FluxML / MacroTools.jl

MacroTools provides a library of tools for working with Julia code and expressions.
https://fluxml.ai/MacroTools.jl/stable/

Split sourcewalk into its own package? #121

Closed oxinabox closed 4 years ago

oxinabox commented 5 years ago

MacroTools has a lot of packages that depend on it. It is comfortably in the top 10. It is a prime target for anyone wanting to inject malicious code. Luckily it is fairly simple and small, so easy enough to detect.

The sourcewalk code brings in a number of dependencies (CSTParser and Tokenize), which increase the attack surface, particularly as these are much less simple and small.

We know no one is using that in production since it requires deving a custom branch of CSTParser, so I am thinking before it is stabilized, sourcewalk can move out to its own package.

MikeInnes commented 5 years ago

While this is certainly doable, CSTParser is likely to go into Base/stdlib soon anyway, which might negate the benefit.

oxinabox commented 5 years ago

I know that has been proposed a few times. But I don't know that it is actually going to happen soon. And I am personally not sure it is a good idea.