Bandit 1.7.3 addition of new positional argument fdata causes TypeError

[RemyLau]

I've been using the flake8-bandit plugin. But recently, a new positional argument fdata was recently added to the BanditNodeVisitor function in version 1.7.3, causing a TypeError as follows

multiprocessing.pool.RemoteTraceback: 
"""
Traceback (most recent call last):
  File "/mnt/home/liurenmi/software/anaconda3/envs/geneplexus/lib/python3.8/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 687, in _run_checks
    return checker.run_checks()
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 597, in run_checks
    self.run_ast_checks()
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 500, in run_ast_checks
    for (line_number, offset, text, _) in runner:
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8_bandit.py", line 85, in run
    for warn in self._check_source():
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8_bandit.py", line 59, in _check_source
    bnv = BanditNodeVisitor(
TypeError: __init__() missing 1 required positional argument: 'metrics'
"""

Would it be possible to make a patch for this?

[kjbergman]

I’m also experiencing this issue

[mschoettle]

It would probably be good to pin the exact bandit version in the requirements of this plugin to avoid a similar situation in the future. Not sure how exactly right now but happy to provide a PR if @tylerwince agrees.

[Dreamsorcerer]

This looks like a very low-activity project, so I'd suspect that will only work if someone sets up dependabot to automatically update the dependency and then automatically deploy a new release at the same time, if the tests pass successfully.

[dolfinus]

It would probably be good to pin the exact bandit version

This is not a good idea for a library. In such a case user will not be able to install another library which requires some other bandit version, as well as just upgrade bandit because some issue was fixed or a new feature was introduced.

If flake8-bandit requires some changes were added only to bandit==1.7.3, requirements.txt should look like bandit>=1.7.3. This allows user to install any other new version of bandit if this is required.

There is a way to protect from issues with future bandit releases - set up upper limit for bandit version, like bandit>=1.7.3,<2.0 or even bandit>=1.7.3,<1.8. But this requires flake8-bandit to release more often.

Also there is no guarantee that 1.7.4 release will not break backward compatibility. Actually, instead of 1.7.3 version PyCQA/bandit#496 commit should be released as 1.8.0 because it caused backward compatibility break in the first place.

[pawamoy]

There is a way to protect from issues with future bandit releases - set up upper limit for bandit version, like bandit>=1.7.3,<2.0 or even bandit>=1.7.3,<1.8.

Disagree as well, for the reasons you mentioned:

But this requires flake8-bandit to release more often.
Also there is no guarantee that 1.7.4 release will not break backward compatibility.

Compatibility can be broken at any time indeed. Upper bounds do not protect your library. And they prevent downstream users to get upgrades. Without upper bounds, sure, things can break more often, but users can exclude the problematic version themselves. Then upstream can either fix the compatibility issue or exclude the version as well.

Upper bounds can still be used of course, but only if you know the excluded range broke or is going to break compatiblity.

[dhuckins]

is @tylerwince still watching this repo?
doesn't seem like its been updated in a few years
does anyone else have access to merge a change and deploy?

[tylerwince]

Hey all! I'm happy to update and add a dependabot and accept PRs on this.

Let me take a look at the PR that was opened this morning and I'll try to work on it later today.

[tylerwince]

Sorry all! Been crazy the last week at work but this should be resolved! Let me know if you see anything that isn't working right! Cheers and thanks for being patient.

[pawamoy]

Thank you for your time @tylerwince 🙂

[radomirbosak]

Thank you very much for fixing this! :)

Would it be also possible do a new flake8-bandit release to pypi?

[RemyLau]

Thanks a lot!

[Zethson]

@tylerwince thank you! I think that for this to propagate properly we need a new release on PyPI. Would appreciate it!