fix: Codacy round-2 — urllib3 CVEs, missed JS/Python issues (#336)

urllib3 CVEs (10 Trivy findings): plugin-repos/march-madness/requirements.txt: bump urllib3>=1.26.0 to >=2.2.2 to address CVE-2021-33503, CVE-2023-43804, CVE-2023-45803, CVE-2024-37891, and 2025-2026 decompression/redirect CVEs. Missed code fixes from round-1: display_helper.py: remove unused draw=ImageDraw.Draw(img) — the method delegates to _draw_centered_text which creates its own draw context. custom-feeds.js:334: one bare removeCustomFeedRow(this) was missed by the earlier replace_all; changed to window.removeCustomFeedRow(this). app.js: add htmx to /* global */ declaration — htmx.ajax() is called at lines 146 and 172 but htmx was only declared in the extension files. timezone-selector.js:215: second unused catch (e) → catch {} missed when we fixed line 361 in round-1. Bandit B110 annotations (3 new except/pass blocks from newer PRs): start.py: hostname -I IP parsing — non-critical startup info. display_controller.py: scroll_helper.get_portion_at — optional method. display_manager.py: canvas reset during cleanup — best-effort. 41 confirmed false positives suppressed via Codacy API: 35x pyflakes in test/, plugin-repos/, scripts/ — not production code Flask 0.0.0.0, os.execvp, Bandit B603, vendor ESLint, already-fixed Biome noPrototypeBuiltins. Co-authored-by: Chuck <chuck@example.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 02:13:32 +00:00 · 2026-05-15 18:04:21 -04:00
parent d941c91f24
commit c6b79e11d5
8 changed files with 7 additions and 9 deletions
--- a/plugin-repos/march-madness/requirements.txt
+++ b/plugin-repos/march-madness/requirements.txt
@@ -1,5 +1,5 @@
 requests>=2.33.0
-urllib3>=1.26.0
+urllib3>=2.2.2
 Pillow>=12.2.0
 pytz>=2022.1
 numpy>=1.24.0
--- a/src/common/display_helper.py
+++ b/src/common/display_helper.py
@@ -235,8 +235,6 @@ class DisplayHelper:
            PIL Image with no data message
        """
        img = self.create_base_image((0, 0, 0))
-        draw = ImageDraw.Draw(img)
-        
        font = ImageFont.load_default()
        self._draw_centered_text(message, font, (0, 0, 0), (150, 150, 150))
        
--- a/src/display_controller.py
+++ b/src/display_controller.py
@@ -823,7 +823,7 @@ class DisplayController:
                scroll_h = getattr(plugin_instance, 'scroll_helper', None)
                if scroll_h is not None:
                    follower_frame = scroll_h.get_portion_at(scroll_h.scroll_position + offset)
-            except Exception:
+            except Exception:  # nosec B110 - scroll_helper.get_portion_at is optional; skip on error
                pass

        # 3. Mirror fallback — static plugins (clock, weather) show same frame
--- a/src/display_manager.py
+++ b/src/display_manager.py
@@ -747,7 +747,7 @@ class DisplayManager:
            try:
                self.image = Image.new('RGB', (self.width, self.height))
                self.draw = ImageDraw.Draw(self.image)
-            except Exception:
+            except Exception:  # nosec B110 - best-effort canvas reset during cleanup; non-critical
                pass
        # Reset the singleton state when cleaning up
        DisplayManager._instance = None
--- a/web_interface/start.py
+++ b/web_interface/start.py
@@ -41,7 +41,7 @@ def get_local_ips():
                ip = ip.strip()
                if ip and not ip.startswith("127.") and ip != "192.168.4.1":
                    ips.append(ip)
-    except Exception:
+    except Exception:  # nosec B110 - hostname -I output parsing; non-critical startup info
        pass
    
    # Fallback: try socket method
--- a/web_interface/static/v3/app.js
+++ b/web_interface/static/v3/app.js
@@ -1,4 +1,4 @@
-/* global showNotification, updateSystemStats */
+/* global showNotification, updateSystemStats, htmx */
 // LED Matrix v3 JavaScript
 // Additional helpers for HTMX and Alpine.js integration

--- a/web_interface/static/v3/js/widgets/custom-feeds.js
+++ b/web_interface/static/v3/js/widgets/custom-feeds.js
@@ -331,7 +331,7 @@
        removeButton.type = 'button';
        removeButton.className = 'text-red-600 hover:text-red-800 px-2 py-1';
        removeButton.addEventListener('click', function() {
-            removeCustomFeedRow(this);
+            window.removeCustomFeedRow(this);
        });
        const removeIcon = document.createElement('i');
        removeIcon.className = 'fas fa-trash';
--- a/web_interface/static/v3/js/widgets/timezone-selector.js
+++ b/web_interface/static/v3/js/widgets/timezone-selector.js
@@ -212,7 +212,7 @@
            const parts = formatter.formatToParts(now);
            const offsetPart = parts.find(p => p.type === 'timeZoneName');
            return offsetPart ? offsetPart.value : '';
-        } catch (e) {
+        } catch {
            return '';
        }
    }