The bandit 1.6.3 [1] release has dropped support for py2 [2], but the release is faulty and pip still picks it up for py2 [3][4], so cap to 1.6.2 when using py2.

With the new pip dependency resolver (introduced in pip 20.3), the lower-constraints job started to fail. The problem here is with the 'install_command' in tox.ini, which uses both the upper- and lower-constraints files, causing the job to fail. This patch adds a separate install_command without the upper constraints, so that only the lower-constraints.txt is used.

[1] https://github.com/PyCQA/bandit/releases/tag/1.6.3
[2] https://github.com/PyCQA/bandit/pull/615
[3] https://github.com/PyCQA/bandit/issues/663
[4] https://github.com/PyCQA/bandit/issues/665

Change-Id: If8738f5005e60cf46ed93edbefa272bc2611b53f
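The following check is an added example, not part of the commit or the project's code. It lists the packages that an upper- and a lower-constraints file pin to different versions, which is the condition the commit message describes as breaking the lower-constraints job. The file contents, the helper names and the simplified pin syntax (only `==`/`===`, environment markers ignored) are assumptions.

```python
import re

# Constructed sample constraints, not the project's real files.
UPPER = """\
# upper-constraints.txt (constructed sample)
bandit===1.6.2
requests===2.25.1
PyYAML===5.4.1
"""
LOWER = """\
# lower-constraints.txt (constructed sample)
bandit==1.1.0
requests==2.14.2
pyyaml==3.12
six==1.10.0
"""

# name, then '==' or '===', then the version; anything after ';' is ignored.
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*={2,3}\s*([^\s;#]+)")


def parse_pins(text):
    """Return {normalized_name: version} for every '==' / '===' pin."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = _PIN.match(line)
        if m:
            # PEP 503 normalization so PyYAML and pyyaml compare equal.
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = m.group(2)
    return pins


def conflicting_pins(upper_text, lower_text):
    """Map each package pinned differently to (lower_version, upper_version).

    If both files are passed with -c and such a package is installed,
    no single version can satisfy both pins.
    """
    upper, lower = parse_pins(upper_text), parse_pins(lower_text)
    return {n: (lower[n], upper[n])
            for n in sorted(lower.keys() & upper.keys())
            if lower[n] != upper[n]}


if __name__ == "__main__":
    for name, (low, up) in conflicting_pins(UPPER, LOWER).items():
        print(f"{name}: lower=={low} vs upper=={up}")
```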