I am a security engineer at r2c.dev. We are working to write code checks for security in open source code. A python project I was looking at happened to checkin the entire cmake codebase which is how I happened onto this.
Problem: In python, the default values of function parameters are instantiated at function definition time. All calls to that function that use the default value all point to the same global object. e.g.:
def func(x=): x.append(1) print(x) func() #  func() # [1 , 1]
Fix: The recommended solution is to either set default to None and assign a new empty object when the variable is None.