MD5 hashing is used for fingerprinting #187

Merged: Letme merged 5 commits into master from mark_md5_algo_for_not_security on Feb 13, 2026

@Letme Letme commented Feb 13, 2026

Clearly state that it is not used for security, so that Static Analysis tools do not flag a false positive.

Summary by CodeRabbit

  • Chores
    • Updated internal code quality to align with best practices.
    • Improved internal hashing behavior for better compatibility across Python versions and runtime environments.

coderabbitai bot commented Feb 13, 2026

📝 Walkthrough

Introduces a private helper method _md5_hash(data: bytes) and adds import sys; all previous direct hashlib.md5(...).hexdigest() calls in fingerprint() and its collision-resolution logic are replaced to use self._md5_hash(...), which conditionally sets usedforsecurity based on Python version.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| MD5 helper & usage updates: src/mlx/warnings/code_quality.py | Added import sys and new private helper _md5_hash(data: bytes); replaced direct hashlib.md5(...).hexdigest() calls in fingerprint() and collision-handling with self._md5_hash(...) so usedforsecurity is set conditionally. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I nibble bytes and weave a hash so small,
A helper tucked where md5s now call,
Not for secrets, just tidy art —
A rabbit's stamp on code and heart.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: introducing MD5 hashing specifically for fingerprinting purposes, which aligns with the PR's objective to clarify MD5 usage for fingerprinting rather than security. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into master |

Copilot AI left a comment

Pull request overview

This PR attempts to clarify that MD5 hashing is used for fingerprinting (non-security purposes) by adding the usedforsecurity=False parameter to hashlib.md5() calls. This is intended to prevent static analysis tools from flagging false positives about insecure cryptographic usage.

Changes:

  • Added usedforsecurity=False parameter to two hashlib.md5() calls in the fingerprint method

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/mlx/warnings/code_quality.py`:
- Around line 35-37: Replace direct calls to hashlib.md5(...,
usedforsecurity=False) in src/mlx/warnings/code_quality.py with a compatibility
helper to support Python 3.8; implement a helper function named _md5_hash(data:
bytes) that uses sys.version_info to call hashlib.md5(data,
usedforsecurity=False).hexdigest() on Python >=3.9 and
hashlib.md5(data).hexdigest() otherwise, then use _md5_hash for computing
new_hash in the places referencing new_hash (the two hashlib.md5 calls in the
collision loop) so both collision-resolution iterations work on Python 3.8 and
newer.
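
The version-gated helper requested in this review, shown together with a collision loop, as an added example that is not the project's own code. The names `md5_fingerprint`, `unique_fingerprints` and `digest_unchanged_by_flag`, and the re-hash-on-collision rule, are assumptions made for illustration; the sample inputs are constructed.

```python
import hashlib
import sys

# RFC 1321 test vectors: the flag must not change what MD5 returns.
RFC1321_VECTORS = {
    b"": "d41d8cd98f00b204e9800998ecf8427e",
    b"a": "0cc175b9c0f1b6a831c399e269772661",
    b"abc": "900150983cd24fb0d6963f7d28e17f72",
}


def md5_fingerprint(data: bytes) -> str:
    """Hex MD5 digest used only as a non-security fingerprint."""
    if sys.version_info >= (3, 9):
        # Declares the non-security intent to static analysis and lets the
        # call succeed on builds where MD5 is blocked for security use.
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    # Python 3.8: the keyword does not exist, so it has to be omitted.
    return hashlib.md5(data).hexdigest()


def digest_unchanged_by_flag() -> bool:
    """True when the helper reproduces the standard MD5 test vectors."""
    return all(md5_fingerprint(msg) == want
               for msg, want in RFC1321_VECTORS.items())


def unique_fingerprints(descriptions):
    """Assumed collision rule: re-hash the digest until it is unused."""
    seen = set()
    result = []
    for text in descriptions:
        digest = md5_fingerprint(text.encode("utf-8"))
        while digest in seen:
            digest = md5_fingerprint(digest.encode("utf-8"))
        seen.add(digest)
        result.append(digest)
    return result
```

Because the digest is identical with and without the flag, fingerprints stored before the change stay valid after it.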

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/mlx/warnings/code_quality.py`:
- Around line 3-5: There is only one blank line between the top-level import and
the class definition which triggers flake8 E302; add one more blank line before
the top-level class Finding so there are two blank lines separating the import
(sys) and the class definition (class Finding:), then run flake8/CI to verify
the E302 error is resolved.
🧹 Nitpick comments (1)
src/mlx/warnings/code_quality.py (1)

117-121: Consider making this a @staticmethod.

_md5_hash doesn't reference self; it could be a @staticmethod (or module-level function) to make that explicit.

Regarding the Ruff S324 warning on line 120: this is a false positive in context — the Python 3.8 fallback intentionally omits usedforsecurity because the parameter doesn't exist there. You could add # noqa: S324 to suppress it.

Optional refactor
+    `@staticmethod`
-    def _md5_hash(self, data: bytes) -> str:
+    def _md5_hash(data: bytes) -> str:
         if sys.version_info >= (3, 9):
-            return hashlib.md5(data, usedforsecurity=False).hexdigest()
+            return hashlib.md5(data, usedforsecurity=False).hexdigest()  # noqa: S324
-        return hashlib.md5(data).hexdigest()
+        return hashlib.md5(data).hexdigest()  # noqa: S324
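
Review bot: The `# noqa: S324` added to the `usedforsecurity=False` return in the `sys.version_info >= (3, 9)` branch suppresses more than the comment above asks for, since the S324 report it cites is on the fallback line only. Keep the suppression on the `hashlib.md5(data).hexdigest()` fallback alone, so that a later edit that drops `usedforsecurity=False` from the first return is still flagged. Two smaller points: the decorator line carries literal backticks around @staticmethod that must be removed before applying, and dropping `self` from the signature is only safe together with that decorator, because the walkthrough shows callers using `self._md5_hash(...)`.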

@Letme Letme merged commit eb96c51 into master Feb 13, 2026
10 checks passed
@Letme Letme deleted the mark_md5_algo_for_not_security branch February 13, 2026 15:18