
Commit 0ea12ed

Evade the pip safety warning.
Regardless of the version of pip on the host Python, the embedded pip version (for the current versions of CPython) is vulnerable, so safety was complaining about the resulting virtual environments created by tox. See e.g. https://github.com/Julian/jsonschema/runs/2504226692?check_suite_focus=true This fix seems like the simplest, albeit it still seems very fragile. tox does have a `download` config option, documented here: https://tox.readthedocs.io/en/latest/config.html#conf-download but it doesn't seem to have any effect, possibly because we use `skipsdist`.
1 parent d9f6384 commit 0ea12ed

File tree

1 file changed

+2
-0
lines changed


tox.ini

Lines changed: 2 additions & 0 deletions
@@ -21,6 +21,7 @@ setenv =
2121
whitelist_externals =
2222
mkdir
2323
commands =
24+
{envpython} -m pip install 'pip>=21.1.1' # Evade CVE-2021-28363
2425
noextra: {envpython} -m pip install {toxinidir}
2526
format,perf: {envpython} -m pip install '{toxinidir}[format]'
2627
format_nongpl: {envpython} -m pip install '{toxinidir}[format_nongpl]'
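Review bot: the added `{envpython} -m pip install 'pip>=21.1.1'` at the top of `commands =` runs on every invocation of every testenv, after the environment (and its `deps`) has already been created with the vulnerable embedded pip, so it upgrades pip late and only for the test run itself; if the intent is to make the env's pip safe before anything else is installed, put the upgrade in a single `commands_pre =` under `[testenv]` (or, as the commit message notes, the `download` option once it can be made to work) rather than repeating it inline ahead of the `noextra:` / `format,perf:` / `format_nongpl:` installs. Also, `>=21.1.1` is a floor, not a pin, so the pip that ends up in the env will drift with whatever the index serves; and the trailing comment `# Evade CVE-2021-28363` would read more accurately as "fix"/"upgrade past", since the line remediates the env's pip rather than evading the check.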
@@ -65,6 +66,7 @@ commands =
6566
[testenv:safety]
6667
deps = safety
6768
commands =
69+
{envpython} -m pip install 'pip>=21.1.1' # Evade CVE-2021-28363
6870
{envpython} -m pip install '{toxinidir}[format]'
6971
{envpython} -m safety check
7072
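Review bot: this is the same `{envpython} -m pip install 'pip>=21.1.1'  # Evade CVE-2021-28363` line as in the first hunk, duplicated verbatim into `[testenv:safety]`, so the next bump of the minimum pip version has to be made in two places; a `commands_pre =` defined once on the base `[testenv]` would be inherited here and keep them in sync. Note too that `deps = safety` is installed when tox creates the env, before `commands` runs, so `safety` itself is still fetched with the old embedded pip; the upgrade only precedes the `'{toxinidir}[format]'` install and the `safety check`, which is enough to make the check pass (safety inspects what is installed at the time it runs) but is worth stating in the comment so the ordering is not later "tidied" below the install.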
