Evade the pip safety warning.

Julian · Julian · commit 0ea12edea319 · 2021-05-05T08:40:28.000-04:00
Regardless of the version of pip on the host Python, the embedded pip version (for the current versions of CPython) is vulnerable, so safety was complaining about the resulting virtual environmnets created by tox. See e.g. https://github.com/Julian/jsonschema/runs/2504226692?check_suite_focus=true This fix seems like the simplest, albeit still seems very fragile. tox does have a `download` config option, documented here: https://tox.readthedocs.io/en/latest/config.html#conf-download but it doesn't seem to have any effect, possibly because we use `skipsdist`.
diff --git a/tox.ini b/tox.ini
@@ -21,6 +21,7 @@ setenv =
 whitelist_externals =
     mkdir
 commands =
+    {envpython} -m pip install 'pip>=21.1.1'  # Evade CVE-2021-28363
     noextra: {envpython} -m pip install {toxinidir}
     format,perf: {envpython} -m pip install '{toxinidir}[format]'
     format_nongpl: {envpython} -m pip install '{toxinidir}[format_nongpl]'
@@ -65,6 +66,7 @@ commands =
 [testenv:safety]
 deps = safety
 commands =
+    {envpython} -m pip install 'pip>=21.1.1'  # Evade CVE-2021-28363
     {envpython} -m pip install '{toxinidir}[format]'
     {envpython} -m safety check
 
