pytest-dev / pytest-runner

MIT License

flake8 safety reports error #60

Closed ajantha-bhat closed 2 years ago

ajantha-bhat commented 2 years ago

Python 3.8 with flake8, safety reports the following error.

+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| pytest-runner              | 5.3.1     | >0                       | 43313    |
+==============================================================================+

jaraco commented 2 years ago

That error doesn't mean anything to me. Can you decode what the report is saying?

benoit-pierre commented 2 years ago

The linked mention above contains more information:

+============================+===========+==========================+==========+
| pytest-runner              | 5.3.1     | >0                       | 43313    |
+==============================================================================+
| Pytest-runner depends on deprecated features of setuptools and relies on     |
| features that break security mechanisms in pip. For example ‘setup_requires’ |
| and ‘tests_require’ bypass pip --require-hashes. See also                    |
| pypa/setuptools#1684.                                                        |
| It is recommended that you:                                                  |
| - Remove 'pytest-runner' from your setup_requires, preferably removing the   |
| setup_requires option.                                                       |
| - Remove 'pytest' and any other testing requirements from tests_require,     |
| preferably removing the tests_requires option.                               |
| - Select a tool to bootstrap and then run tests such as tox.                 |
+==============================================================================+

graingert commented 2 years ago

Seems pytest-runner got added to safety-db here:

https://github.com/pyupio/safety-db/commit/1163353fa4577d835e29e14a476839163b147ec6#diff-674fdcad879dee1d5570c68e560a6678eb78df68003a7c834532af09c4f264cbR29340-R29350

The project as a whole is deprecated and that's what the message says. I think this repo should be archived to make that clearer.

jaraco commented 2 years ago

Sounds good. That clarifies. There's nothing for this project to do (except maybe archive the repo). I'd like to keep the repo active in case there are other emergent concerns, but I'll consider that in the future as usage wanes.
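
A checker for the two options the advisory text quoted in this thread recommends removing, as an added example that is not part of the original thread or the pytest-runner project: it scans `setup.py` and `setup.cfg` text for `setup_requires` and `tests_require` and notes whether pytest-runner is listed. The function names and sample inputs are constructed for illustration.

```python
import ast
import configparser
import re

# Options the advisory text quoted above recommends removing.
FLAGGED_OPTIONS = ("setup_requires", "tests_require")

def _finding(path, option, requirements):
    # Requirement name = text before any version specifier, extra or marker.
    names = [re.split(r"[\s<>=!~;\[]", r.strip(), maxsplit=1)[0].lower().replace("_", "-")
             for r in requirements if r.strip()]
    return {"file": path, "option": option, "requirements": names,
            "pytest_runner": "pytest-runner" in names}

def audit_setup_py(source):
    """Flag setup_requires / tests_require keywords passed to setup() in setup.py text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        # Matches both setup(...) and setuptools.setup(...).
        callee = getattr(node.func, "id", getattr(node.func, "attr", None))
        if callee != "setup":
            continue
        for kw in node.keywords:
            if kw.arg in FLAGGED_OPTIONS:
                # Only string literals are read; a computed value yields an empty list.
                reqs = [c.value for c in ast.walk(kw.value)
                        if isinstance(c, ast.Constant) and isinstance(c.value, str)]
                findings.append(_finding("setup.py", kw.arg, reqs))
    return findings

def audit_setup_cfg(text):
    """Flag the same options in the [options] section of setup.cfg text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for option in FLAGGED_OPTIONS:
        if parser.has_option("options", option):
            value = parser.get("options", option)
            # Value is either a dangling multi-line list or a semicolon-separated string.
            reqs = value.splitlines() if "\n" in value else value.split(";")
            findings.append(_finding("setup.cfg", option, reqs))
    return findings

# Constructed sample inputs, not taken from any real project.
SAMPLE_SETUP_PY = ('from setuptools import setup\n'
                   'setup(name="demo", setup_requires=["pytest-runner>=5"],\n'
                   '      tests_require=["pytest", "mock"])\n')
SAMPLE_SETUP_CFG = "[options]\nsetup_requires =\n    pytest_runner\ntests_require = pytest; mock\n"
```

An empty result from both functions means neither option is declared in the text that was checked.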