* Add bandit to pre-commit and CI, use it to catch known vulnerable XML parsing
* Use defusedxml instead of direct xml.etree to parse XML
* Move config to tests/bandit.yaml
* Install our core dependencies for mypy in azure
  To match local setups and tox.
* Use "system" mypy in pre-commit instead of the "real" mypy hook
  The results of mypy depend on what is installed. And the mypy hook
  runs in a virtualenv of its own, meaning we'd need to install and
  maintain another set of our dependencies there... no. Use the "system"
  one and reuse the environment that is set up anyway already instead.
* Reintroduce needed ruamel.yaml type ignore
  This ignore is required when ruamel.yaml is installed, and we want it
  to be, as it's part of the core dependency set.
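
For illustration, a `.pre-commit-config.yaml` matching the setup this message describes; it is an added example, not the project's actual file. The `rev` value is a placeholder, the hook `name` is invented here, and the commented-out block shows the kind of isolated mypy hook the message says it moved away from.

```yaml
repos:
  # Bandit runs on every commit; its settings live in tests/bandit.yaml,
  # the path named in the commit message.
  - repo: https://github.com/PyCQA/bandit
    rev: "<PINNED-BANDIT-TAG>"   # placeholder: pin to a real release tag
    hooks:
      - id: bandit
        args: ["-c", "tests/bandit.yaml"]

  # "System" mypy: pre-commit runs whatever mypy is on PATH, so it sees the
  # same installed dependencies (and their type information) as the
  # development environment and tox.
  - repo: local
    hooks:
      - id: mypy
        name: mypy (system)      # assumed display name
        entry: mypy
        language: system
        types: [python]
        require_serial: true

  # Replaced variant: the mirrored hook builds its own virtualenv, so every
  # dependency mypy needs has to be listed and maintained again here.
  # - repo: https://github.com/pre-commit/mirrors-mypy
  #   rev: "<PINNED-MYPY-TAG>"   # placeholder
  #   hooks:
  #     - id: mypy
  #       additional_dependencies: ["<each core dependency, repeated>"]
```

With `language: system`, the hook fails if mypy is not installed in the active environment, so CI has to install mypy and the core dependencies before running pre-commit.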