From eb56670dd04a086388e67123787b2fefa32fe698 Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Fri, 15 Aug 2025 10:46:57 -0400 Subject: [PATCH 1/5] lint: add codespell to lint for typos Supports both `reformat` and `lint`. Signed-off-by: Mike Fiedler --- bin/lint | 1 + bin/reformat | 2 ++ pyproject.toml | 17 +++++++++++++++++ requirements/lint.in | 1 + requirements/lint.txt | 4 ++++ 5 files changed, 25 insertions(+) diff --git a/bin/lint b/bin/lint index d20e5cf1a5f2..a14dd54cc7fc 100755 --- a/bin/lint +++ b/bin/lint @@ -10,3 +10,4 @@ sphinx-lint --enable=all --disable=line-too-long README.rst CONTRIBUTING.rst doc python -m djlint --check --lint ./warehouse/templates ./docs/blog python -m mypy -p warehouse ./bin/flushes +codespell diff --git a/bin/reformat b/bin/reformat index e2420b8b49c3..33f9d8321c82 100755 --- a/bin/reformat +++ b/bin/reformat @@ -1,6 +1,8 @@ #!/usr/bin/env bash set -ex +# Fix typos before other changes, as they may affect formatting. +codespell --write find . -name '*.py' -exec python -m pyupgrade --py313-plus {} + python -m isort *.py warehouse/ tests/ python -m black *.py warehouse/ tests/ diff --git a/pyproject.toml b/pyproject.toml index bc3a5d10697b..0c23d2104bbd 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -129,3 +129,20 @@ filterwarnings = [ # TODO: This can be removed once it becomes the default. # See: https://github.com/jazzband/pip-tools/issues/989 allow-unsafe = true + +[tool.codespell] +ignore-words-list = "deriver" +skip = [ + '*.po', + './dev/.mypy_cache/*', + './dev/.pytest_cache/*', + './docs/blog-site/*', + './docs/dev/_build/*', + './docs/user-site/*', + './htmlcov/*', + './node_modules/**', + './package-lock.json', + './warehouse/admin/static/dist/*', + './warehouse/static/dist/*', + './warehouse/static/js/vendor/zxcvbn.js', +] diff --git a/requirements/lint.in b/requirements/lint.in index 2fbf1771a7c3..b27bb59a791f 100644 --- a/requirements/lint.in +++ b/requirements/lint.in @@ -1,3 +1,4 @@ +codespell djlint flake8 flake8-pytest-style diff --git a/requirements/lint.txt b/requirements/lint.txt index 7860594c9619..ae5b0f3dab57 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -115,6 +115,10 @@ click==8.2.1 \ # via # black # djlint +codespell==2.4.1 \ + --hash=sha256:299fcdcb09d23e81e35a671bbe746d5ad7e8385972e65dbb833a2eaac33c01e5 \ + --hash=sha256:3dadafa67df7e4a3dbf51e0d7315061b80d265f9552ebd699b3dd6834b47e425 + # via -r requirements/lint.in colorama==0.4.6 \ --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \ --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6 From 2d0e9fea04b785a0c2436b8adcd44846ef8ec597 Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Fri, 15 Aug 2025 11:09:14 -0400 Subject: [PATCH 2/5] lint: fix typos Signed-off-by: Mike Fiedler --- .../blog/posts/2023-09-18-inbound-malware-reporting.md | 2 +- ...024-11-14-pypi-now-supports-digital-attestations.md | 2 +- .../posts/2024-12-11-ultralytics-attack-analysis.md | 2 +- docs/blog/posts/2025-08-14-project-status-markers.md | 2 +- docs/dev/development/getting-started.rst | 2 +- docs/dev/development/token-scanning.rst | 2 +- docs/user/api/index.md | 2 +- docs/user/trusted-publishers/troubleshooting.md | 2 +- tests/conftest.py | 2 +- tests/frontend/delete_confirm_controller_test.js | 2 +- tests/frontend/horizontal_tabs_controller_test.js | 4 ++-- tests/frontend/password_breach_controller_test.js | 2 +- tests/frontend/viewport_toggle_controller_test.js | 2 +- tests/unit/admin/views/test_users.py | 2 +- tests/unit/api/test_simple.py | 4 ++-- tests/unit/email/test_services.py | 8 ++++---- tests/unit/integration/secrets/test_utils.py | 9 +++++---- .../unit/integration/vulnerabilities/osv/test_views.py | 3 ++- tests/unit/macaroons/test_services.py | 10 +++++----- tests/unit/oidc/forms/test_activestate.py | 4 ++-- tests/unit/oidc/test_views.py | 2 +- tests/unit/utils/test_http.py | 4 ++-- .../admin/organization_applications/detail.html | 2 +- warehouse/admin/views/users.py | 2 +- warehouse/email/services.py | 2 +- warehouse/events/models.py | 2 +- warehouse/forklift/legacy.py | 4 ++-- warehouse/forklift/metadata.py | 6 +++--- warehouse/integrations/vulnerabilities/osv/views.py | 2 +- warehouse/locale/messages.pot | 2 +- warehouse/macaroons/caveats/_core.py | 2 +- ...e6d45d7ef_readd_the_unique_constraint_on_pep426_.py | 2 +- ...76a605cac_remove_the_rego_otk_table_abd_related_.py | 2 +- warehouse/oidc/models/_core.py | 2 +- warehouse/packaging/models.py | 2 +- warehouse/predicates.py | 4 +--- warehouse/rate_limiting/__init__.py | 2 +- warehouse/routes.py | 2 +- .../js/warehouse/controllers/collapsible_controller.js | 2 +- warehouse/static/sass/blocks/_centered-heading.scss | 2 +- warehouse/static/sass/blocks/_dropdown.scss | 2 +- warehouse/subscriptions/services.py | 2 +- .../templates/email/token-compromised-leak/body.html | 2 +- .../templates/email/token-compromised-leak/body.txt | 2 +- warehouse/templates/manage/manage_base.html | 2 +- .../manage/organization/manage_organization_base.html | 2 +- .../templates/manage/project/manage_project_base.html | 2 +- warehouse/templates/manage/team/manage_team_base.html | 2 +- warehouse/templates/pages/help.html | 2 +- 49 files changed, 68 insertions(+), 68 deletions(-) diff --git a/docs/blog/posts/2023-09-18-inbound-malware-reporting.md b/docs/blog/posts/2023-09-18-inbound-malware-reporting.md index 894c1926b7a6..50db563df9ef 100644 --- a/docs/blog/posts/2023-09-18-inbound-malware-reporting.md +++ b/docs/blog/posts/2023-09-18-inbound-malware-reporting.md @@ -134,7 +134,7 @@ Again, since the nature of email isn't 100% accurate in this case, we'll rely on calculating the duration of time (in