chore(deps): update dependency pytest to v9.0.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
pytest (changelog)	9.0.2 → 9.0.3

---

pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

• CVSS Score: 6.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-71176
• https://github.com/pytest-dev/pytest/issues/13669
• https://www.openwall.com/lists/oss-security/2026/01/21/5
• https://github.com/pytest-dev/pytest/pull/14343
• https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c
• https://github.com/pytest-dev/pytest/releases/tag/9.0.3
• https://github.com/advisories/GHSA-6w46-j5rx-g56g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pytest-dev/pytest (pytest)

v9.0.3

Compare Source

pytest 9.0.3 (2026-04-07)

Bug fixes

• #​12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #​13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #​13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #​14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #​14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #​13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #​13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #​14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #​14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #​12689: The test reports are now published to Codecov from GitHub Actions.
  The test statistics is visible on the web interface.

  -- by aleguy02

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Checking back in with the latest test results. 📡

I've aggregated the results of the automated checks for this PR below.

📋 Repo Health

Is the codebase feeling fit today? Let's check. 🏃‍♂️

⚠️ Some required files are missing.

Latest Version: 0.5.0

✅ difficult_dialogs/version.py — Version file
✅ README.md — README
❌ LICENSE — License file
✅ pyproject.toml — pyproject.toml
⚠️ CHANGELOG.md — Changelog
⚠️ requirements.txt — Requirements
✅ difficult_dialogs/version.py has valid version block markers

🔒 Security (pip-audit)

I've checked for any insecure file permissions. 📂

✅ No known vulnerabilities found (32 packages scanned).

🔍 Lint

Another check completed successfully! 🏁

❌ ruff: issues found — see job log

🏷️ Release Preview

A sneak peek into the future! 🔮

Current: 0.5.0 → Next: 0.5.1a1

Signal	Value
Label	(none)
PR title	chore(deps): update dependency pytest to v9.0.3 [security]
Bump	alpha

⚠️ No conventional commit prefix — alpha-only bump.
Suggested: fix: update the thing or feat: update the thing

---

🚀 Release Channel Compatibility

Predicted next version: 0.5.1a1

Channel	Status	Note	Current Constraint
Stable	⚪	Not in channel	-
Testing	⚪	Not in channel	-
Alpha	⚪	Not in channel	-

📊 Coverage

Quantifying the robustness of your changes. 🏋️

✅ 92.6% total coverage

Files below 80% coverage (1 file)

File	Coverage	Missing lines
difficult_dialogs/server.py	0.0%	111

Full report: download the coverage-report artifact.

⚖️ License Check

Evaluating the legal risk of these changes. ⚖️

✅ No license violations found (9 packages).

License distribution: 3× MIT, 2× Apache Software License, 1× Apache-2.0 OR BSD-2-Clause, 1× BSD-3-Clause, 1× MIT License, 1× Mozilla Public License 2.0 (MPL 2.0)

Full breakdown — 9 packages

Package	Version	License	URL
build	1.4.3	MIT	link
certifi	2026.2.25	Mozilla Public License 2.0 (MPL 2.0)	link
charset-normalizer	3.4.7	MIT	link
difficult_dialogs	0.5.0	Apache Software License	link
idna	3.11	BSD-3-Clause	link
packaging	26.0	Apache-2.0 OR BSD-2-Clause	link
pyproject_hooks	1.2.0	MIT License	link
requests	2.33.1	Apache Software License	link
urllib3	2.6.3	MIT	link

Policy: Apache 2.0 (universal donor). StrongCopyleft / NetworkCopyleft / WeakCopyleft / Other / Error categories fail. MPL allowed.

🔨 Build Tests

The build process has successfully terminated. 🏁

✅ All versions pass

Python	Build	Install	Tests
3.10	✅	✅	✅
3.11	✅	✅	✅
3.12	✅	✅	✅
3.13	✅	✅	✅
3.14	✅	✅	✅

---

The silent guardian of the dev branch. 🦇