|
30 | 30 | - [ ] Project description |
31 | 31 | - [ ] Repository URL |
32 | 32 | - [ ] Keywords/tags (in the same order if possible) |
33 | | -- [ ] requires-python in pyproject.toml should reflect the minimum |
34 | | - Python version supported by the project. |
35 | | - - [ ] Do not introduce syntax or features that are not supported |
36 | | - by the specified minimum Python version, |
37 | | - unless it is supported via __future__ imports. |
38 | 33 |
|
39 | 34 | ## General language use |
40 | 35 |
|
|
126 | 121 | Be very careful of slopsquatting and typosquatting attacks. |
127 | 122 | - [ ] Use the most updated version of the library that is supported |
128 | 123 | by the OS/compiler/framework currently being in used. |
129 | | -- [ ] In source code, sort imports by the programming language convention |
| 124 | +- [ ] In source code, group and sort imports by the programming language |
| 125 | + convention (e.g., in Python, typically by standard library first, |
| 126 | + then by third-party libraries) |
130 | 127 | and then by alphabetical order whenever possible. |
131 | | - Be careful of specific order of import requirements of some dependencies. |
| 128 | + Be careful of specific order of import requirements of some dependencies, |
| 129 | + as moving the order may break the code or create cyclic import issues. |
| 130 | +- [ ] Remove unused imports. |
132 | 131 | - [ ] In build metadata (like pyproject.toml in Python) or |
133 | 132 | dependency list (like requirements.txt in Python), sort dependencies. |
134 | 133 | - [ ] Warn users about abandoned dependency with no maintenance |
135 | 134 | for long time and suggest equivalent drop-in replacement. |
136 | 135 |
|
| 136 | +## Security |
| 137 | + |
| 138 | +- [ ] Avoid using deprecated, obsolete, or insecure libraries, |
| 139 | + frameworks, or APIs. |
| 140 | +- [ ] When handling sensitive data (like passwords, API keys, personal data), |
| 141 | + follow best practices for data protection and privacy. |
| 142 | +- [ ] Avoid hardcoding sensitive information (like passwords, API keys) |
| 143 | + directly in the codebase. |
| 144 | +- [ ] Validate and sanitize all user inputs to prevent security vulnerabilities |
| 145 | + such as SQL injection, cross-site scripting (XSS), and buffer overflows. |
| 146 | +- [ ] Regularly update dependencies to their latest secure versions. |
| 147 | +- [ ] When suggesting code that involves cryptography, |
| 148 | + use strong and well-established algorithms and key sizes. |
| 149 | +- [ ] When dealing with authentication and authorization, |
| 150 | + follow best practices and standards like OAuth2, OpenID Connect, etc. |
| 151 | +- [ ] Avoid using eval() and similar functions that execute arbitrary code, |
| 152 | + unless absolutely necessary and safe. |
| 153 | +- [ ] Avoid the deserialization of untrusted data (CWE-502). |
| 154 | + - [ ] In Python, avoid using `pickle` module for |
| 155 | + serialization/deserialization. |
| 156 | +- [ ] When handling file and path, be careful of path traversal vulnerabilities |
| 157 | + like CWE-22. |
| 158 | + |
137 | 159 | ## API |
138 | 160 |
|
139 | 161 | - [ ] The overall architecture, code, API endpoints to follow the latest |
140 | 162 | version of OpenAPI specification at https://spec.openapis.org/oas/ |
141 | 163 | - [ ] API endpoints must use proper HTTP return code |
142 | 164 | - [ ] Follows web best practices as recommended by OpenAPI, IETF, W3C, etc. |
143 | 165 |
|
| 166 | +## Python |
| 167 | + |
| 168 | +- [ ] Defensive coding: always check for None/empty and handle exceptions |
| 169 | + when dealing with external inputs, like function arguments, |
| 170 | + file I/O, network I/O, etc. |
| 171 | +- [ ] Use type hints for function/method signatures |
| 172 | + and variable declarations as much as possible. |
| 173 | +- [ ] requires-python in pyproject.toml should reflect the minimum |
| 174 | + Python version supported by the project. |
| 175 | +- [ ] Do not introduce syntax or features that are not supported |
| 176 | + by the specified minimum Python version, |
| 177 | + unless it is supported via `__future__` imports. |
| 178 | + - [ ] Do not use | union type syntax if minimum Python version is |
| 179 | + below 3.10. |
| 180 | +- [ ] Make sure that the module/class/function/object can be properly used by |
| 181 | + runtime type inspection tools, documentation generators, and static |
| 182 | + analysis tools. |
| 183 | + For example, typing.get_type_hints() should work properly. |
| 184 | +- [ ] Do not use mutable default arguments in function/method definitions. |
| 185 | +- [ ] Do not use wildcard imports (from module import *). |
| 186 | +- [ ] Remove any trailing whitespace in the Python file. |
| 187 | +- [ ] Make the package zip-safe if possible. |
| 188 | +- [ ] Be mindful about choice of data structures. |
| 189 | + Prefer built-in data structures like list, dict, set, and tuple |
| 190 | + unless there is a specific need for specialized data structures. |
| 191 | + If specialized data structures are needed, consider using |
| 192 | + appropriate collection types from `collections` and |
| 193 | + `collections.abc` modules. |
| 194 | + Use the most appropriate data structure for the specific use case |
| 195 | + to optimize performance and memory usage. |
| 196 | + |
144 | 197 | ## JSON |
145 | 198 |
|
146 | 199 | - [ ] When serialize to JSON, always enclose decimal values |
|
0 commit comments