safety in tox: scan requirements for known bad packages

requirements/requirements-dev.in

@@ -17,6 +17,7 @@ flake8-fixme
 flake8-isort
 flake8-logging-format
 flake8-mutable
+safety                      # check requirements file for issues
 
 # maintenance utilities and tox
 pip-tools                   # pip-compile

requirements/requirements-dev.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile
+# This file is autogenerated by pip-compile with python 3.8
 # To update, run:
 #
 #    pip-compile --output-file=requirements/requirements-dev.txt requirements/requirements-dev.in
@@ -12,20 +12,36 @@ bandit==1.6.2
     # via -r requirements/requirements-dev.in
 bleach==3.3.0
     # via mdx-linkify
+certifi==2021.5.30
+    # via requests
+chardet==4.0.0
+    # via requests
 click==7.1.2
     # via
     #   flask
     #   pip-tools
+    #   safety
 coverage==5.5
     # via pytest-cov
 distlib==0.3.2
     # via virtualenv
 dlint==0.11.0
     # via -r requirements/requirements-dev.in
+dparse==0.5.1
+    # via safety
 filelock==3.0.12
     # via
     #   tox
     #   virtualenv
+flake8==3.9.2
+    # via
+    #   -r requirements/requirements-dev.in
+    #   dlint
+    #   flake8-builtins
+    #   flake8-docstrings
+    #   flake8-executable
+    #   flake8-isort
+    #   flake8-mutable
 flake8-blind-except==0.2.0
     # via -r requirements/requirements-dev.in
 flake8-builtins==1.5.3
@@ -42,21 +58,14 @@ flake8-logging-format==0.6.0
     # via -r requirements/requirements-dev.in
 flake8-mutable==1.2.0
     # via -r requirements/requirements-dev.in
-flake8==3.9.2
-    # via
-    #   -r requirements/requirements-dev.in
-    #   dlint
-    #   flake8-builtins
-    #   flake8-docstrings
-    #   flake8-executable
-    #   flake8-isort
-    #   flake8-mutable
 flask==1.1.2
     # via -r requirements/requirements.in
 gitdb==4.0.7
     # via gitpython
 gitpython==3.1.18
     # via bandit
+idna==2.10
+    # via requests
 iniconfig==1.1.1
     # via pytest
 isort==5.9.1
@@ -78,7 +87,9 @@ mdx-linkify==2.1
 packaging==20.9
     # via
     #   bleach
+    #   dparse
     #   pytest
+    #   safety
     #   tox
 pbr==5.6.0
     # via stevedore
@@ -106,16 +117,22 @@ pyparsing==2.4.7
     # via
     #   packaging
     #   pydot
-pytest-cov==2.12.1
-    # via -r requirements/requirements-dev.in
 pytest==6.2.4
     # via
     #   -r requirements/requirements-dev.in
     #   pytest-cov
+pytest-cov==2.12.1
+    # via -r requirements/requirements-dev.in
 pytz==2021.1
     # via tzlocal
 pyyaml==5.4.1
-    # via bandit
+    # via
+    #   bandit
+    #   dparse
+requests==2.25.1
+    # via safety
+safety==1.10.3
+    # via -r requirements/requirements-dev.in
 six==1.15.0
     # via
     #   bandit
@@ -132,18 +149,21 @@ testfixtures==6.17.1
     # via flake8-isort
 toml==0.10.2
     # via
+    #   dparse
     #   pep517
     #   pytest
     #   pytest-cov
     #   tox
-tox-wheel==0.6.0
-    # via -r requirements/requirements-dev.in
 tox==3.23.1
     # via
     #   -r requirements/requirements-dev.in
     #   tox-wheel
+tox-wheel==0.6.0
+    # via -r requirements/requirements-dev.in
 tzlocal==2.1
     # via -r requirements/requirements.in
+urllib3==1.26.5
+    # via requests
 versioneer==0.19
     # via -r requirements/requirements-dev.in
 virtualenv==20.4.7

tox.ini

@@ -58,6 +58,7 @@ commands =
 # again it seems the most valuable here to run against the packaged code
 commands =
     bandit {envsitepackagesdir}/incorporealcms/ -r
+    safety check -r requirements/requirements-dev.txt
 
 [testenv:lint]
 # run style checks