minutes) between the first message of a thread and the last message of a thread. This doesn't account for the occasional behavior of a reporter -re-using the same thread to report more packages, +reusing the same thread to report more packages, nor does it reflect any other back-and-forth communication between admins and reporters. As such, removing any threads that have more than 4 total messages diff --git a/docs/blog/posts/2024-11-14-pypi-now-supports-digital-attestations.md b/docs/blog/posts/2024-11-14-pypi-now-supports-digital-attestations.md index ca1009313509..0bc7c5d1b004 100644 --- a/docs/blog/posts/2024-11-14-pypi-now-supports-digital-attestations.md +++ b/docs/blog/posts/2024-11-14-pypi-now-supports-digital-attestations.md @@ -96,7 +96,7 @@ tools was performed by [Trail of Bits], with special thanks to contributors Thanks to the the [Sigstore project] for their work popularizing identity-based signing, hosting a public-good transparency log, and continued support of the [Python client for Sigstore]. Many thanks to [Sviatoslav Sydorenko] as well for his support and ongoing -maintenence of the [pypa/gh-action-pypi-publish] action, as well his support +maintenance of the [pypa/gh-action-pypi-publish] action, as well his support for implementing PEP 740 in the action. --- diff --git a/docs/blog/posts/2024-12-11-ultralytics-attack-analysis.md b/docs/blog/posts/2024-12-11-ultralytics-attack-analysis.md index 60a7fbd13498..f7889488313b 100644 --- a/docs/blog/posts/2024-12-11-ultralytics-attack-analysis.md +++ b/docs/blog/posts/2024-12-11-ultralytics-attack-analysis.md @@ -55,7 +55,7 @@ If you are publishing software to PyPI then you can harden your build and publis In addition to the specific recommendations above, we strongly recommend general account security best practices such as: * **Use 2FA / MFA, preferably using a hardware key or authenticator app for all accounts associated with open source contributions.** This includes your email address and accounts for source forge(s) like GitHub or GitLab. Avoid SMS and text-message-based 2FA schemes if possible, as they are susceptible to SIM-swapping. PyPI already requires the use of 2FA to publish packages. -* **Don’t reuse passwords, use a password manager.** Re-using passwords for services means that a compromise to one service will compromise your account(s) elsewhere. +* **Don’t reuse passwords, use a password manager.** Reusing passwords for services means that a compromise to one service will compromise your account(s) elsewhere. Prevention is important, but just as important is preparedness. Here’s what to do if your own project is compromised: diff --git a/docs/blog/posts/2025-08-14-project-status-markers.md b/docs/blog/posts/2025-08-14-project-status-markers.md index cb7f7c656e9b..9a526ec33faa 100644 --- a/docs/blog/posts/2025-08-14-project-status-markers.md +++ b/docs/blog/posts/2025-08-14-project-status-markers.md @@ -121,7 +121,7 @@ which have both index-side and installer-side semantics: will not offer it for installation, and installers are encouraged to produce a warning when users attempt to install it[^warning]. * **deprecated**: Indicates that the project is considered obsolete, - and may have been superceded by another project. Unlike archived projects, + and may have been superseded by another project. Unlike archived projects, deprecated projects can still be uploaded to, but installers are encouraged to inform users about the project's deprecation. diff --git a/docs/dev/development/getting-started.rst b/docs/dev/development/getting-started.rst index d25ec556fa5d..93c2cb26b43e 100644 --- a/docs/dev/development/getting-started.rst +++ b/docs/dev/development/getting-started.rst @@ -411,7 +411,7 @@ we have a common Key set in the database for those users: This will emit a 6-digit code you can paste into the 2FA form. For other accounts, you'll need to preserve the Key used -to genreate the TOTP code the next time you need to log in. +to generate the TOTP code the next time you need to log in. To be able to "forget" the initial Key, and use it like a TOTP app, create a storage and set a password, like so: diff --git a/docs/dev/development/token-scanning.rst b/docs/dev/development/token-scanning.rst index 784acf768a55..76041f655f04 100644 --- a/docs/dev/development/token-scanning.rst +++ b/docs/dev/development/token-scanning.rst @@ -13,7 +13,7 @@ How to test it manually ^^^^^^^^^^^^^^^^^^^^^^^ A fake token reporting service is launched by Docker Compose. Head your browser to -``http://localhost:8964``. Create/reorder/... one ore more public keys, make +``http://localhost:8964``. Create/reorder/... one or more public keys, make sure one key is marked as current, then write your payload, using the following format: diff --git a/docs/user/api/index.md b/docs/user/api/index.md index da0d89e252b3..186c1271c7ca 100644 --- a/docs/user/api/index.md +++ b/docs/user/api/index.md @@ -97,7 +97,7 @@ def wheel_url(name, version, build_tag, python_tag, abi_tag, platform_tag): return f'{host}/packages/{python_tag}/{name[0]}/{name}/{filename}' ``` -Example predicable URL use: +Example predictable URL use: ```bash $ curl -I https://files.pythonhosted.org/packages/source/v/virtualenv/virtualenv-15.2.0.tar.gz diff --git a/docs/user/trusted-publishers/troubleshooting.md b/docs/user/trusted-publishers/troubleshooting.md index 3e9eec76cd53..a909daf19321 100644 --- a/docs/user/trusted-publishers/troubleshooting.md +++ b/docs/user/trusted-publishers/troubleshooting.md @@ -60,7 +60,7 @@ endpoint: as configured when the publisher was configured on PyPI. * `invalid-publisher` for a previously-working project: this