Skip to content

chore: 🔨 Update dependency pytest to v9.0.3 [SECURITY]#2106

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-pytest-vulnerability
Closed

chore: 🔨 Update dependency pytest to v9.0.3 [SECURITY]#2106
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-pytest-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
pytest (changelog) 9.0.29.0.3 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pytest-dev/pytest (pytest)

v9.0.3

Compare Source

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #​12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #​13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #​13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #​14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #​14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #​13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #​13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #​14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #​14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #​12689: The test reports are now published to Codecov from GitHub Actions.
    The test statistics is visible on the web interface.

    -- by aleguy02


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate labels Apr 14, 2026
@renovate renovate Bot enabled auto-merge (squash) April 14, 2026 04:57
@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate labels Apr 14, 2026
@renovate renovate Bot requested a review from Anselmoo as a code owner April 14, 2026 04:57
@semanticdiff-com

Copy link
Copy Markdown

Review changes with  SemanticDiff

@codecov

codecov Bot commented Apr 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.70%. Comparing base (6bed9a6) to head (780a7bd).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2106   +/-   ##
=======================================
  Coverage   97.70%   97.70%           
=======================================
  Files          63       63           
  Lines        6246     6246           
=======================================
  Hits         6102     6102           
  Misses        144      144           
Flag Coverage Δ
unittests 97.70% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate Bot changed the title chore: 🔨 Update dependency pytest to v9.0.3 [SECURITY] chore: 🔨 Update dependency pytest to v9.0.3 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
auto-merge was automatically disabled April 27, 2026 16:37

Pull request was closed

@renovate renovate Bot deleted the renovate/pypi-pytest-vulnerability branch April 27, 2026 16:37
@renovate renovate Bot changed the title chore: 🔨 Update dependency pytest to v9.0.3 [SECURITY] - autoclosed chore: 🔨 Update dependency pytest to v9.0.3 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pytest-vulnerability branch 2 times, most recently from 55b0d1a to 780a7bd Compare April 27, 2026 22:46
@sonarqubecloud

Copy link
Copy Markdown

@stale

stale Bot commented May 12, 2026

Copy link
Copy Markdown

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale Bot added the wontfix This will not be worked on label May 12, 2026
@stale stale Bot closed this Jun 6, 2026
@renovate

renovate Bot commented Jun 6, 2026

Copy link
Copy Markdown
Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (>=8.3.5). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file renovate root size/XS wontfix This will not be worked on

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants