From aaa06c780d57dacc09be46b1b5a700745a350b42 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <renovate-bot@git.tainton.uk>
Date: Mon, 13 Apr 2026 21:25:16 +0000
Subject: [PATCH] build(security): Update dependency pytest to v9.0.3
 [SECURITY] (#217)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pytest](https://github.com/pytest-dev/pytest) ([changelog](https://docs.pytest.org/en/stable/changelog.html)) | `9.0.2` → `9.0.3` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/pytest/9.0.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pytest/9.0.2/9.0.3?slim=true) |

---

### pytest has vulnerable tmpdir handling
[CVE-2025-71176](https://nvd.nist.gov/vuln/detail/CVE-2025-71176) / [GHSA-6w46-j5rx-g56g](https://github.com/advisories/GHSA-6w46-j5rx-g56g)

<details>
<summary>More information</summary>

#### Details
pytest through 9.0.2 on UNIX relies on directories with the `/tmp/pytest-of-{user}` name pattern, which allows local users to cause a denial of service or possibly gain privileges.

#### Severity
- CVSS Score: 6.8 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L`

#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2025-71176](https://nvd.nist.gov/vuln/detail/CVE-2025-71176)
- [https://github.com/pytest-dev/pytest/issues/13669](https://github.com/pytest-dev/pytest/issues/13669)
- [https://github.com/pytest-dev/pytest/pull/14343](https://github.com/pytest-dev/pytest/pull/14343)
- [https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c](https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c)
- [https://github.com/pytest-dev/pytes](https://github.com/pytest-dev/pytes)
- [https://github.com/pytest-dev/pytest/releases/tag/9.0.3](https://github.com/pytest-dev/pytest/releases/tag/9.0.3)
- [https://www.openwall.com/lists/oss-security/2026/01/21/5](https://www.openwall.com/lists/oss-security/2026/01/21/5)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6w46-j5rx-g56g) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>pytest-dev/pytest (pytest)</summary>

### [`v9.0.3`](https://github.com/pytest-dev/pytest/releases/tag/9.0.3)

[Compare Source](https://github.com/pytest-dev/pytest/compare/9.0.2...9.0.3)

### pytest 9.0.3 (2026-04-07)

#### Bug fixes

- [#&#8203;12444](https://github.com/pytest-dev/pytest/issues/12444): Fixed `pytest.approx` which now correctly takes into account `~collections.abc.Mapping` keys order to compare them.

- [#&#8203;13634](https://github.com/pytest-dev/pytest/issues/13634): Blocking a `conftest.py` file using the `-p no:` option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear `UsageError` explaining that conftest files are not plugins and cannot be disabled via `-p`.

- [#&#8203;13734](https://github.com/pytest-dev/pytest/issues/13734): Fixed crash when a test raises an exceptiongroup with `__tracebackhide__ = True`.

- [#&#8203;14195](https://github.com/pytest-dev/pytest/issues/14195): Fixed an issue where non-string messages passed to <span class="title-ref">unittest.TestCase.subTest()</span> were not printed.

- [#&#8203;14343](https://github.com/pytest-dev/pytest/issues/14343): Fixed use of insecure temporary directory (CVE-2025-71176).

#### Improved documentation

- [#&#8203;13388](https://github.com/pytest-dev/pytest/issues/13388): Clarified documentation for `-p` vs `PYTEST_PLUGINS` plugin loading and fixed an incorrect `-p` example.
- [#&#8203;13731](https://github.com/pytest-dev/pytest/issues/13731): Clarified that capture fixtures (e.g. `capsys` and `capfd`) take precedence over the `-s` / `--capture=no` command-line options in `Accessing captured output from a test function <accessing-captured-output>`.
- [#&#8203;14088](https://github.com/pytest-dev/pytest/issues/14088): Clarified that the default `pytest_collection` hook sets `session.items` before it calls `pytest_collection_finish`, not after.
- [#&#8203;14255](https://github.com/pytest-dev/pytest/issues/14255): TOML integer log levels must be quoted: Updating reference documentation.

#### Contributor-facing changes

- [#&#8203;12689](https://github.com/pytest-dev/pytest/issues/12689): The test reports are now published to Codecov from GitHub Actions.
  The test statistics is visible [on the web interface](https://app.codecov.io/gh/pytest-dev/pytest/tests).

  \-- by `aleguy02`

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTMuMCIsInVwZGF0ZWRJblZlciI6IjQzLjExMy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJzZWN1cml0eSJdfQ==-->

Reviewed-on: https://git.tainton.uk/repos/epage/pulls/217
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>
---
 uv.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/uv.lock b/uv.lock
index 894542e..4b7ad18 100644
--- a/uv.lock
+++ b/uv.lock
@@ -401,7 +401,7 @@ wheels = [
 
 [[package]]
 name = "pytest"
-version = "9.0.2"
+version = "9.0.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "colorama", marker = "sys_platform == 'win32'" },
@@ -410,9 +410,9 @@ dependencies = [
     { name = "pluggy" },
     { name = "pygments" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/d1/db/7ef3487e0fb0049ddb5ce41d3a49c235bf9ad299b6a25d5780a89f19230f/pytest-9.0.2.tar.gz", hash = "sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11", size = 1568901, upload-time = "2025-12-06T21:30:51.014Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/7d/0d/549bd94f1a0a402dc8cf64563a117c0f3765662e2e668477624baeec44d5/pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c", size = 1572165, upload-time = "2026-04-07T17:16:18.027Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/3b/ab/b3226f0bd7cdcf710fbede2b3548584366da3b19b5021e74f5bde2a8fa3f/pytest-9.0.2-py3-none-any.whl", hash = "sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b", size = 374801, upload-time = "2025-12-06T21:30:49.154Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/24/a372aaf5c9b7208e7112038812994107bc65a84cd00e0354a88c2c77a617/pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9", size = 375249, upload-time = "2026-04-07T17:16:16.13Z" },
 ]
 
 [[package]]