usually indicates a typo or that something has changed on either side. One example we've seen - is when a source repository is renamed, and the configration on PyPI + is when a source repository is renamed, and the configuration on PyPI continues to use the old repository name. For GitHub, check that the `repository_owner`, `repository` and workflow filename values are the same on both sides. diff --git a/tests/conftest.py b/tests/conftest.py index 1c5c53be8e24..4df4608793ba 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -687,7 +687,7 @@ def xmlrpc(self, path, method, *args): @pytest.fixture def tm(): - # Create a new transaction manager for dependant test cases + # Create a new transaction manager for dependent test cases tm = transaction.TransactionManager(explicit=True) tm.begin() diff --git a/tests/frontend/delete_confirm_controller_test.js b/tests/frontend/delete_confirm_controller_test.js index b0723d0e7325..b42f321a2dab 100644 --- a/tests/frontend/delete_confirm_controller_test.js +++ b/tests/frontend/delete_confirm_controller_test.js @@ -31,7 +31,7 @@ describe("DeleteConfirm controller", () => { describe("functionality", function() { describe("checking one box", function() { - it("doesnt enable the button", function() { + it("doesn't enable the button", function() { const inputOne = document.getElementById("input-one"); expect(inputOne).not.toBeChecked(); fireEvent.click(inputOne); diff --git a/tests/frontend/horizontal_tabs_controller_test.js b/tests/frontend/horizontal_tabs_controller_test.js index 957bcc64f306..d33bbfb5fb3f 100644 --- a/tests/frontend/horizontal_tabs_controller_test.js +++ b/tests/frontend/horizontal_tabs_controller_test.js @@ -37,7 +37,7 @@ describe("Horizontal tabs controller", () => { application.register("horizontal-tabs", HorizontalTabsController); }); - describe("on initializtion", () => { + describe("on initialization", () => { it("the first tab is shown", () => { const tabs = document.querySelectorAll(".tab"); const content = document.querySelectorAll(".horizontal-tabs__tabcontent"); @@ -76,7 +76,7 @@ describe("Horizontal tabs controller", () => { }); }); - describe("on initializtion with errors", () => { + describe("on initialization with errors", () => { beforeEach(() => { // Add some errors to the second tab const secondTabPanel = document.querySelectorAll(".horizontal-tabs__tabcontent")[1]; diff --git a/tests/frontend/password_breach_controller_test.js b/tests/frontend/password_breach_controller_test.js index 36c0b61de395..b6dae0e7a9af 100644 --- a/tests/frontend/password_breach_controller_test.js +++ b/tests/frontend/password_breach_controller_test.js @@ -72,7 +72,7 @@ describe("Password breach controller", () => { describe("entering a password with less than 3 characters", () => { it("does not call the HIBP API", async () => { const passwordField = document.querySelector("#password"); - fireEvent.input(passwordField, { target: { value: "fo" } }); + fireEvent.input(passwordField, { target: { value: "of" } }); await delay(25); // arbitrary number of ms, too low may cause failures expect(fetch.mock.calls.length).toEqual(0); diff --git a/tests/frontend/viewport_toggle_controller_test.js b/tests/frontend/viewport_toggle_controller_test.js index ee88bb001e2d..5e0fd5a8ec85 100644 --- a/tests/frontend/viewport_toggle_controller_test.js +++ b/tests/frontend/viewport_toggle_controller_test.js @@ -22,7 +22,7 @@ const viewportContent = ` function startStimulus() { - // set the HTML before satarting the application, as the controller uses the + // set the HTML before starting the application, as the controller uses the // `connect()` function. document.body.innerHTML = viewportContent; const application = Application.start(); diff --git a/tests/unit/admin/views/test_users.py b/tests/unit/admin/views/test_users.py index 40e8380979a6..a674b9ab117f 100644 --- a/tests/unit/admin/views/test_users.py +++ b/tests/unit/admin/views/test_users.py @@ -111,7 +111,7 @@ def test_validate(self): class TestUserForm: def test_validate(self): form = views.UserForm() - assert form.validate(), str(form.erros) + assert form.validate(), str(form.errors) class TestUserDetail: diff --git a/tests/unit/api/test_simple.py b/tests/unit/api/test_simple.py index 431408a61dd8..123c73f4f705 100644 --- a/tests/unit/api/test_simple.py +++ b/tests/unit/api/test_simple.py @@ -232,7 +232,7 @@ def test_no_files_with_serial(self, db_request, content_type, renderer_override) db_request.matchdict["name"] = project.normalized_name user = UserFactory.create() je = JournalEntryFactory.create(name=project.name, submitted_by=user) - als = [ + alts = [ AlternateRepositoryFactory.create(project=project), AlternateRepositoryFactory.create(project=project), ] @@ -243,7 +243,7 @@ def test_no_files_with_serial(self, db_request, content_type, renderer_override) "project-status": {"status": "active"}, "files": [], "versions": [], - "alternate-locations": sorted(al.url for al in als), + "alternate-locations": sorted(al.url for al in alts), } context = _update_context(context, content_type, renderer_override) assert simple.simple_detail(project, db_request) == context diff --git a/tests/unit/email/test_services.py b/tests/unit/email/test_services.py index 8ce6606252ec..e43c924235d4 100644 --- a/tests/unit/email/test_services.py +++ b/tests/unit/email/test_services.py @@ -129,7 +129,7 @@ def test_send(self, sender_class): service = sender_class(mailer, sender="DevPyPI ") service.send( - "sombody@example.com", + "somebody@example.com", EmailMessage( subject="a subject", body_text="a body", body_html="a html body" ), @@ -142,7 +142,7 @@ def test_send(self, sender_class): assert