From 19e3738ccf3a5b639fa706bd0fe493473d52f3d7 Mon Sep 17 00:00:00 2001 From: Feanil Patel Date: Wed, 12 Jul 2023 14:02:00 -0400 Subject: [PATCH] build: Remove tox constraint. The `tox` package is already 6 minor revisions ahead at 4.6.4. If there are still plugins that don't support 4.x.x, then they are likely stagnant and need to be removed or updated ourselves. However, as long as we keep this constraint here, we can't easily find and fix those issues. In many of the cases, this constraint was added due to the incompatibility of tox-battery with tox 4.x.x. However, tox-battery has updated its `install_requires` to be explicit of this dependency. https://github.com/signalpillar/tox-battery/blob/master/setup.py#L20 Another issue we're running into is that some of the dependencies of tox are starting to publish security vulnerabilities. It's lower risk since this is in dev and CI but leaving this as is will increase security noise making it harder to respond to real signals. Specifically, tox<4.0.0 depends on a version of `py` which has a security vulnerability. Dependabot is picking this up and making some noise in a lot of our repos. --- edx_lint/files/common_constraints.txt | 4 ---- 1 file changed, 4 deletions(-) diff --git a/edx_lint/files/common_constraints.txt b/edx_lint/files/common_constraints.txt index afe6aa8..15aafb2 100644 --- a/edx_lint/files/common_constraints.txt +++ b/edx_lint/files/common_constraints.txt @@ -21,7 +21,3 @@ elasticsearch<7.14.0 # django-simple-history>3.0.0 adds indexing and causes a lot of migrations to be affected django-simple-history==3.0.0 - -# tox>4.0.0 isn't yet compatible with many tox plugins, causing CI failures in almost all repos. -# Details can be found in this discussion: https://github.com/tox-dev/tox/discussions/1810 -tox<4.0.0
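Review bot: at the tail of edx_lint/files/common_constraints.txt, nothing replaces the dropped `tox<4.0.0` pin, so repos that consume this shared file will resolve tox 4.x on their next requirements upgrade, and the plugin breakage described in the removed comment (tox discussion 1810) will surface in each repo's CI instead of here. That matches the stated intent, but the commit message should say what a repo is expected to do when a plugin still fails on 4.x (drop the plugin, update it, or add a temporary local constraint with an owner), so the pin is not quietly reintroduced per repo. The message also refers to a vulnerability in `py` without naming the advisory; adding the identifier Dependabot reports would let maintainers confirm that their alerts close once tox 4.x is picked up.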