From 713632fe7adf1e04e08754f55ae99a10ecccfb37 Mon Sep 17 00:00:00 2001 From: "Brian S. Stephan" Date: Sat, 30 Dec 2023 11:07:47 -0600 Subject: [PATCH] unpin tox in requirements for some reason bandit wasn't earlier catching the SubElement usage but now it is, but it's harmless anyway so we'll just suppress it. Signed-off-by: Brian S. Stephan --- incorporealcms/mdx/figures.py | 2 +- pyproject.toml | 3 +-- requirements/requirements-dev.txt | 19 +++++++++++++------ tox.ini | 3 +-- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/incorporealcms/mdx/figures.py b/incorporealcms/mdx/figures.py index 7817234..f777d08 100644 --- a/incorporealcms/mdx/figures.py +++ b/incorporealcms/mdx/figures.py @@ -4,7 +4,7 @@ SPDX-FileCopyrightText: © 2022 Brian S. Stephan SPDX-License-Identifier: AGPL-3.0-or-later """ import re -from xml.etree.ElementTree import SubElement +from xml.etree.ElementTree import SubElement # nosec B405 - not parsing untrusted XML here import markdown diff --git a/pyproject.toml b/pyproject.toml index 4e194d4..9deaf29 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -27,12 +27,11 @@ classifiers = [ "Bug Tracker" = "https://git.incorporeal.org/bss/incorporeal-cms/issues" -# tox pinned to <4 to not conflict with safety [project.optional-dependencies] dev = ["bandit", "dlint", "flake8", "flake8-blind-except", "flake8-builtins", "flake8-docstrings", "flake8-executable", "flake8-fixme", "flake8-isort", "flake8-logging-format", "flake8-mutable", "flake8-pyproject", "mypy", "pip-tools", "pydot", "pytest", "pytest-cov", "safety", - "setuptools-scm", "tox<4"] + "setuptools-scm", "tox"] dot = ["pydot"] [tool.flake8] diff --git a/requirements/requirements-dev.txt b/requirements/requirements-dev.txt index 01d23b7..3357f16 100644 --- a/requirements/requirements-dev.txt +++ b/requirements/requirements-dev.txt 
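Review bot: The `# nosec B405` on the SubElement import in figures.py is justified, but the justification text explains what is absent rather than why the import is safe; B405 fires on any import from xml.etree.ElementTree, and SubElement only builds tree nodes, so no input is parsed through this name. Since the suppression is per-line and the import is name-specific, a later parsing entry point would need its own import or call, which bandit should flag separately (B314 covers the ElementTree parse calls), so the scope of what is being silenced stays small as long as the import is not widened to a module alias. Suggest wording the comment so the next auditor sees the reasoning directly: `from xml.etree.ElementTree import SubElement  # nosec B405 - SubElement only builds output elements; nothing is parsed through this import`. The code that calls SubElement is outside the hunk, so whether figures.py parses markup elsewhere cannot be confirmed from here.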
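Review bot: Removing `tox<4` in pyproject.toml resolves to `tox==4.0.0` in requirements-dev.txt, the very first 4.x release rather than a current one, while `packaging==21.3` and `safety==2.3.5` remain in the lock; that pattern suggests the safety-vs-tox conflict the deleted comment described has not gone away but is now settled at an old tox instead of an explicit pin. If so, the constraint has become silent: nothing in pyproject.toml tells a reader why tox is stuck at 4.0.0, and a routine lock refresh will not move it. Suggest replacing the removed comment with one that records the current state, e.g. `# tox currently resolves to 4.0.0 under the safety/packaging constraints in the lock; revisit when safety is upgraded`, and confirming that 4.0.0 is the newest tox the lock can actually take rather than an accident of resolution order. The `dev` list is entirely within the hunk.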
@@ -10,8 +10,12 @@ blinker==1.7.0
     # via flask
 build==1.0.3
     # via pip-tools
+cachetools==5.3.2
+    # via tox
 certifi==2023.11.17
     # via requests
+chardet==5.2.0
+    # via tox
 charset-normalizer==3.3.2
     # via requests
 click==8.1.7
@@ -19,6 +23,8 @@ click==8.1.7
     #   flask
     #   pip-tools
     #   safety
+colorama==0.4.6
+    # via tox
 coverage[toml]==7.4.0
     # via
     #   coverage
@@ -97,6 +103,7 @@ packaging==21.3
     # via
     #   build
     #   dparse
+    #   pyproject-api
     #   pytest
     #   safety
     #   setuptools-scm
@@ -106,13 +113,13 @@ pbr==6.0.0
 pip-tools==7.3.0
     # via incorporeal-cms (pyproject.toml)
 platformdirs==4.1.0
-    # via virtualenv
+    # via
+    #   tox
+    #   virtualenv
 pluggy==1.3.0
     # via
     #   pytest
     #   tox
-py==1.11.0
-    # via tox
 pycodestyle==2.11.1
     # via flake8
 pydocstyle==6.3.0
@@ -127,6 +134,8 @@ pyparsing==3.1.1
     # via
     #   packaging
     #   pydot
+pyproject-api==1.5.0
+    # via tox
 pyproject-hooks==1.0.0
     # via build
 pytest==7.4.3
@@ -149,15 +158,13 @@ safety==2.3.5
     # via incorporeal-cms (pyproject.toml)
 setuptools-scm==8.0.4
     # via incorporeal-cms (pyproject.toml)
-six==1.16.0
-    # via tox
 smmap==5.0.1
     # via gitdb
 snowballstemmer==2.2.0
     # via pydocstyle
 stevedore==5.1.0
     # via bandit
-tox==3.28.0
+tox==4.0.0
     # via incorporeal-cms (pyproject.toml)
 typing-extensions==4.9.0
     # via
diff --git a/tox.ini b/tox.ini
index eb4ee30..488325c 100644
--- a/tox.ini
+++ b/tox.ini
@@ -51,10 +51,9 @@ commands =
 # run security checks
 #
 # again it seems the most valuable here to run against the packaged code
-# 51457 is nearly a red herring that I'm stuck with because tox is pinned, try removing occasionally
 commands =
     bandit {envsitepackagesdir}/incorporealcms/ -r
-    safety check -r requirements/requirements-dev.txt -i 51457
+    safety check -r requirements/requirements-dev.txt
 
 [testenv:lint]
 # run style checks
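Review bot: The `-i 51457` ignore on the safety line in tox.ini is dropped together with the comment that explained it, so the file no longer records why the exclusion existed or what made it safe to remove; the requirements hunk in this same commit shows `py==1.11.0` leaving the lock with the move to tox 4, which is presumably what retired the advisory, but a future reader of tox.ini alone will not see that link. A one-line note in place of the deleted one keeps the rationale and sets the bar for the next exclusion, e.g. `# no safety ignores currently; any -i added here must name the package, the advisory id, and why it does not apply to this project`. The `[testenv:...]` header that owns this `commands =` block is above the hunk.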