msg.subject == "a subject" assert msg.body == "a body" assert msg.html == "a html body" - assert msg.recipients == ["sombody@example.com"] + assert msg.recipients == ["somebody@example.com"] assert msg.sender == "DevPyPI " def test_last_sent(self, sender_class): @@ -160,7 +160,7 @@ def test_send(self, capsys): ) service.send( - "sombody@example.com", + "somebody@example.com", EmailMessage( subject="a subject", body_text="a body", @@ -172,7 +172,7 @@ def test_send(self, capsys): Email sent Subject: a subject From: DevPyPI -To: sombody@example.com +To: somebody@example.com HTML: Visualize at http://localhost:1080 Text: a body""" assert captured.out.strip() == expected.strip() diff --git a/tests/unit/integration/secrets/test_utils.py b/tests/unit/integration/secrets/test_utils.py index 6e91e11e53be..1df3c85f6413 100644 --- a/tests/unit/integration/secrets/test_utils.py +++ b/tests/unit/integration/secrets/test_utils.py @@ -64,11 +64,11 @@ def test_invalid_token_leak_request(): ( {"type": "not_found", "token": "a", "url": "b"}, "Matcher with code not_found not found. " - "Available codes are: failer, pypi_api_token", + "Available codes are: failure, pypi_api_token", "invalid_matcher", ), ( - {"type": "failer", "token": "a", "url": "b"}, + {"type": "failure", "token": "a", "url": "b"}, "Cannot extract token from received match", "extraction", ), @@ -76,14 +76,15 @@ def test_invalid_token_leak_request(): ) def test_token_leak_disclosure_request_from_api_record_error(record, error, reason): class MyFailingMatcher(utils.TokenLeakMatcher): - name = "failer" + name = "failure" def extract(self, text): raise utils.ExtractionFailedError() with pytest.raises(utils.InvalidTokenLeakRequestError) as exc: utils.TokenLeakDisclosureRequest.from_api_record( - record, matchers={"failer": MyFailingMatcher(), **utils.TOKEN_LEAK_MATCHERS} + record, + matchers={"failure": MyFailingMatcher(), **utils.TOKEN_LEAK_MATCHERS}, ) assert str(exc.value) == error diff --git a/tests/unit/integration/vulnerabilities/osv/test_views.py b/tests/unit/integration/vulnerabilities/osv/test_views.py index 76a2728a36d3..b704a84e37c0 100644 --- a/tests/unit/integration/vulnerabilities/osv/test_views.py +++ b/tests/unit/integration/vulnerabilities/osv/test_views.py @@ -145,7 +145,8 @@ def find_service(self, *a, **k): assert response.status_int == 400 assert metrics.increment.calls == [ pretend.call( - "warehouse.vulnerabilties.error.payload.json_error", tags=["origin:osv"] + "warehouse.vulnerabilities.error.payload.json_error", + tags=["origin:osv"], ) ] diff --git a/tests/unit/macaroons/test_services.py b/tests/unit/macaroons/test_services.py index 3edf2e097c9d..cf369f806acc 100644 --- a/tests/unit/macaroons/test_services.py +++ b/tests/unit/macaroons/test_services.py @@ -110,13 +110,13 @@ def test_find_from_raw_oidc(self, macaroon_service): [ "pypi-aaaa", # Invalid macaroon # Macaroon properly formatted but not found. - # The string is purposedly cut to avoid triggering the github token + # The string is purposely cut to avoid triggering the github token # disclosure feature that this very function implements. "py" "pi-AgEIcHlwaS5vcmcCJGQ0ZDhhNzA2LTUxYTEtNDg0NC1hNDlmLTEyZDRiYzNkYjZmOQAABi" "D6hJOpYl9jFI4jBPvA8gvV1mSu1Ic3xMHmxA4CSA2w_g", - # Macaroon that is malformed and has an invaild (non utf-8) identifier - # The string is purposedly cut to avoid triggering the github token + # Macaroon that is malformed and has an invalid (non utf-8) identifier + # The string is purposely cut to avoid triggering the github token # disclosure feature that this very function implements. "py" "pi-MDAwZWxvY2F0aW9uIAowMDM0aWRlbnRpZmllciBhmTAyMWY0YS0xYWQzLTQ3OGEtYjljZi1" @@ -145,8 +145,8 @@ def test_find_userid_invalid_macaroon(self, macaroon_service): "raw_macaroon", [ "pypi-thiswillnotdeserialize", - # Macaroon that is malformed and has an invaild (non utf-8) identifier - # The string is purposedly cut to avoid triggering the github token + # Macaroon that is malformed and has an invalid (non utf-8) identifier + # The string is purposely cut to avoid triggering the github token # disclosure feature that this very function implements. "py" "pi-MDAwZWxvY2F0aW9uIAowMDM0aWRlbnRpZmllciBhmTAyMWY0YS0xYWQzLTQ3OGEtYjljZi1" diff --git a/tests/unit/oidc/forms/test_activestate.py b/tests/unit/oidc/forms/test_activestate.py index bf6715d5f2d9..c957ff2c3d4d 100644 --- a/tests/unit/oidc/forms/test_activestate.py +++ b/tests/unit/oidc/forms/test_activestate.py @@ -128,7 +128,7 @@ def test_lookup_actor_404(self, monkeypatch): ) requests = pretend.stub( post=pretend.call_recorder(lambda o, **kw: response), - expception=_requests.exceptions, + exception=_requests.exceptions, Timeout=Timeout, HTTPError=HTTPError, ConnectionError=ConnectionError, @@ -160,7 +160,7 @@ def test_lookup_actor_other_http_error(self, monkeypatch): ) requests = pretend.stub( post=pretend.call_recorder(lambda o, **kw: response), - expception=_requests.exceptions, + exception=_requests.exceptions, Timeout=Timeout, HTTPError=HTTPError, ConnectionError=ConnectionError, diff --git a/tests/unit/oidc/test_views.py b/tests/unit/oidc/test_views.py index 9e959820356a..731bea80074f 100644 --- a/tests/unit/oidc/test_views.py +++ b/tests/unit/oidc/test_views.py @@ -985,7 +985,7 @@ def test_is_from_reusable_workflow( # configured when claims contain an environment (GitHubPublisherFactory, "", "new_env", True), (GitLabPublisherFactory, "", "new_env", True), - # Should not send if claims don't have an environent + # Should not send if claims don't have an environment (GitHubPublisherFactory, "", "", False), (GitLabPublisherFactory, "", "", False), # Should not send if publishers