author    Julian Berman <Julian@GrayVines.com>  2021-05-05 08:40:28 -0400
committer Julian Berman <Julian@GrayVines.com>  2021-05-05 08:40:28 -0400
commit    0ea12edea319580473bda7e26ef088ff3a0983c5 (patch)
tree      c0e0ccb8e6d796706d9f07af0c46fb4e3a9c5ecb
parent    d9f63840609176f0b7328f2088c3b2a4016526cd (diff)
download  jsonschema-0ea12edea319580473bda7e26ef088ff3a0983c5.tar.gz
Evade the pip safety warning.
Regardless of the version of pip on the host Python, the embedded pip version (for the current versions of CPython) is vulnerable, so safety was complaining about the resulting virtual environments created by tox. See e.g. https://github.com/Julian/jsonschema/runs/2504226692?check_suite_focus=true

This fix seems like the simplest, albeit still seems very fragile.

tox does have a `download` config option, documented here: https://tox.readthedocs.io/en/latest/config.html#conf-download but it doesn't seem to have any effect, possibly because we use `skipsdist`.
-rw-r--r--  tox.ini | 2
1 file changed, 2 insertions, 0 deletions
diff --git a/tox.ini b/tox.ini
index fcd7f94..d5766b3 100644
--- a/tox.ini
+++ b/tox.ini
@@ -21,6 +21,7 @@ setenv =
whitelist_externals =
mkdir
commands =
+ {envpython} -m pip install 'pip>=21.1.1' # Evade CVE-2021-28363
noextra: {envpython} -m pip install {toxinidir}
format,perf: {envpython} -m pip install '{toxinidir}[format]'
format_nongpl: {envpython} -m pip install '{toxinidir}[format_nongpl]'
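Review bot: the `'pip>=21.1.1'` floor added at the top of `[testenv] commands` is duplicated verbatim in `[testenv:safety]` further down; pull it into a single substitution (for example a key in `[testenv]` referenced as `{[testenv]<key>}` from both `commands` blocks) so the two copies cannot drift the next time the floor has to be raised. The inline `# Evade CVE-2021-28363` comment says what is being avoided but not why the `download` option was not used; the commit message explains that, but the next person reading `tox.ini` will only see this line, so a one-line comment pointing at `skipsdist` as the suspected cause would make the workaround self-documenting. Also note that this `pip install` now runs in every environment, including `noextra`, so each env creation gains a network round trip to the index even when nothing else is fetched.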
@@ -65,6 +66,7 @@ commands =
[testenv:safety]
deps = safety
commands =
+ {envpython} -m pip install 'pip>=21.1.1' # Evade CVE-2021-28363
{envpython} -m pip install '{toxinidir}[format]'
{envpython} -m safety check
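Review bot: in `[testenv:safety]` the ordering of the three lines is load-bearing and deserves a comment: the pip upgrade must stay ahead of the `'{toxinidir}[format]'` install and of `safety check`, otherwise safety will still see the bundled pip and the job fails again. Two caveats worth recording next to the line: `deps = safety` is installed by tox before `commands` run, so that install is still performed by the un-upgraded pip (the upgrade only protects the later steps and the scan result), and `safety check` without `--full-report` or any ignore list means a future advisory against pip itself will fail this env until the floor here is bumped, which is the fragility the commit message already calls out.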