Open Stack

On 2020-12-09 13:59:04 +0000 (+0000), Lee Yarwood wrote:
> Hello all,
> 
> $subject [1][2] is breaking various <= stable/train jobs where we
> attempt to pull bandit in while still using py2. This has been reported
> upstream and it looks like the 1.6.3 release may end up being yanked.
> 
> If it isn't I've proposed the following requirements change to try to
> cap bandit to the 1.6.2 release, assuming this is safe to do on stable:
> 
> Cap bandit at 1.6.2 when using py2
> https://review.opendev.org/c/openstack/requirements/+/766170
[...]

It's typically recommended to pin static analysis tools strictly
less than the next major release in (test-)requirements lists of
individual projects. Part of why it's blacklisted in the global
requirements repository is so that the central upper-constraints.txt
won't override project level decisions on what versions of these
tools to run. Granted, it would also have made more sense if bandit
uprevved to 2.0.0 when dropping Python 2.x support, so that
in-project requirements in the form bandit<2 could have prevented
the impact. But all that's to say, pinning bandit in stable branches
of individual projects using it would be the more expected fix here.
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20201209/54dd2d0f/attachment.sig>