)]}'
{"test-requirements.txt":[{"author":{"_account_id":2472,"name":"Doug Hellmann","email":"dhellmann@redhat.com","username":"doug-hellmann"},"change_message_id":"269344a24c23bb4b33c487eaef52060f92967aa3","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# The order of packages is significant, because pip processes them in the order"},{"line_number":2,"context_line":"# of appearance. Changing the order has an impact on the overall integration"},{"line_number":3,"context_line":"# process, which may cause wedges in the gate later."},{"line_number":4,"context_line":"bandit\u003e\u003d1.1.0,!\u003d1.6.0 # Apache-2.0"},{"line_number":5,"context_line":"coverage!\u003d4.4,\u003e\u003d4.0 # Apache-2.0"},{"line_number":6,"context_line":"doc8\u003e\u003d0.6.0 # Apache-2.0"},{"line_number":7,"context_line":"flake8-import-order\u003e\u003d0.13 # LGPLv3"}],"source_content_type":"text/plain","patch_set":2,"id":"9fb8cfa7_b65b8d2c","line":4,"updated":"2019-06-04 12:54:57.000000000","message":"I recommend capping the version being used. We recently had an issue with a backwards-incompatible change, and because bandit is considered a \"linter\" it is not constrained by upper-constraints.txt.","commit_id":"825be55bf420a9dd34998c60ceef426f324a8d4a"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"da043e7c9badabba97b2716d83f9bc510511ed9a","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# The order of packages is significant, because pip processes them in the order"},{"line_number":2,"context_line":"# of appearance. 
Changing the order has an impact on the overall integration"},{"line_number":3,"context_line":"# process, which may cause wedges in the gate later."},{"line_number":4,"context_line":"bandit\u003e\u003d1.1.0,!\u003d1.6.0 # Apache-2.0"},{"line_number":5,"context_line":"coverage!\u003d4.4,\u003e\u003d4.0 # Apache-2.0"},{"line_number":6,"context_line":"doc8\u003e\u003d0.6.0 # Apache-2.0"},{"line_number":7,"context_line":"flake8-import-order\u003e\u003d0.13 # LGPLv3"}],"source_content_type":"text/plain","patch_set":2,"id":"9fb8cfa7_3451cb37","line":4,"in_reply_to":"9fb8cfa7_91277365","updated":"2019-06-05 00:52:52.000000000","message":"Thanks! we are running bandit as a non-voting job, I think it\u0027s safe to cap to 2.0.0 before it turns to voting.","commit_id":"825be55bf420a9dd34998c60ceef426f324a8d4a"},{"author":{"_account_id":2472,"name":"Doug Hellmann","email":"dhellmann@redhat.com","username":"doug-hellmann"},"change_message_id":"9572168534c83bb09b94a0fe8e300d5aabae748b","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# The order of packages is significant, because pip processes them in the order"},{"line_number":2,"context_line":"# of appearance. Changing the order has an impact on the overall integration"},{"line_number":3,"context_line":"# process, which may cause wedges in the gate later."},{"line_number":4,"context_line":"bandit\u003e\u003d1.1.0,!\u003d1.6.0 # Apache-2.0"},{"line_number":5,"context_line":"coverage!\u003d4.4,\u003e\u003d4.0 # Apache-2.0"},{"line_number":6,"context_line":"doc8\u003e\u003d0.6.0 # Apache-2.0"},{"line_number":7,"context_line":"flake8-import-order\u003e\u003d0.13 # LGPLv3"}],"source_content_type":"text/plain","patch_set":2,"id":"9fb8cfa7_91277365","line":4,"in_reply_to":"9fb8cfa7_960d2992","updated":"2019-06-04 13:44:55.000000000","message":"I\u0027m not sure. 
I would expect breaking changes to only happen in a 2.0.0 release, and I know the bandit team was trying to achieve that and had a regression in a 1.x.0 release. So you could be very conservative and cap to 1.6.0 and then update when there are new releases of bandit with interesting features, or you could cap to 2.0.0 and deal with breakages if they happen.","commit_id":"825be55bf420a9dd34998c60ceef426f324a8d4a"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"440e1041db669e18390da316175bd8905195b4e4","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# The order of packages is significant, because pip processes them in the order"},{"line_number":2,"context_line":"# of appearance. Changing the order has an impact on the overall integration"},{"line_number":3,"context_line":"# process, which may cause wedges in the gate later."},{"line_number":4,"context_line":"bandit\u003e\u003d1.1.0,!\u003d1.6.0 # Apache-2.0"},{"line_number":5,"context_line":"coverage!\u003d4.4,\u003e\u003d4.0 # Apache-2.0"},{"line_number":6,"context_line":"doc8\u003e\u003d0.6.0 # Apache-2.0"},{"line_number":7,"context_line":"flake8-import-order\u003e\u003d0.13 # LGPLv3"}],"source_content_type":"text/plain","patch_set":2,"id":"9fb8cfa7_960d2992","line":4,"in_reply_to":"9fb8cfa7_b65b8d2c","updated":"2019-06-04 13:23:00.000000000","message":"Thank you Doug, which version should we cap to? It seems 1.6.0 is the latest version.","commit_id":"825be55bf420a9dd34998c60ceef426f324a8d4a"}]}
