[stable-only] Cap bandit and fix lowwer-constraints

bandit 1.6.3 [1] release has dropped support for py2 [2] but the release is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2 when using py2. With the new pip dependency resolver (introduced in pip 20.3) the lower-constraints job started to fail. Problem is here with the 'install_command' in tox.ini, which uses both the upper- and lower- constraints files, causing the job to fail. This patch adds separate install_command without the upper constraints, so that only the lower-constraints.txt is used. [1] https://github.com/PyCQA/bandit/releases/tag/1.6.3 [2] PyCQA/bandit#615 [3] PyCQA/bandit#663 [4] PyCQA/bandit#665 Change-Id: If8738f5005e60cf46ed93edbefa272bc2611b53f
openstack · Jan 15, 2021 · 8654415 · 8654415
1 parent 6307c84
commit 8654415
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/doc/requirements.txt b/doc/requirements.txt
@@ -1,7 +1,8 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
-sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD
+sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7'  # BSD
+sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4' # BSD
 sphinxcontrib-httpdomain>=1.3.0 # BSD
 sphinxcontrib-blockdiag>=1.5.4 # BSD
 reno>=2.5.0 # Apache-2.0

diff --git a/requirements.txt b/requirements.txt
@@ -44,7 +44,8 @@ oslo.i18n>=3.15.3 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
 oslo.policy>=1.30.0 # Apache-2.0
 Werkzeug>=0.9 # BSD License
-python-memcached>=1.56 # PSF
+python-memcached>=1.56;python_version=='2.7' # PSF
+python-memcached>=1.56;python_version>='3.4' # PSF
 tooz>=1.58.0 # Apache-2.0
 debtcollector>=1.2.0 # Apache-2.0
 os-win>=3.0.0 # Apache-2.0

diff --git a/test-requirements.txt b/test-requirements.txt
@@ -15,7 +15,8 @@ testscenarios>=0.4 # Apache-2.0/BSD
 WebTest>=2.0.27 # MIT
 tempest>=17.1.0 # Apache-2.0
 # Bandit security code scanner
-bandit>=1.1.0 # Apache-2.0
+bandit>=1.1.0,<1.6.3;python_version=='2.7' # Apache-2.0
+bandit>=1.1.0;python_version>='3.5' # Apache-2.0
 zake>=0.1.6 # Apache-2.0
 doc8>=0.6.0 # Apache-2.0
 Pygments>=2.2.0 # BSD license
diff --git a/tox.ini b/tox.ini
@@ -190,6 +190,7 @@ import_exceptions = designate.i18n
 
 [testenv:lower-constraints]
 basepython = python3
+install_command = pip install {opts} {packages}
 deps =
   -c{toxinidir}/lower-constraints.txt
   -r{toxinidir}/test-requirements.txt