I Ran Refactron on Django's Codebase. Here's What It Found.

One of the best ways to understand what a code analysis tool actually does is to point it at a codebase you didn't write. No bias, no familiarity, no tendency to skip over the parts you know are messy.

Django is the obvious choice. 300,000+ lines of Python, maintained by hundreds of contributors over nearly two decades, used in production by millions of applications. If Refactron is useful on real-world Python code, it should have something to say about Django.

Here's what happened.

Setup

git clone https://github.com/django/django
cd django
pip install refactron
refactron analyze .

Analysis runs locally. No code leaves the machine. Took about 40 seconds on a standard MacBook Pro.

What it found

Django is a well-maintained, mature codebase — so the expectation going in was that the obvious stuff would already be handled. That held up. No hardcoded secrets, no SQL injection patterns, no clear security issues in the parts of the codebase that matter most.

What Refactron did surface was structural complexity — the kind that accumulates in any codebase that's been evolving for 18 years.

Complexity hotspots. Several functions across the ORM and template engine came back with high cyclomatic complexity scores. These aren't bugs. They're functions that have grown organically to handle a large number of edge cases, and they're hard to read as a result. Django's maintainers know about most of them — they're documented in comments. But seeing them flagged with specific line numbers and complexity scores makes the scope concrete.

Long parameter lists. A handful of view-related functions have accumulated parameters over multiple release cycles. Again, not broken — just increasingly difficult to call correctly without referring to the docs. The kind of thing that's fine when one person owns the code and becomes a maintenance burden as the team grows.

Dead code candidates. A small number of internal utilities that appear unreferenced within the codebase. Some of these are intentionally public API — tools or hooks that external projects depend on — which is exactly why Refactron surfaces them as candidates rather than applying automatic fixes. Context matters. The tool flags, you decide.

What it didn't do

It didn't try to rewrite Django's ORM. It didn't suggest architectural changes it couldn't verify. It didn't produce a hundred false positives because it misunderstood a pattern.

The autofix step — I ran it with --dry-run first, which shows proposed changes without applying them. The suggestions it was confident enough to propose were narrow: unused imports in a few utility modules, a small number of variable naming inconsistencies in non-public code.

refactron autofix . --verify --dry-run

For the complexity issues it found, it flagged them and stopped. Complex functions that are deeply intertwined with behavior across the codebase are exactly the category where automated fixes without full context are dangerous. Refactron knows this. It surfaces the information and leaves the decision to you.

The honest takeaway

Django is not the right target for aggressive automated refactoring and Refactron didn't pretend otherwise. A codebase this mature, this widely depended on, with this many external consumers needs careful human judgment on anything structural.

What the analysis is useful for is orientation. If you're a new contributor trying to understand where the complexity lives, or a team using Django's patterns as a reference for your own codebase, the output gives you a map. Here's where the complexity is concentrated. Here's what's worth reading carefully before you touch it.

For most teams Refactron is aimed at — companies with 2-5 year old Python codebases that have accumulated debt without Django's level of test coverage and contributor scrutiny — the tool has more to say and more it can safely do. But testing against Django was the right first move. If it handles a codebase this large and this well-known without producing noise, it'll handle yours.

Try it on your own codebase

pip install refactron
refactron analyze .

Read-only. Nothing changes. See what's there.

Next in this series: Flask and Requests — smaller codebases, different patterns, different findings.