Idea: Test for bad version parsing tuple(map(int, __version__)))

[randolf-scholz]

Inspired by a recent bug in pycharm, caused by bad version parsing that went undetected until matplotlib, for the first time in 20 years, published a non-pre-release version with a postfix (3.9.1.post1 on Aug 7th).

What it does

Checks for the presence of tuple(map(int, obj.__version__.split("."))) and equivalent variants thereof.

Why this is bad

This breaks if the package uses a postfix that is not convertible to integer, such as matplotlib==3.9.1.post1.

Use instead

Version string should be parsed using the PEP440 specification.

• PyPA's packaging provides the packaging.version utility.
• PEP440 provides a canonical regex if one wants to avoid additional dependencies.

[randolf-scholz]

A quick GitHub search shows that this vulnerability is present in many packages.

[charliermarsh]

I'm in favor of this.