already have an environment diff --git a/tests/unit/utils/test_http.py b/tests/unit/utils/test_http.py index 04b5fb8756e5..577682ece582 100644 --- a/tests/unit/utils/test_http.py +++ b/tests/unit/utils/test_http.py @@ -15,7 +15,7 @@ class TestIsSafeUrl: "http://example.com", "http:///example.com", "https://example.com", - "ftp://exampel.com", + "ftp://example.com", r"\\example.com", r"\\\example.com", r"/\\/example.com", @@ -41,7 +41,7 @@ def test_rejects_bad_url(self, url): [ "/view/?param=http://example.com", "/view/?param=https://example.com", - "/view?param=ftp://exampel.com", + "/view?param=ftp://example.com", "https://testserver/", "HTTPS://testserver/", "//testserver/", diff --git a/warehouse/admin/templates/admin/organization_applications/detail.html b/warehouse/admin/templates/admin/organization_applications/detail.html index 94bc387de9b6..9bdfdb8a66a9 100644 --- a/warehouse/admin/templates/admin/organization_applications/detail.html +++ b/warehouse/admin/templates/admin/organization_applications/detail.html @@ -377,7 +377,7 @@

Organization Request{% if information_requests %}{% if ou
- + {% for application in conflicting_applications %}
ApplicationStatusSubmittedRequestor
ApplicationStatusSubmittedRequester
diff --git a/warehouse/admin/views/users.py b/warehouse/admin/views/users.py index 9c9152bb16f6..170eec1ac269 100644 --- a/warehouse/admin/views/users.py +++ b/warehouse/admin/views/users.py @@ -577,7 +577,7 @@ def user_recover_account_initiate(user, request): ) request.session.flash( - f"Initiatied account recovery for {user.username!r}", queue="success" + f"Initiated account recovery for {user.username!r}", queue="success" ) return HTTPSeeOther( diff --git a/warehouse/email/services.py b/warehouse/email/services.py index 7b6b474a2f8d..1fa639b2a9a2 100644 --- a/warehouse/email/services.py +++ b/warehouse/email/services.py @@ -78,7 +78,7 @@ def send(self, recipient, message): ) def last_sent(self, to, subject): - # We don't store previously sent emails, so nothing to comapre against + # We don't store previously sent emails, so nothing to compare against return None diff --git a/warehouse/events/models.py b/warehouse/events/models.py index 2518bed4c922..18418b88221e 100644 --- a/warehouse/events/models.py +++ b/warehouse/events/models.py @@ -76,7 +76,7 @@ class UserAgentInfo: def display(self) -> str: """ - Construct a resonable user-agent description, + Construct a reasonable user-agent description, depending on optional values """ diff --git a/warehouse/forklift/legacy.py b/warehouse/forklift/legacy.py index 5422785f6322..35e701e657f5 100644 --- a/warehouse/forklift/legacy.py +++ b/warehouse/forklift/legacy.py @@ -1249,7 +1249,7 @@ def file_upload(request): f"Invalid source distribution filename: {filename}", ) - # The previous function fails to accomodate the edge case where + # The previous function fails to accommodate the edge case where # versions may contain hyphens, so we handle that here based on # what we were expecting. This requires there to be at least two # hyphens in the filename: one between the project name & version @@ -1434,7 +1434,7 @@ def file_upload(request): filename = os.path.basename(temporary_filename) # Get the name and version from the original filename. Eventually this # should use packaging.utils.parse_wheel_filename(filename), but until then - # we can't use this as it adds additional normailzation to the project name + # we can't use this as it adds additional normalization to the project name # and version. name, version, _ = filename.split("-", 2) diff --git a/warehouse/forklift/metadata.py b/warehouse/forklift/metadata.py index bb6f1274f5a5..cbc71c204dda 100644 --- a/warehouse/forklift/metadata.py +++ b/warehouse/forklift/metadata.py @@ -84,7 +84,7 @@ def parse( else: raise NoMetadataError - # Validate the metadata using our custom rules, which we layer ontop of the + # Validate the metadata using our custom rules, which we layer on top of the # built in rules to add PyPI specific constraints above and beyond what the # core metadata requirements are. _validate_metadata(metadata, backfill=backfill) @@ -93,7 +93,7 @@ def parse( def _validate_metadata(metadata: Metadata, *, backfill: bool = False): - # Add our own custom validations ontop of the standard validations from + # Add our own custom validations on top of the standard validations from # packaging.metadata. errors: list[InvalidMetadata] = [] @@ -368,7 +368,7 @@ def parse_form_metadata(data: MultiDict) -> Metadata: except KeyError: unparsed[name] = value # Nothing that we've done has managed to parse this, so it'll just - # throw it in our unparseable data and move on. + # throw it in our unparsable data and move on. else: unparsed[name] = value diff --git a/warehouse/integrations/vulnerabilities/osv/views.py b/warehouse/integrations/vulnerabilities/osv/views.py index 757c1f954861..0c166814325c 100644 --- a/warehouse/integrations/vulnerabilities/osv/views.py +++ b/warehouse/integrations/vulnerabilities/osv/views.py @@ -43,7 +43,7 @@ def report_vulnerabilities(request): vulnerability_reports = request.json_body except json.decoder.JSONDecodeError: metrics.increment( - "warehouse.vulnerabilties.error.payload.json_error", tags=["origin:osv"] + "warehouse.vulnerabilities.error.payload.json_error", tags=["origin:osv"] ) return HTTPBadRequest(body="Invalid JSON") diff --git a/warehouse/locale/messages.pot b/warehouse/locale/messages.pot index 9fe7b6da9720..a7d8995c31f8 100644 --- a/warehouse/locale/messages.pot +++ b/warehouse/locale/messages.pot @@ -8708,7 +8708,7 @@ msgstr "" #: warehouse/templates/pages/help.html:1079 msgid "" "Deletion of a project, release