• LLVM recommends using Black 23.x for Python code formatting.
• Black 23.x faces CVE-2024-21503, a regex denial-of-service vulnerability.
• The vulnerability could trigger excessive CPU usage during formatting.
• LLVM advises avoiding manual line-length overrides to maintain consistency.
• Projects must decide whether to upgrade or patch Black to mitigate risk.

Article Summaries:

  • LLVM's coding standards currently mandate the Python formatter Black 23.x. A newly disclosed CVE-2024-21503, a regular-expression denial-of-service vulnerability, affects this version, triggering Dependabot alerts in LLVM projects. The LLVM community is debating whether to upgrade to the latest Black 26.x release. Running Black 26.1.0 on the monorepo would reformat 982 files, adding over 3,500 insertions and 4,100 deletions, potentially causing significant churn. Stakeholders are weighing the security benefit against the maintenance cost, considering whether to adopt the newer version immediately or postpone until a future release.

Sources: