diff --git a/lower-constraints.txt b/lower-constraints.txt
index e08b05d22c..cfb89d0765 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -9,7 +9,7 @@ cliff==3.4.0
 cmd2==0.8.0
 contextlib2==0.4.0
 coverage==4.0
-cryptography==2.1
+cryptography==2.7
 ddt==1.0.1
 debtcollector==1.2.0
 decorator==4.4.1
@@ -105,7 +105,7 @@ python-watcherclient==2.5.0
 python-zaqarclient==1.0.0
 python-zunclient==3.6.0
 pytz==2013.6
-PyYAML==3.12
+PyYAML==3.13
 repoze.lru==0.7
 requests-mock==1.2.0
 requests==2.14.2
diff --git a/test-requirements.txt b/test-requirements.txt
index 3dce687bc7..8b61a5c077 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,10 +1,8 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
-hacking>=2.0.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
-flake8-import-order>=0.13 # LGPLv3
 oslotest>=3.2.0 # Apache-2.0
 requests>=2.14.2 # Apache-2.0
 requests-mock>=1.2.0 # Apache-2.0
@@ -12,6 +10,5 @@ stestr>=1.0.0 # Apache-2.0
 testtools>=2.2.0 # MIT
 tempest>=17.1.0 # Apache-2.0
 osprofiler>=1.4.0 # Apache-2.0
-bandit!=1.6.0,>=1.1.0 # Apache-2.0
 wrapt>=1.7.0 # BSD License
 ddt>=1.0.1 # MIT
diff --git a/tox.ini b/tox.ini
index 663463e2f2..ebcdc2d5d9 100644
--- a/tox.ini
+++ b/tox.ini
@@ -28,9 +28,13 @@ commands =
   {toxinidir}/tools/fast8.sh
 
 [testenv:pep8]
+deps =
+  hacking>=2.0.0
+  bandit!=1.6.0,>=1.1.0
+  flake8-import-order>=0.13 # LGPLv3
 commands =
-    flake8
-    bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
+  flake8
+  bandit -r openstackclient -x tests -s B105,B106,B107,B401,B404,B603,B606,B607,B110,B605,B101
 
 [testenv:bandit]
 # This command runs the bandit security linter against the openstackclient