or file on PyPI is permanent and " -"irreversable, without exception. Deletion of a project makes it " +"irreversible, without exception. Deletion of a project makes it " "uninstallable, and releases the project name for use by any other PyPI " "user. Deleted files cannot be re-" "uploaded. Deleted projects, releases or files cannot be restored by " diff --git a/warehouse/macaroons/caveats/_core.py b/warehouse/macaroons/caveats/_core.py index 3df3aa1e7ac7..6dbc39cc8723 100644 --- a/warehouse/macaroons/caveats/_core.py +++ b/warehouse/macaroons/caveats/_core.py @@ -90,7 +90,7 @@ def __init__(self, *args: Any, **kwargs: Any): def add(self, tag: int, cls: type[Caveat]): if tag in self._tags: raise TypeError( - f"Cannot re-use tag: {tag}, already used by {self._tags[tag]}" + f"Cannot reuse tag: {tag}, already used by {self._tags[tag]}" ) self._tags[tag] = cls diff --git a/warehouse/migrations/versions/1ce6d45d7ef_readd_the_unique_constraint_on_pep426_.py b/warehouse/migrations/versions/1ce6d45d7ef_readd_the_unique_constraint_on_pep426_.py index 630d55d48212..a8a06ee160c2 100644 --- a/warehouse/migrations/versions/1ce6d45d7ef_readd_the_unique_constraint_on_pep426_.py +++ b/warehouse/migrations/versions/1ce6d45d7ef_readd_the_unique_constraint_on_pep426_.py @@ -1,6 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 """ -readd the unique constraint on pep426 normalization +re-add the unique constraint on pep426 normalization Revision ID: 1ce6d45d7ef Revises: 23a3c4ffe5d diff --git a/warehouse/migrations/versions/42e76a605cac_remove_the_rego_otk_table_abd_related_.py b/warehouse/migrations/versions/42e76a605cac_remove_the_rego_otk_table_abd_related_.py index 0d4d0c46cf77..f9b1c0a3e867 100644 --- a/warehouse/migrations/versions/42e76a605cac_remove_the_rego_otk_table_abd_related_.py +++ b/warehouse/migrations/versions/42e76a605cac_remove_the_rego_otk_table_abd_related_.py @@ -1,6 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 """ -Remove the rego_otk table abd related index +Remove the rego_otk table and related index Revision ID: 42e76a605cac Revises: 895279cc4490 diff --git a/warehouse/oidc/models/_core.py b/warehouse/oidc/models/_core.py index 6908492ac46d..7f9b94337d7b 100644 --- a/warehouse/oidc/models/_core.py +++ b/warehouse/oidc/models/_core.py @@ -131,7 +131,7 @@ class OIDCPublisherMixin: # A set of claim names which must be present, but can't be verified __required_unverifiable_claims__: set[str] = set() - # Simlar to __verificable_claims__, but these claims are optional + # Similar to __required_verifiable_claims__, but these claims are optional __optional_verifiable_claims__: dict[str, CheckClaimCallable[Any]] = dict() # Claims that have already been verified during the JWT signature diff --git a/warehouse/packaging/models.py b/warehouse/packaging/models.py index 0b3672d1369a..b734ce931dd4 100644 --- a/warehouse/packaging/models.py +++ b/warehouse/packaging/models.py @@ -1099,7 +1099,7 @@ def __table_args__(cls): # noqa @db.listens_for(db.Session, "before_flush") def ensure_monotonic_journals(config, session, flush_context, instances): # We rely on `journals.id` to be a monotonically increasing integer, - # however the way that SERIAL is implemented, it does not guarentee + # however the way that SERIAL is implemented, it does not guarantee # that is the case. # # Ultimately SERIAL fetches the next integer regardless of what happens diff --git a/warehouse/predicates.py b/warehouse/predicates.py index 275af978e6b9..c308be7825d4 100644 --- a/warehouse/predicates.py +++ b/warehouse/predicates.py @@ -30,9 +30,7 @@ def __call__(self, info, request): class HeadersPredicate: def __init__(self, val: list[str], config): if not val: - raise ConfigurationError( - "Excpected at least one value in headers predicate" - ) + raise ConfigurationError("Expected at least one value in headers predicate") self.sub_predicates = [ predicates.HeaderPredicate(subval, config) for subval in val diff --git a/warehouse/rate_limiting/__init__.py b/warehouse/rate_limiting/__init__.py index 978d5f24fc82..17ab817e0c0a 100644 --- a/warehouse/rate_limiting/__init__.py +++ b/warehouse/rate_limiting/__init__.py @@ -92,7 +92,7 @@ def resets_in(self, *identifiers): reset = datetime.fromtimestamp(resets_at, tz=timezone.utc) # If our current datetime is either greater than or equal to when - # the limit resets, then we will skipp it since it has either + # the limit resets, then we will skip it since it has either # already reset, or it is resetting now. if current >= reset: continue diff --git a/warehouse/routes.py b/warehouse/routes.py index b4e79bc27dee..894ed330f36e 100644 --- a/warehouse/routes.py +++ b/warehouse/routes.py @@ -575,7 +575,7 @@ def includeme(config): domain=warehouse, ) config.add_route( - "integrations.github.disclose-token", # For backwards compatiblity + "integrations.github.disclose-token", # For backwards compatibility "/_/github/disclose-token", domain=warehouse, ) diff --git a/warehouse/static/js/warehouse/controllers/collapsible_controller.js b/warehouse/static/js/warehouse/controllers/collapsible_controller.js index 1e44c80abc9d..890a56a2db31 100644 --- a/warehouse/static/js/warehouse/controllers/collapsible_controller.js +++ b/warehouse/static/js/warehouse/controllers/collapsible_controller.js @@ -4,7 +4,7 @@ import { Controller } from "@hotwired/stimulus"; export default class extends Controller { /** - * Get element's collasped status from the cookie. + * Get element's collapsed status from the cookie. * @private */ _getCollapsedCookie() { diff --git a/warehouse/static/sass/blocks/_centered-heading.scss b/warehouse/static/sass/blocks/_centered-heading.scss index c0992791237d..ec43a92efb10 100644 --- a/warehouse/static/sass/blocks/_centered-heading.scss +++ b/warehouse/static/sass/blocks/_centered-heading.scss @@ -1,7 +1,7 @@ /* SPDX-License-Identifier: Apache-2.0 */ /* - A heading aligned in the center, with a sub title and horziontal rule: + A heading aligned in the center, with a sub title and horizontal rule:

