unpin tox in requirements

for some reason bandit wasn't earlier catching the SubElement usage but now it is, but it's harmless anyway so we'll just suppress it. Signed-off-by: Brian S. Stephan <bss@incorporeal.org>
2023-12-30 11:07:47 -06:00 · 2023-12-30 11:07:47 -06:00 · 713632fe7a
parent bf646db1e8
commit 713632fe7a
4 changed files with 16 additions and 11 deletions
--- a/incorporealcms/mdx/figures.py
+++ b/incorporealcms/mdx/figures.py
@ -4,7 +4,7 @@ SPDX-FileCopyrightText: © 2022 Brian S. Stephan <bss@incorporeal.org>
 SPDX-License-Identifier: AGPL-3.0-or-later
 """
 import re
-from xml.etree.ElementTree import SubElement
+from xml.etree.ElementTree import SubElement  # nosec B405 - not parsing untrusted XML here

 import markdown

--- a/pyproject.toml
+++ b/pyproject.toml
@ -27,12 +27,11 @@ classifiers = [
 "Bug Tracker" = "https://git.incorporeal.org/bss/incorporeal-cms/issues"


-# tox pinned to <4 to not conflict with safety
 [project.optional-dependencies]
 dev = ["bandit", "dlint", "flake8", "flake8-blind-except", "flake8-builtins", "flake8-docstrings",
       "flake8-executable", "flake8-fixme", "flake8-isort", "flake8-logging-format", "flake8-mutable",
       "flake8-pyproject", "mypy", "pip-tools", "pydot", "pytest", "pytest-cov", "safety",
-       "setuptools-scm", "tox<4"]
+       "setuptools-scm", "tox"]
 dot = ["pydot"]

 [tool.flake8]
--- a/requirements/requirements-dev.txt
+++ b/requirements/requirements-dev.txt
@ -10,8 +10,12 @@ blinker==1.7.0
    # via flask
 build==1.0.3
    # via pip-tools
+cachetools==5.3.2
+    # via tox
 certifi==2023.11.17
    # via requests
+chardet==5.2.0
+    # via tox
 charset-normalizer==3.3.2
    # via requests
 click==8.1.7
@ -19,6 +23,8 @@ click==8.1.7
    #   flask
    #   pip-tools
    #   safety
+colorama==0.4.6
+    # via tox
 coverage[toml]==7.4.0
    # via
    #   coverage
@ -97,6 +103,7 @@ packaging==21.3
    # via
    #   build
    #   dparse
+    #   pyproject-api
    #   pytest
    #   safety
    #   setuptools-scm
@ -106,13 +113,13 @@ pbr==6.0.0
 pip-tools==7.3.0
    # via incorporeal-cms (pyproject.toml)
 platformdirs==4.1.0
-    # via virtualenv
+    # via
+    #   tox
+    #   virtualenv
 pluggy==1.3.0
    # via
    #   pytest
    #   tox
-py==1.11.0
-    # via tox
 pycodestyle==2.11.1
    # via flake8
 pydocstyle==6.3.0
@ -127,6 +134,8 @@ pyparsing==3.1.1
    # via
    #   packaging
    #   pydot
+pyproject-api==1.5.0
+    # via tox
 pyproject-hooks==1.0.0
    # via build
 pytest==7.4.3
@ -149,15 +158,13 @@ safety==2.3.5
    # via incorporeal-cms (pyproject.toml)
 setuptools-scm==8.0.4
    # via incorporeal-cms (pyproject.toml)
-six==1.16.0
-    # via tox
 smmap==5.0.1
    # via gitdb
 snowballstemmer==2.2.0
    # via pydocstyle
 stevedore==5.1.0
    # via bandit
-tox==3.28.0
+tox==4.0.0
    # via incorporeal-cms (pyproject.toml)
 typing-extensions==4.9.0
    # via
--- a/tox.ini
+++ b/tox.ini
@ -51,10 +51,9 @@ commands =
 # run security checks
 #
 # again it seems the most valuable here to run against the packaged code
-# 51457 is nearly a red herring that I'm stuck with because tox is pinned, try removing occasionally
 commands =
    bandit {envsitepackagesdir}/incorporealcms/ -r
-    safety check -r requirements/requirements-dev.txt -i 51457
+    safety check -r requirements/requirements-dev.txt

 [testenv:lint]
 # run style checks