From 0ea12edea319580473bda7e26ef088ff3a0983c5 Mon Sep 17 00:00:00 2001 From: Julian Berman Date: Wed, 5 May 2021 08:40:28 -0400 Subject: Evade the pip safety warning. Regardless of the version of pip on the host Python, the embedded pip version (for the current versions of CPython) is vulnerable, so safety was complaining about the resulting virtual environments created by tox. See e.g. https://github.com/Julian/jsonschema/runs/2504226692?check_suite_focus=true This fix seems like the simplest, albeit still seems very fragile. tox does have a `download` config option, documented here: https://tox.readthedocs.io/en/latest/config.html#conf-download but it doesn't seem to have any effect, possibly because we use `skipsdist`. --- tox.ini | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tox.ini b/tox.ini index fcd7f94..d5766b3 100644 --- a/tox.ini +++ b/tox.ini @@ -21,6 +21,7 @@ setenv = whitelist_externals = mkdir commands = + {envpython} -m pip install 'pip>=21.1.1' # Evade CVE-2021-28363 noextra: {envpython} -m pip install {toxinidir} format,perf: {envpython} -m pip install '{toxinidir}[format]' format_nongpl: {envpython} -m pip install '{toxinidir}[format_nongpl]' @@ -65,6 +66,7 @@ commands = [testenv:safety] deps = safety commands = + {envpython} -m pip install 'pip>=21.1.1' # Evade CVE-2021-28363 {envpython} -m pip install '{toxinidir}[format]' {envpython} -m safety check
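Review bot: In the first hunk (`@@ -21,6 +21,7 @@`, the base `[testenv]` commands), confirm that tox strips the trailing `# Evade CVE-2021-28363` from the `commands` line before invoking pip; if the comment text were passed through, pip would receive `#`, `Evade` and `CVE-2021-28363` as extra requirement arguments and the install would fail. Moving the comment onto its own line directly above `{envpython} -m pip install 'pip>=21.1.1'` removes the question entirely. Two further points: the `{envpython} -m pip` form is the right one here, since a pip self-upgrade must run via `-m` to work on Windows; and because this line runs before the `noextra:`/`format,perf:`/`format_nongpl:` project installs, every environment gets the patched pip before it resolves the project's dependencies, which is the ordering the CVE mitigation needs. Since the `download` setting mentioned in the commit message is applied by virtualenv only when the environment is created, an already-cached `.tox` environment would not pick it up without recreating it (`tox -r`); that may be worth ruling out before accepting the per-command upgrade as the permanent fix.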
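Review bot: In the second hunk (`@@ -65,6 +66,7 @@`, `[testenv:safety]`), the upgrade line is a verbatim copy of the one added to `[testenv]`, which is unavoidable because overriding `commands` in a section replaces the inherited list rather than extending it; the risk is that the two copies drift (one floor bumped for a future pip advisory, the other forgotten). Defining the command once, e.g. `pin_pip = {envpython} -m pip install 'pip>=21.1.1'` under `[testenv]`, and referencing it as `{[testenv]pin_pip}` in both `commands` lists keeps a single source of truth; tox supports `{[section]key}` substitution for exactly this. The placement is otherwise correct for this environment: `safety` is installed via `deps` before `commands` run, the `pip>=21.1.1` install happens before `{envpython} -m safety check`, so the check audits the upgraded pip rather than the one virtualenv seeded, and `>=` rather than `==` lets later fixed releases satisfy the requirement without another edit.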