Title

diff --git a/warehouse/static/sass/blocks/_dropdown.scss b/warehouse/static/sass/blocks/_dropdown.scss index cc78a3c77ec3..72b62734c621 100644 --- a/warehouse/static/sass/blocks/_dropdown.scss +++ b/warehouse/static/sass/blocks/_dropdown.scss @@ -17,7 +17,7 @@ - Accessbility: + Accessibility: - .dropdown - aria-label: label the entire dropdown. E.g. "Main navigation" - .dropdown__trigger - aria-label: label the button. E.g. "Show menu" - .dropdown__trigger - aria-haspopup: indicates that the button has a popup element attached diff --git a/warehouse/subscriptions/services.py b/warehouse/subscriptions/services.py index 6e8124130e90..c69c3dcf053e 100644 --- a/warehouse/subscriptions/services.py +++ b/warehouse/subscriptions/services.py @@ -437,7 +437,7 @@ def add_subscription( self.db.add(subscription) self.db.add(organization_subscription) - self.db.flush() # flush db now so we have acccess to subscription.id + self.db.flush() # flush db now so we have access to subscription.id # Create new subscription item. subscription_item = StripeSubscriptionItem( diff --git a/warehouse/templates/email/token-compromised-leak/body.html b/warehouse/templates/email/token-compromised-leak/body.html index 6035a8e22e35..3d85db97a70b 100644 --- a/warehouse/templates/email/token-compromised-leak/body.html +++ b/warehouse/templates/email/token-compromised-leak/body.html @@ -37,7 +37,7 @@

How do you know this?

This is an automated message. Our partner {{ origin.name }} analyzes all the data it receives for unintentional {{ site_name }} token publications and warns us every time - it finds one. We check every disclosure we recieve and take action when the token + it finds one. We check every disclosure we receive and take action when the token appears valid.

diff --git a/warehouse/templates/email/token-compromised-leak/body.txt b/warehouse/templates/email/token-compromised-leak/body.txt index f76045489405..764e9ae8d39c 100644 --- a/warehouse/templates/email/token-compromised-leak/body.txt +++ b/warehouse/templates/email/token-compromised-leak/body.txt @@ -37,7 +37,7 @@ How do you know this? This is an automated message. Our partner {{ origin.name }} analyzes all the data it receives for unintentional {{ site_name }} token publications and warns us every time it finds -one. We check every disclosure we recieve and take action when the token appears valid. +one. We check every disclosure we receive and take action when the token appears valid. For more information, see our FAQ at {{ request.help_url(_anchor='compromised-token') }} diff --git a/warehouse/templates/manage/manage_base.html b/warehouse/templates/manage/manage_base.html index c79ca67451fe..c15cdbb91f1e 100644 --- a/warehouse/templates/manage/manage_base.html +++ b/warehouse/templates/manage/manage_base.html @@ -219,7 +219,7 @@

{% trans %}Two factor authentication (2FA){% endtrans %}
    - {# Last breadcrumb can be overriden #} + {# Last breadcrumb can be overridden #} {% block breadcrumb %}
  • {% trans %}Your account{% endtrans %}
    • {% endblock %} diff --git a/warehouse/templates/manage/organization/manage_organization_base.html b/warehouse/templates/manage/organization/manage_organization_base.html index 1f129ba7e1cc..be31b0359f9f 100644 --- a/warehouse/templates/manage/organization/manage_organization_base.html +++ b/warehouse/templates/manage/organization/manage_organization_base.html @@ -16,7 +16,7 @@
  • {% trans %}Your account{% endtrans %}
    • - {# Last breadcrumb can be overriden #} + {# Last breadcrumb can be overridden #} {% block breadcrumb %}
  • diff --git a/warehouse/templates/manage/project/manage_project_base.html b/warehouse/templates/manage/project/manage_project_base.html index 243111dcc14b..8ffaf987c3de 100644 --- a/warehouse/templates/manage/project/manage_project_base.html +++ b/warehouse/templates/manage/project/manage_project_base.html @@ -24,7 +24,7 @@
    • {% endif %} - {# Last breadcrumb can be overriden #} + {# Last breadcrumb can be overridden #} {% block breadcrumb %}
  • diff --git a/warehouse/templates/manage/team/manage_team_base.html b/warehouse/templates/manage/team/manage_team_base.html index fdf74c8fc116..442bf006b42a 100644 --- a/warehouse/templates/manage/team/manage_team_base.html +++ b/warehouse/templates/manage/team/manage_team_base.html @@ -22,7 +22,7 @@ {{ team.organization.name }}
    • - {# Last breadcrumb can be overriden #} + {# Last breadcrumb can be overridden #} {% block breadcrumb %}
  • diff --git a/warehouse/templates/pages/help.html b/warehouse/templates/pages/help.html index 33a833b4f40c..3448f3291101 100644 --- a/warehouse/templates/pages/help.html +++ b/warehouse/templates/pages/help.html @@ -1077,7 +1077,7 @@

    {{ vulnerability_data() }}

    {{ deletion() }}

