Deprecate confusing APIs like os.path.commonprefix()
The os.path.commonprefix() function has been an API in the Python standard library for at least 35 years (since February 1991) and in that time has been confusing users and creating security issues, even in programs explicitly trying to mitigate vulnerabilities. This was caused directly by the API's placement in the os.path module and further perpetuated by backwards compatibility.
This article shows the long history of confusion around this API, the security issues the confusion caused, and some recommendations on responding to user reports of confusing behavior in security-sensitive functions.
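As an added illustration (not code from the article), the sketch below puts a directory-containment check built on `commonprefix()` beside one built on `commonpath()`, showing how the character-by-character comparison accepts a sibling directory. The base directory, sample paths and function names are constructed for this example.

```python
import posixpath  # what os.path is on POSIX; keeps the constructed paths portable

BASE = "/srv/app/uploads"  # constructed base directory (assumption)


def contained_commonprefix(base, candidate):
    """Flawed check: commonprefix() compares strings character by character."""
    candidate = posixpath.normpath(candidate)
    return posixpath.commonprefix([base, candidate]) == base


def contained_commonpath(base, candidate):
    """Corrected check: commonpath() compares whole path components."""
    candidate = posixpath.normpath(candidate)
    try:
        return posixpath.commonpath([base, candidate]) == base
    except ValueError:
        # Raised when absolute and relative paths are mixed: treat as outside.
        return False


def compare(base, candidates):
    """Return (candidate, flawed_result, corrected_result) for each candidate."""
    return [
        (c, contained_commonprefix(base, c), contained_commonpath(base, c))
        for c in candidates
    ]


# Constructed sample inputs.
SAMPLES = [
    "/srv/app/uploads/report.pdf",       # inside the base directory
    "/srv/app/uploads-private/key.pem",  # sibling directory sharing a string prefix
    "/srv/app/uploads/../secrets.txt",   # normalizes to a path outside the base
    "uploads/report.pdf",                # relative path: cannot be compared to BASE
]

if __name__ == "__main__":
    for candidate, flawed, corrected in compare(BASE, SAMPLES):
        print(f"{candidate!r}: commonprefix={flawed} commonpath={corrected}")
```

Both checks are purely lexical; neither resolves symlinks.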
Read more: https://sethmlarson.dev/deprecate-confusing-apis-like-os-path-commonprefix