chore: project optimization and code quality improvements#1
Closed
chore: project optimization and code quality improvements#1
Conversation
- Replace bare exception handlers with specific exception types and logging in resource_monitor.py, workflow.py, and metrics.py for better debugging - Implement atomic checkpoint saving in base.py using temp file + rename to prevent corruption during concurrent access - Fix memory leak in fusion strategies by only storing attention weights during evaluation mode, not training - Add path traversal protection in medical.py dataset loader with resolve() and is_relative_to() validation - Harden torch.load calls across 6 files with weights_only=True parameter to prevent arbitrary code execution via pickle deserialization - Add TODO comment to NodeExecutor base class for implementation guidance
- Lock uv.lock to ensure reproducible builds across environments - Add .nvmrc (Node.js v22) for frontend development consistency - Update .gitignore to exclude .claude/ directory (Claude Code config) - Update Python version constraint to <3.14 in uv.lock These changes improve: 1. Dependency reproducibility (uv.lock) 2. Frontend tooling consistency (.nvmrc) 3. Git cleanliness (.gitignore for .claude/) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Format 42 files with ruff format - Fix 25 linting issues automatically with ruff check --fix - Remaining 15 issues are in scripts (E402, F401, F841) and don't affect core library Changes include: - Remove f-string without placeholders (F541) - Update deprecated type annotations (UP006, UP035) - Remove redundant open modes (UP015) - Remove unused imports in scripts Core library (med_core/) has 0 linting issues. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Contributor
Author
|
Closing for now - will continue optimization before review |
There was a problem hiding this comment.
Pull request overview
This PR focuses on repo-wide code quality/formatting cleanups and a handful of safety/reliability improvements (notably around checkpoint loading and dataset path handling) for the MedFusion codebase.
Changes:
- Apply ruff-style formatting and small lint fixes across scripts, examples, notebooks, and core modules.
- Harden checkpoint handling (atomic checkpoint writes;
torch.load(..., weights_only=True)in multiple loaders; improved exception logging instead of silentpass). - Add a path-traversal mitigation when building image paths from CSV rows in
MedicalMultimodalDataset.from_csv.
Reviewed changes
Copilot reviewed 56 out of 58 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| web/test_optimizations.py | Formatting and minor style fixes. |
| web/test_backend.py | Formatting and consistent quoting in test script. |
| src/utils/clean_table.py | Formatting + minor API usage adjustments (see comment re pandas deprecation). |
| src/engine/trainer.py | Formatting and consistent dict key quoting. |
| src/data/dataset.py | Formatting; improves readability of error message and type literals. |
| scripts/verify_ci_fixes.py | Formatting and consistent quoting. |
| scripts/test_pluggability.py | Make pytest skip call multi-line; formatting of calculations/ternaries. |
| scripts/test_enhanced_report.py | Remove unused import; formatting improvements. |
| scripts/test_attention_supervision.py | Formatting and minor string formatting cleanup. |
| scripts/smoke_test.py | Formatting and readability of long prints/calls. |
| scripts/simple_test.py | Formatting of logging configuration. |
| scripts/quick_simulation_test.py | Remove unused imports; formatting. |
| scripts/quick_ci_test.py | Formatting (blank line after docstring). |
| scripts/generate_test_stubs.py | Formatting and consistent quoting; safer file open style. |
| scripts/generate_mock_data.py | Formatting of function signatures and long prints. |
| scripts/full_workflow_test.py | Formatting and readability improvements. |
| scripts/compare_benchmarks.py | Formatting of long expressions/list comprehensions. |
| scripts/ci_diagnostic.py | Modernize typing (list[...], tuple[...]), formatting, and command invocations. |
| scripts/analyze_coverage.py | Formatting and consistent quoting/__main__ guard. |
| notebooks/quickstart.ipynb | Normalize string quoting in a cell. |
| med_core_rs/test_quick.py | Formatting and arithmetic spacing in benchmark output. |
| med_core_rs/test_percentile_analysis.py | Formatting and arithmetic spacing; readability. |
| med_core_rs/test_mil.py | Formatting and consistent quoting; readability in prints. |
| med_core_rs/test_3d.py | Formatting and readability; slightly clearer asserts/prints. |
| med_core_rs/integration_example.py | Formatting and readability for the integration example. |
| med_core_rs/example_integration.py | Formatting and readability; minor slicing style cleanup. |
| med_core_rs/benchmark_standalone.py | Formatting and readability of benchmark helpers/prints. |
| med_core_rs/benchmark_comparison.py | Formatting; readability of prints and list comprehensions. |
| med_core_rs/benchmark_3d.py | Formatting and readability of benchmark output. |
| med_core_rs/analyze_bottleneck.py | Formatting and readability of benchmark output. |
| med_core/web/routers/workflow.py | Avoid silently swallowing websocket errors; log debug details instead. |
| med_core/web/resource_monitor.py | Log debug details on cleanup/telemetry failures instead of pass. |
| med_core/web/node_executors.py | Add TODO comment clarifying abstract method intent. |
| med_core/web/checkpoint_manager.py | Use torch.load(..., weights_only=True) when loading model weights dicts. |
