[pyflakes] Mark F523 fix as unsafe when it removes a meaningful .format(...) call

adityasingh2400 · adityasingh2400 · commit 99d4014d820e · 2026-05-22T05:45:34.000-07:00
When every positional argument is unused, `F523` removes the entire `.format(...)` call. That changes behavior whenever the format string relies on the call: * Brace escapes: `"{{".format("!")` returns "{", but `"{{"` is two characters. * Named placeholders: `"{x}".format("!")` raises `KeyError`, but `"{x}"` quietly succeeds. Detect these cases and downgrade the fix applicability to `Unsafe`, so users opt in via `--unsafe-fixes` instead of having the autofix silently change runtime behavior. Side-effect detection keeps its existing behavior; the new check just widens the set of unsafe cases. Closes #15557
diff --git a/crates/ruff_linter/resources/test/fixtures/pyflakes/F523.py b/crates/ruff_linter/resources/test/fixtures/pyflakes/F523.py
@@ -43,3 +43,10 @@
 # The fix here is safe because the unused argument has no side effect,
 # even though the used argument has a side effect
 "Hello, {0}".format(print(1), "Pikachu")
+
+# https://github.com/astral-sh/ruff/issues/15557
+# These fixes must be unsafe: removing the `.format(...)` call entirely changes the
+# string ("{{" is two characters but `"{{".format()` is one), or suppresses a
+# KeyError raised by an unset named placeholder.
+"{{".format("!")
+"{x}".format("!")
diff --git a/crates/ruff_linter/src/rules/pyflakes/rules/strings.rs b/crates/ruff_linter/src/rules/pyflakes/rules/strings.rs
@@ -920,6 +920,14 @@ pub(crate) fn string_dot_format_extra_positional_arguments(
     );
 
     if is_contiguous_from_end(&missing, args) {
+        // If every argument is being removed and the format string contains `{{`, `}}`,
+        // or named placeholders, removing the entire `.format(...)` call changes the
+        // string's observable behavior (`"{{".format()` returns `"{"`, but `"{{"` is
+        // two characters; `"{x}".format()` raises `KeyError`, but `"{x}"` does not).
+        // Mark such fixes as unsafe.
+        let removes_format_call = missing.len() == args.len();
+        let format_string_meaningful = removes_format_call
+            && format_string_has_braces_or_named_field(call, summary);
         diagnostic.try_set_fix(|| {
             let edit = remove_unused_positional_arguments_from_format_call(
                 &missing,
@@ -929,8 +937,7 @@ pub(crate) fn string_dot_format_extra_positional_arguments(
             )?;
             Ok(Fix::applicable_edit(
                 edit,
-                // Mark fix as unsafe if the `format` call contains an argument with side effect
-                if side_effects {
+                if side_effects || format_string_meaningful {
                     Applicability::Unsafe
                 } else {
                     Applicability::Safe
@@ -940,6 +947,23 @@ pub(crate) fn string_dot_format_extra_positional_arguments(
     }
 }
 
+/// Returns `true` when the `format` call's target string literal contains either
+/// a brace-escape (`{{` / `}}`) or a named field. Both cases survive only as long
+/// as the `.format(...)` call survives, so removing the call entirely silently
+/// changes the resulting string or suppresses a `KeyError`.
+fn format_string_has_braces_or_named_field(call: &ast::ExprCall, summary: &FormatSummary) -> bool {
+    if !summary.keywords.is_empty() {
+        return true;
+    }
+    let Expr::Attribute(attribute) = &*call.func else {
+        return false;
+    };
+    let Expr::StringLiteral(literal) = &*attribute.value else {
+        return false;
+    };
+    literal.value.to_str().bytes().any(|b| b == b'{' || b == b'}')
+}
+
 /// F524
 pub(crate) fn string_dot_format_missing_argument(
     checker: &Checker,
diff --git a/crates/ruff_linter/src/rules/pyflakes/snapshots/ruff_linter__rules__pyflakes__tests__F523_F523.py.snap b/crates/ruff_linter/src/rules/pyflakes/snapshots/ruff_linter__rules__pyflakes__tests__F523_F523.py.snap
@@ -332,10 +332,49 @@ F523 [*] `.format` call has unused arguments at position(s): 1
 44 | # even though the used argument has a side effect
 45 | "Hello, {0}".format(print(1), "Pikachu")
    | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+46 |
+47 | # https://github.com/astral-sh/ruff/issues/15557
    |
 help: Remove extra positional arguments at position(s): 1
 42 |
 43 | # The fix here is safe because the unused argument has no side effect,
 44 | # even though the used argument has a side effect
    - "Hello, {0}".format(print(1), "Pikachu")
 45 + "Hello, {0}".format(print(1), )
+46 |
+47 | # https://github.com/astral-sh/ruff/issues/15557
+48 | # These fixes must be unsafe: removing the `.format(...)` call entirely changes the
+
+F523 [*] `.format` call has unused arguments at position(s): 0
+  --> F523.py:51:1
+   |
+49 | # string ("{{" is two characters but `"{{".format()` is one), or suppresses a
+50 | # KeyError raised by an unset named placeholder.
+51 | "{{".format("!")
+   | ^^^^^^^^^^^^^^^^
+52 | "{x}".format("!")
+   |
+help: Remove extra positional arguments at position(s): 0
+48 | # These fixes must be unsafe: removing the `.format(...)` call entirely changes the
+49 | # string ("{{" is two characters but `"{{".format()` is one), or suppresses a
+50 | # KeyError raised by an unset named placeholder.
+   - "{{".format("!")
+51 + "{{"
+52 | "{x}".format("!")
+note: This is an unsafe fix and may change runtime behavior
+
+F523 [*] `.format` call has unused arguments at position(s): 0
+  --> F523.py:52:1
+   |
+50 | # KeyError raised by an unset named placeholder.
+51 | "{{".format("!")
+52 | "{x}".format("!")
+   | ^^^^^^^^^^^^^^^^^
+   |
+help: Remove extra positional arguments at position(s): 0
+49 | # string ("{{" is two characters but `"{{".format()` is one), or suppresses a
+50 | # KeyError raised by an unset named placeholder.
+51 | "{{".format("!")
+   - "{x}".format("!")
+52 + "{x}"
+note: This is an unsafe fix and may change runtime behavior
