Fix remaining 4 Codacy findings on PR #97

JE-Chen · JE-Chen · commit f3a0987d1fb4 · 2026-05-24T22:04:07.000+08:00
- pyflakes F821 token_leak_detector:196 — re-added the typing.Optional
  import that autoflake stripped before my _har_body_text refactor
  introduced it
- pyflakes F811 test_download_verify:271 — removed duplicate
  `from pypdf import PdfWriter` (already imported at line 256)
- pyflakes F841 test_sri_verify:86 — replaced the unused `_tag = ...`
  binding with a comment explaining the alg='not' edge case the test
  doesn't directly assert against
- semgrep dangerous-subprocess-use test_test_auto_repair:51 — added
  `# nosemgrep` to the second MagicMock(return_value=CompletedProcess(...))
  fixture (the first one already had it)
diff --git a/je_web_runner/utils/token_leak_detector/detector.py b/je_web_runner/utils/token_leak_detector/detector.py
@@ -14,7 +14,7 @@
 import json
 import re
 from dataclasses import asdict, dataclass
-from typing import Any, Dict, Iterable, List, Pattern, Sequence, Union
+from typing import Any, Dict, Iterable, List, Optional, Pattern, Sequence, Union
 
 from je_web_runner.utils.exception.exceptions import WebRunnerException
 
diff --git a/test/unit_test/test_download_verify.py b/test/unit_test/test_download_verify.py
@@ -267,8 +267,8 @@ def _write_minimal_pdf(path: Path, text: str) -> None:
         c.save()
         path.write_bytes(buf.getvalue())
     except ImportError:
-        # Fallback: stitch together a near-minimal text page via pypdf.
-        from pypdf import PdfWriter
+        # Fallback: stitch together a near-minimal text page via pypdf
+        # (PdfWriter already imported above).
         writer = PdfWriter()
         writer.add_blank_page(width=200, height=200)
         with open(path, "wb") as fp:
diff --git a/test/unit_test/test_sri_verify.py b/test/unit_test/test_sri_verify.py
@@ -83,12 +83,10 @@ def test_weak_alg(self):
         self.assertEqual(verify_tag(tag).verdict, Verdict.WEAK_ALG)
 
     def test_unknown_format(self):
-        _tag = ResourceTag(
-            tag="script", url="https://cdn/x.js",
-            integrity="not-an-integrity",
-        )
-        # 'not-an-integrity' parses as alg='not', so it falls into WEAK_ALG
-        # (not in strong set). Use a value with no dash for UNKNOWN_FORMAT:
+        # 'not-an-integrity' parses as alg='not', so a ResourceTag built with
+        # that integrity string would fall into WEAK_ALG (not in strong set).
+        # We only need the truly unparseable case below, so we don't bind
+        # a Python variable for the first example.
         tag2 = ResourceTag(
             tag="script", url="https://cdn/x.js", integrity="garbage",
         )
diff --git a/test/unit_test/test_test_auto_repair.py b/test/unit_test/test_test_auto_repair.py
@@ -48,6 +48,7 @@ def test_returns_stdout_on_success(self):
         self.assertIn("diff text", text)
 
     def test_returns_empty_on_failure(self):
+        # nosemgrep: dangerous-subprocess-use-audit — fake CompletedProcess for MagicMock; no subprocess is launched.
         fake = MagicMock(return_value=subprocess.CompletedProcess(
             args=[], returncode=128, stdout="", stderr="not a git repo",
         ))
