Change in behavior in bandit 1.6.0

Stephen Finucane sfinucan at redhat.com
Fri May 10 09:42:02 UTC 2019


We've noticed a spate of recent test failures within the 'pep8' jobs in
oslo recently. It seems these are because of the release of bandit
1.6.0. The root cause is that the '-x' (exclude) option seems to have
changed behavior. Previously, to match a path like 'oslo_log/tests/*',
you could state '-x test'. This option now expects glob patterns,
such as '-x oslo_log/tests/*'. If you use bandit, you probably have to
update your 'tox.ini' accordingly. See [1] for an example.

It's worth noting that bandit is one of the few packages we don't
manage the version for [2], so if you're not already limiting yourself
to a version, perhaps it would be a good idea to do so to avoid stable
branches breaking periodically. Also, this is something that really
shouldn't have happened in a minor version (backwards incompatible
behavior change, yo) but it has so we'll live with it. I would ask
though that the bandit maintainers, whoever ye be, be more careful
about this kind of stuff in the future. Thanks :)

Stephen

[1] https://review.opendev.org/#/c/658249/
[2] https://github.com/openstack/requirements/blob/master/blacklist.txt
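The behaviour change described above, as an added illustration that is not bandit's own code: the pre-1.6.0 matcher is modelled as substring containment (inferred from the post, where '-x test' excluded 'oslo_log/tests/*') and the 1.6.0 matcher as fnmatch-style glob matching of the whole path (an assumption; the post only says "glob patterns"). The file list is constructed, and `newly_scanned` reports files an updated 'tox.ini' exclusion would start scanning, which is what a maintainer wants to check before and after editing the '-x' line.

```python
import fnmatch

# Constructed sample of paths bandit would walk in an oslo-style tree.
SAMPLE_FILES = [
    "oslo_log/log.py",
    "oslo_log/formatters.py",
    "oslo_log/tests/__init__.py",
    "oslo_log/tests/unit/test_log.py",
    # Not under tests/, but its name contains "test": substring matching
    # silently excluded files like this one from the scan.
    "oslo_log/contrib/test_helpers.py",
]


def excluded_substring(path, patterns):
    """Pre-1.6.0 style (inferred from the post): any pattern contained in the path excludes it."""
    return any(p in path for p in patterns)


def excluded_glob(path, patterns):
    """1.6.0 style (assumed fnmatch semantics): a pattern must glob-match the whole path.

    fnmatch's '*' also matches '/', so 'oslo_log/tests/*' covers nested test dirs."""
    return any(fnmatch.fnmatch(path, p) for p in patterns)


def scanned_files(files, patterns, matcher):
    """Files that survive the exclusion filter, i.e. the ones bandit would actually scan."""
    return [f for f in files if not matcher(f, patterns)]


def newly_scanned(files, old_patterns, new_patterns):
    """Paths excluded by the old substring '-x' list but scanned under the new glob list.

    An empty result means the 'tox.ini' update preserved the old exclusion set;
    a non-empty one lists files that will now be scanned (and may newly fail the job)."""
    old_excluded = set(files) - set(scanned_files(files, old_patterns, excluded_substring))
    new_scanned = set(scanned_files(files, new_patterns, excluded_glob))
    return sorted(old_excluded & new_scanned)


if __name__ == "__main__":
    # Unchanged '-x test' under glob semantics matches nothing: every test file is scanned.
    print("glob, old pattern:", scanned_files(SAMPLE_FILES, ["test"], excluded_glob))
    # The updated pattern restores the tests/ exclusion, but one "test"-named
    # helper outside tests/ is now scanned as well.
    print("newly scanned:", newly_scanned(SAMPLE_FILES, ["test"], ["oslo_log/tests/*"]))
```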
