This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pytest](https://github.com/pytest-dev/pytest) ([changelog](https://docs.pytest.org/en/stable/changelog.html)) | `9.0.2` → `9.0.3` |  |  |
---
### pytest has vulnerable tmpdir handling
[CVE-2025-71176](https://nvd.nist.gov/vuln/detail/CVE-2025-71176) / [GHSA-6w46-j5rx-g56g](https://github.com/advisories/GHSA-6w46-j5rx-g56g)
<details>
<summary>More information</summary>
#### Details
pytest through 9.0.2 on UNIX relies on directories with the `/tmp/pytest-of-{user}` name pattern, which allows local users to cause a denial of service or possibly gain privileges.
#### Severity
- CVSS Score: 6.8 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2025-71176](https://nvd.nist.gov/vuln/detail/CVE-2025-71176)
- [https://github.com/pytest-dev/pytest/issues/13669](https://github.com/pytest-dev/pytest/issues/13669)
- [https://github.com/pytest-dev/pytest/pull/14343](https://github.com/pytest-dev/pytest/pull/14343)
- [95d8423bd2)
- [https://github.com/pytest-dev/pytes](https://github.com/pytest-dev/pytes)
- [https://github.com/pytest-dev/pytest/releases/tag/9.0.3](https://github.com/pytest-dev/pytest/releases/tag/9.0.3)
- [https://www.openwall.com/lists/oss-security/2026/01/21/5](https://www.openwall.com/lists/oss-security/2026/01/21/5)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6w46-j5rx-g56g) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>pytest-dev/pytest (pytest)</summary>
### [`v9.0.3`](https://github.com/pytest-dev/pytest/releases/tag/9.0.3)
[Compare Source](https://github.com/pytest-dev/pytest/compare/9.0.2...9.0.3)
### pytest 9.0.3 (2026-04-07)
#### Bug fixes
- [#​12444](https://github.com/pytest-dev/pytest/issues/12444): Fixed `pytest.approx` which now correctly takes into account `~collections.abc.Mapping` keys order to compare them.
- [#​13634](https://github.com/pytest-dev/pytest/issues/13634): Blocking a `conftest.py` file using the `-p no:` option is now explicitly disallowed.
Previously this resulted in an internal assertion failure during plugin loading.
Pytest now raises a clear `UsageError` explaining that conftest files are not plugins and cannot be disabled via `-p`.
- [#​13734](https://github.com/pytest-dev/pytest/issues/13734): Fixed crash when a test raises an exceptiongroup with `__tracebackhide__ = True`.
- [#​14195](https://github.com/pytest-dev/pytest/issues/14195): Fixed an issue where non-string messages passed to `unittest.TestCase.subTest()` were not printed.
- [#​14343](https://github.com/pytest-dev/pytest/issues/14343): Fixed use of insecure temporary directory (CVE-2025-71176).
#### Improved documentation
- [#​13388](https://github.com/pytest-dev/pytest/issues/13388): Clarified documentation for `-p` vs `PYTEST_PLUGINS` plugin loading and fixed an incorrect `-p` example.
- [#​13731](https://github.com/pytest-dev/pytest/issues/13731): Clarified that capture fixtures (e.g. `capsys` and `capfd`) take precedence over the `-s` / `--capture=no` command-line options in `Accessing captured output from a test function <accessing-captured-output>`.
- [#​14088](https://github.com/pytest-dev/pytest/issues/14088): Clarified that the default `pytest_collection` hook sets `session.items` before it calls `pytest_collection_finish`, not after.
- [#​14255](https://github.com/pytest-dev/pytest/issues/14255): TOML integer log levels must be quoted: Updating reference documentation.
#### Contributor-facing changes
- [#​12689](https://github.com/pytest-dev/pytest/issues/12689): The test reports are now published to Codecov from GitHub Actions.
The test statistics are visible [on the web interface](https://app.codecov.io/gh/pytest-dev/pytest/tests).
\-- by `aleguy02`
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Reviewed-on: https://git.tainton.uk/repos/epage/pulls/217
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>