Comment 2 for bug 1550161

Correct. It is the best practice advice. While bandit is produced by OpenStack it is also very much in use by communities not involved in OpenStack. I don't think we should change the test. Also, I think openstack/requirements will give us a hassle if we update g-r, but we can try anyway :)