Policies

Version policy

PyBandit uses a loose variant of semantic versioning (SemVer) to govern deprecations, API compatibility, and version numbering.

A PyBandit release number is made up of MAJOR.MINOR.PATCH.

API breaking changes should only occur in major releases. These changes will be documented, with clear guidance on what is changing, why it’s changing, and how to migrate existing code to the new behavior.

Whenever possible, a deprecation path will be provided rather than an outright breaking change.

PyBandit will introduce deprecations in minor releases. These deprecations will preserve the existing behavior while emitting a warning that provide guidance on:

• How to achieve similar behavior if an alternative is available

• The PyBandit version in which the deprecation will be enforced.

We will not introduce new deprecations in patch releases.

Deprecations will only be enforced in major releases. For example, if a behavior is deprecated in PyBandit 1.2.0, it will continue to work, with a warning, for all releases in the 1.x series. The behavior will change and the deprecation removed in the next major release (2.0.0).

Note

PyBandit will sometimes make behavior changing bug fixes, as part of minor or patch releases. Whether or not a change is a bug fix or an API-breaking change is a judgement call. We’ll do our best, and we invite you to participate in development discussion on the issue tracker or mailing list.

These policies do not apply to features marked as experimental in the documentation. PyBandit may change the behavior of experimental features at any time.

Python support

PyBandit mirrors the NumPy guidelines for Python support.

Security policy

To report a security vulnerability to PyBandit, please go to pybandit/pybandit and see the instructions there.