python sanitizing filenames with external library
sanitize-filename · PyPI does what it says on the box.
It’s more complex than the replace--/ that I had in mind: sanitize_filename/sanitize_filename.py · master · jplusplus / sanitize-filename · GitLab
And intuition tells me using external semi-unknown libraries like this might be a security risk.
TODO - what is the best practice for user-provided values that might become filenames?.. Something not smelling of either injection vulns or dependency vulns?
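One standard-library-only way to approach the TODO above, as an added example (not code from this post or from the sanitize-filename library): an allowlist sanitizer plus a check that the final path stays inside the target directory. The names `safe_filename` and `confined_path`, the allowed character set and the 100-character limit are assumptions chosen for illustration.

```python
import re
import unicodedata
from pathlib import Path

# Windows device names that are invalid as a file stem regardless of extension.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]+")  # allowlist: any other run becomes "_"


def safe_filename(user_value: str, default: str = "file", max_len: int = 100) -> str:
    """Reduce an untrusted string to a single, portable path component."""
    # Fold compatibility forms (accents, fullwidth letters), then drop non-ASCII.
    text = unicodedata.normalize("NFKD", user_value).encode("ascii", "ignore").decode("ascii")
    # Keep only the last component, whichever separator style was used.
    text = text.replace("\\", "/").rsplit("/", 1)[-1]
    text = _DISALLOWED.sub("_", text)
    # Leading dots give hidden files or "..": strip them, then cap the length.
    text = text.strip("._ ")[:max_len].rstrip("._ ")
    if not text:
        return default  # nothing usable survived (empty input, "..", only symbols)
    if text.split(".", 1)[0].upper() in _RESERVED:
        text = "_" + text  # may exceed max_len by one character
    return text


def confined_path(base_dir: str, user_value: str) -> Path:
    """Join the sanitized name onto base_dir and verify the result stays inside it."""
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so an existing link pointing elsewhere is caught too.
    candidate = (base / safe_filename(user_value)).resolve()
    if candidate.parent != base:
        raise ValueError(f"refusing path outside {base}")
    return candidate
```

Two different inputs can map to the same output name, so callers that must not overwrite existing files should open with exclusive-create mode (`open(path, "x")`) or store files under a generated name and keep the user-supplied one as metadata.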
In the middle of the desert I can say anything I want.