| med_core/utils/distributed.py | Use torch.load(..., weights_only=True) for distributed checkpoint loads. |
| med_core/utils/checkpoint.py | Use torch.load(..., weights_only=True) for checkpoint loads. |
| med_core/trainers/base.py | Atomic checkpoint writes + weights_only=True for loads. |
| med_core/shared/model_utils/training.py | Use torch.load(..., weights_only=True) for checkpoint loads. |
| med_core/shared/model_utils/metrics.py | Log debug info when bootstrap iterations fail. |
| med_core/fusion/strategies.py | Only store detached “last attention/gate” tensors in eval mode. |
| med_core/datasets/medical.py | Add path resolution + containment check to mitigate CSV path traversal. |
| med_core/cli/evaluate.py | Use torch.load(..., weights_only=True) when loading evaluation checkpoints. |
| examples/train_demo.py | Formatting of config construction and calls. |
| examples/smurf_usage.py | Formatting and consistent quoting. |
| examples/model_export_demo.py | Formatting of long prints and exception block spacing. |
| examples/logging_demo.py | Formatting; readability for long logging calls. |
| examples/hyperparameter_tuning_demo.py | Formatting; readability for optimizer selection. |
| examples/gradient_checkpointing_demo.py | Formatting of long prints. |
| examples/exception_handling_demo.py | Formatting and trailing commas for better diffs/readability. |
| examples/distributed_training_demo.py | Formatting and consistent dict key quoting. |
| examples/cache_demo_simple.py | Formatting and consistent quoting. |
| examples/cache_demo.py | Switch to triple-double-quoted snippet string; formatting. |
| examples/benchmark_demo.py | Switch to triple-double-quoted snippet strings; formatting. |
| examples/advanced_attention_demo.py | Switch to triple-double-quoted snippet strings; formatting. |
| docs/conf.py | Formatting and consistent quoting in Sphinx config. |
| .nvmrc | Add Node version pin for local dev consistency. |
| .gitignore | Ignore .claude/ directory. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+193
to
+201
| # Resolve to absolute path and validate it's within image_dir | ||
| try: | ||
| img_path = img_path.resolve() | ||
| # Ensure the resolved path is within image_dir (prevent path traversal) | ||
| if not Path(img_name).is_absolute(): | ||
| image_dir_resolved = image_dir.resolve() | ||
| if not str(img_path).startswith(str(image_dir_resolved)): | ||
| logger.warning(f"Path traversal attempt detected: {img_name}") | ||
| continue |
There was a problem hiding this comment.
The path traversal protection here is not reliable: using str(img_path).startswith(str(image_dir_resolved)) can be bypassed with paths that share the same prefix (e.g. /data/images_evil/...) and can behave incorrectly on Windows due to path normalization/case. Prefer img_path.is_relative_to(image_dir_resolved) (Py>=3.9) or os.path.commonpath on resolved paths. Also consider whether absolute img_name values should be allowed at all; currently they bypass the containment check entirely.
Comment on lines
+195
to
+199
| img_path = img_path.resolve() | ||
| # Ensure the resolved path is within image_dir (prevent path traversal) | ||
| if not Path(img_name).is_absolute(): | ||
| image_dir_resolved = image_dir.resolve() | ||
| if not str(img_path).startswith(str(image_dir_resolved)): |
There was a problem hiding this comment.
image_dir.resolve() is recomputed on every row. Since image_dir is constant for the entire CSV load, resolve it once before the loop and reuse it (this also makes the traversal check easier to read).
Comment on lines
+193
to
+204
| # Resolve to absolute path and validate it's within image_dir | ||
| try: | ||
| img_path = img_path.resolve() | ||
| # Ensure the resolved path is within image_dir (prevent path traversal) | ||
| if not Path(img_name).is_absolute(): | ||
| image_dir_resolved = image_dir.resolve() | ||
| if not str(img_path).startswith(str(image_dir_resolved)): | ||
| logger.warning(f"Path traversal attempt detected: {img_name}") | ||
| continue | ||
| except (OSError, RuntimeError) as e: | ||
| logger.warning(f"Invalid path {img_name}: {e}") | ||
| continue |
There was a problem hiding this comment.
This introduces new security-relevant behavior (skipping records when a traversal attempt is detected) but there are no regression tests covering it. Add a unit test (e.g., in the dataset tests) with an image_path like ../outside.png to assert it’s rejected/skipped as intended.
Comment on lines
378
to
380
| elif self.missing_strategy == "forward_fill": | ||
| df_filled[column].fillna(method='ffill', inplace=True) | ||
| df_filled[column].fillna(method="ffill", inplace=True) | ||
| self.cleaning_stats["missing_filled"] += missing_count |
There was a problem hiding this comment.
fillna(method="ffill", inplace=True) is deprecated in recent pandas versions and inplace=True on a column can trigger chained-assignment issues. Prefer df_filled[column] = df_filled[column].ffill() (or df_filled[column] = df_filled[column].fillna(... ) without inplace).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR includes comprehensive project optimization and code quality improvements for the MedFusion framework.
Changes
1. Project Configuration Optimization (c4d6b58)
uv.lockto ensure reproducible builds across environments.nvmrc(v22) for frontend development consistency.claude/directory (Claude Code configuration)requires-python = ">=3.11, <3.14"in uv.lock2. Code Quality Improvements (3deca1a)
ruff check --fixImpact
med_core/): 0 linting issuesTesting
Checklist
ruff formatruff check --fixuv.lockNote: This PR improves code quality and project maintainability without changing any functionality.