Skip to content

fix(deps): Update dependency pytest to v9.0.3 [SECURITY]#81

Merged
williaby merged 1 commit into
mainfrom
renovate/pypi-pytest-vulnerability
May 28, 2026
Merged

fix(deps): Update dependency pytest to v9.0.3 [SECURITY]#81
williaby merged 1 commit into
mainfrom
renovate/pypi-pytest-vulnerability

Conversation

@williaby
Copy link
Copy Markdown
Collaborator

@williaby williaby commented May 28, 2026

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package Change Age Confidence
pytest (changelog) 9.0.19.0.3 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes

pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pytest-dev/pytest (pytest)

v9.0.3

Compare Source

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #​12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #​13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #​13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #​14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #​14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #​13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #​13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #​14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #​14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #​12689: The test reports are now published to Codecov from GitHub Actions.
    The test statistics is visible on the web interface.

    -- by aleguy02

v9.0.2

Compare Source

pytest 9.0.2 (2025-12-06)

Bug fixes

  • #​13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

    You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

    Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

  • #​13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

  • #​13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0.
    Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim.
    It will be deprecated in pytest 9.1 and removed in pytest 10.

  • #​13965: Fixed quadratic-time behavior when handling unittest subtests in Python 3.10.

Improved documentation

  • #​4492: The API Reference now contains cross-reference-able documentation of pytest's command-line flags <command-line-flags>.

Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings May 28, 2026 04:32
@williaby williaby enabled auto-merge (squash) May 28, 2026 04:32
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 28, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b8dea314-357e-4b51-a13d-def345ed9915

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/pypi-pytest-vulnerability

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 28, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedpypi/​pytest@​9.0.1 ⏵ 9.0.387 +1100 +2100100100

View full report

@williaby williaby merged commit 2a0ed0d into main May 28, 2026
70 checks passed
@williaby williaby deleted the renovate/pypi-pytest-vulnerability branch May 28, 2026 04:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@williaby