[all][stable] bandit 1.6.3 drops py2 support

Lee Yarwood lyarwood at redhat.com
Wed Dec 9 15:41:33 UTC 2020

On 09-12-20 14:40:06, Jeremy Stanley wrote:
> On 2020-12-09 13:59:04 +0000 (+0000), Lee Yarwood wrote:
> > Hello all,
> > 
> > $subject [1][2] is breaking various <= stable/train jobs where we
> > attempt to pull bandit in while still using py2. This has been reported
> > upstream and it looks like the 1.6.3 release may end up being yanked.
> > 
> > If it isn't I've proposed the following requirements change to try to
> > cap bandit to the 1.6.2 release, assuming this is safe to do on stable:
> > 
> > Cap bandit at 1.6.2 when using py2
> > https://review.opendev.org/c/openstack/requirements/+/766170
> [...]
> It's typically recommended to pin static analysis tools strictly
> less than the next major release in (test-)requirements lists of
> individual projects. Part of why it's blacklisted in the global
> requirements repository is so that the central upper-constraints.txt
> won't override project level decisions on what versions of these
> tools to run. Granted, it would also have made more sense if bandit
> uprevved to 2.0.0 when dropping Python 2.x support, so that
> in-project requirements in the form bandit<2 could have prevented
> the impact. But all that's to say, pinning bandit in stable branches
> of individual projects using it would be the more expected fix here.

ACK thanks Jeremy, I had started that below before going back to an
earlier attempt with requirements. I'll reopen these now and test things
in the Nova change.



Lee Yarwood                 A5D1 9385 88CB 7E5F BE64  6618 BCA6 6E33 F672 2D76
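An added example, not code from this thread or from the linked requirements review, that checks test-requirements lines for the cap shape discussed above (an upper bound on a static-analysis tool, optionally scoped to py2 by a marker); it evaluates only `python_version` markers and the requirement lines are constructed.

```python
import re

# Constructed sample test-requirements.txt contents (not the content of review 766170).
BEFORE = "bandit>=1.1.0\n"  # no upper bound: on py2 pip resolves to the py3-only 1.6.3
AFTER = (
    "bandit>=1.1.0,<=1.6.2;python_version<'3'\n"  # cap only where py2 is in use
    "bandit>=1.1.0,<2;python_version>='3'\n"      # strictly below the next major on py3
)

_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*([^;]*)(?:;(.*))?$")
_SPEC_RE = re.compile(r"(<=|>=|==|!=|<|>)\s*([0-9.]+)")
_MARKER_RE = re.compile(r"python_version\s*(<=|>=|==|!=|<|>)\s*['\"]([0-9.]+)['\"]")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def _vtuple(version):
    return tuple(int(part) for part in version.strip().split("."))

def parse_requirement(line):
    """Return (name, [(op, version), ...], marker) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    match = _REQ_RE.match(line)
    if match is None:
        raise ValueError("cannot parse requirement line: %r" % line)
    name, specs, marker = match.groups()
    return name.lower(), _SPEC_RE.findall(specs), (marker or "").strip()

def marker_applies(marker, py_version):
    """Evaluate a python_version marker (the only marker form handled here) for an interpreter."""
    if not marker:
        return True
    match = _MARKER_RE.fullmatch(marker)
    if match is None:
        raise ValueError("unsupported marker: %r" % marker)
    op, version = match.groups()
    return _OPS[op](_vtuple(py_version), _vtuple(version))

def check_tool_caps(requirements_text, py_version, tools=("bandit",)):
    """Map each listed tool to True if some line applying to py_version gives it an upper bound."""
    capped = {}
    for line in requirements_text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, specs, marker = parsed
        if name not in tools or not marker_applies(marker, py_version):
            continue
        has_cap = any(op in ("<", "<=", "==") for op, _ in specs)
        capped[name] = capped.get(name, False) or has_cap
    return capped
```

Running it against a stable branch's test-requirements.txt with `py_version="2.7"` reports the tools that would still float to a py3-only release.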