This repository is part of a public portfolio, so the bar is practical
correctness, clear documentation, and reproducible checks. For
safejson, "quality" means the parser contract is precise enough for
untrusted input, the public docs do not overclaim, and every policy is
covered by executable tests.
ruff check .must pass with the full configured rule set.pytest --cov=safejson --cov-branch --cov-fail-under=100must keep line and branch coverage at 100%.mypy --strict src/safejsonmust pass with no ignores added to hide public API uncertainty.- The Python 3.9, 3.10, 3.11, and 3.12 GitHub Actions matrix must stay green.
python -m buildmust produce installable wheel and sdist artifacts.- Public behavior changes must include happy-path, edge-case, and error tests, plus docs updates when the API contract changes.
- The streaming scanner must remain iterative; deeply nested hostile
input should raise
LimitExceededError, notRecursionError. - Syntax,
allow_nan, and everyLimitsceiling must be enforced beforejson.loadsconstructs containers. - Duplicate-key and type-whitelist behavior may rely on stdlib decode hooks, but README wording must continue to make that phase boundary explicit.
- RFC 8259 conformance tests must compare ordinary valid values with
Python's stdlib and pin the deliberate differences:
NaN/Infinityrejection and duplicate-key rejection by default.
- Run the required checks locally.
- Confirm GitHub Actions is green on the default branch.
- Confirm Dependabot and secret scanning have no open alerts.
- Confirm the README still describes the actual API and scope.
- Smoke-test the installed wheel with
safejson.loads(...)before a release tag.