    {% trans %} - Deletion of a project, release or file on PyPI is permanent and irreversable, without exception. + Deletion of a project, release or file on PyPI is permanent and irreversible, without exception. Deletion of a project makes it uninstallable, and releases the project name for use by any other PyPI user. Deleted files cannot be re-uploaded. Deleted projects, releases or files cannot be restored by PyPI administrators. From c618d70a42e246b1cb4bb8c49e5dd16839fe9574 Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Fri, 15 Aug 2025 11:09:55 -0400 Subject: [PATCH 3/5] lint: selectively ignore one-off occurrences Also demonstrates the correct syntax for different locations: - Python - Markdown - SCSS Signed-off-by: Mike Fiedler --- ...024-08-16-safety-and-security-engineer-year-in-review.md | 2 +- tests/unit/events/test_models.py | 2 +- tests/unit/forklift/test_metadata.py | 6 ++++-- warehouse/oidc/services.py | 2 +- warehouse/static/sass/blocks/_project-description.scss | 3 ++- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/blog/posts/2024-08-16-safety-and-security-engineer-year-in-review.md b/docs/blog/posts/2024-08-16-safety-and-security-engineer-year-in-review.md index 32ee09c340f3..0ff38b974832 100644 --- a/docs/blog/posts/2024-08-16-safety-and-security-engineer-year-in-review.md +++ b/docs/blog/posts/2024-08-16-safety-and-security-engineer-year-in-review.md @@ -243,7 +243,7 @@ with the added benefit of making it easier for others to contribute. As well as "routine" work - handling inbound reports, analysis, and response. I also attended some conferences, round tables, and meetings, including -Fastly Altitude 2023, AWS re:Invent 2023, PyCon US 2024, and AWS re:Inforce 2024, +Fastly Altitude 2023, AWS re:Invent 2023, PyCon US 2024, and AWS re:Inforce 2024, amongst some. I've also been getting more involved with the [OpenSSF](https://openssf.org/) diff --git a/tests/unit/events/test_models.py b/tests/unit/events/test_models.py index e5c9331a3460..ca7dc88b4e3e 100644 --- a/tests/unit/events/test_models.py +++ b/tests/unit/events/test_models.py @@ -76,7 +76,7 @@ class TestUserAgentInfo: ), ( ( - "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 " + "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 " # codespell:ignore # noqa: E501 "(KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36" ), { diff --git a/tests/unit/forklift/test_metadata.py b/tests/unit/forklift/test_metadata.py index 7cca4748a904..192804b1a3a8 100644 --- a/tests/unit/forklift/test_metadata.py +++ b/tests/unit/forklift/test_metadata.py @@ -148,7 +148,7 @@ def test_invalid_classifier(self): def test_deprecated_classifiers_with_replacement(self, backfill): data = ( b"Metadata-Version: 2.1\nName: spam\nVersion: 2.0\n" - b"Classifier: Natural Language :: Ukranian\n" + b"Classifier: Natural Language :: Ukranian\n" # codespell:ignore ) if not backfill: @@ -157,7 +157,9 @@ def test_deprecated_classifiers_with_replacement(self, backfill): _assert_invalid_metadata(excinfo.value, "classifier") else: meta = metadata.parse(data, backfill=True) - assert meta.classifiers == ["Natural Language :: Ukranian"] + assert meta.classifiers == [ + "Natural Language :: Ukranian" # codespell:ignore + ] @pytest.mark.parametrize("backfill", [True, False]) def test_deprecated_classifiers_no_replacement(self, backfill): diff --git a/warehouse/oidc/services.py b/warehouse/oidc/services.py index e46b985e4e19..69f53777af06 100644 --- a/warehouse/oidc/services.py +++ b/warehouse/oidc/services.py @@ -240,7 +240,7 @@ def store_jwt_identifier(self, jti: str, expiration: int) -> None: # released before the token invalidation. r.set( f"/warehouse/oidc/{self.publisher}/{jti}", - exat=expiration + 5, + exat=expiration + 5, # codespell:ignore exat value="", # empty value to lower memory usage nx=True, ) diff --git a/warehouse/static/sass/blocks/_project-description.scss b/warehouse/static/sass/blocks/_project-description.scss index 0430c361b0a2..3a0f4886175a 100644 --- a/warehouse/static/sass/blocks/_project-description.scss +++ b/warehouse/static/sass/blocks/_project-description.scss @@ -383,7 +383,8 @@ $black: #000; color: $darkest-blue; } - .nd { /* Name.Decorator */ + // stylelint-disable-next-line comment-empty-line-before -- codespell syntax + .nd { /* Name.Decorator */ /* codespell:ignore nd */ color: $mid-grey; } From f9821a368152d0584715751a7aba6153dec74015 Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Fri, 5 Sep 2025 14:33:11 -0400 Subject: [PATCH 4/5] chore: remove unneeded exceptions stub Was a typo before, unnecessary, as the stub expresses the necessary raises. Signed-off-by: Mike Fiedler --- tests/unit/oidc/forms/test_activestate.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/unit/oidc/forms/test_activestate.py b/tests/unit/oidc/forms/test_activestate.py index c957ff2c3d4d..ae16322d6b5e 100644 --- a/tests/unit/oidc/forms/test_activestate.py +++ b/tests/unit/oidc/forms/test_activestate.py @@ -128,7 +128,6 @@ def test_lookup_actor_404(self, monkeypatch): ) requests = pretend.stub( post=pretend.call_recorder(lambda o, **kw: response), - exception=_requests.exceptions, Timeout=Timeout, HTTPError=HTTPError, ConnectionError=ConnectionError, @@ -160,7 +159,6 @@ def test_lookup_actor_other_http_error(self, monkeypatch): ) requests = pretend.stub( post=pretend.call_recorder(lambda o, **kw: response), - exception=_requests.exceptions, Timeout=Timeout, HTTPError=HTTPError, ConnectionError=ConnectionError, From bc4fe538054e671f2b27f3e8de306a830f8b63e5 Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Fri, 5 Sep 2025 14:34:30 -0400 Subject: [PATCH 5/5] chore: remove automatic spelling fixes Let the user determine the correct spelling. Signed-off-by: Mike Fiedler --- bin/reformat | 2 -- 1 file changed, 2 deletions(-) diff --git a/bin/reformat b/bin/reformat index 33f9d8321c82..e2420b8b49c3 100755 --- a/bin/reformat +++ b/bin/reformat @@ -1,8 +1,6 @@ #!/usr/bin/env bash set -ex -# Fix typos before other changes, as they may affect formatting. -codespell --write find . -name '*.py' -exec python -m pyupgrade --py313-plus {} + python -m isort *.py warehouse/ tests/ python -m black *.py warehouse/ tests/