repos/roboluke
5
0
Fork 0
Code Issues 1 Pull Requests 1 Actions 1 Packages Releases 79 Activity

ci(security): update dependency pytest to v9.0.3 #440

Merged
renovate-bot merged 1 commits from renovate/pypi-pytest-vulnerability into main 2026-04-13 21:28:42 +00:00
Conversation 2 Commits 1 Files Changed 1 +3 -3
renovate-bot commented 2026-04-13 21:04:05 +00:00
Member
Copy Link

This PR contains the following updates:

Package Change Age Confidence
pytest (changelog) 9.0.29.0.3 age confidence

pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pytest-dev/pytest (pytest)

v9.0.3

Compare Source

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #​12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #​13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #​13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #​14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #​14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #​13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #​13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #​14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #​14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #​12689: The test reports are now published to Codecov from GitHub Actions.
    The test statistics is visible on the web interface.

    -- by aleguy02

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [pytest](https://github.com/pytest-dev/pytest) ([changelog](https://docs.pytest.org/en/stable/changelog.html)) | `9.0.2` → `9.0.3` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/pytest/9.0.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pytest/9.0.2/9.0.3?slim=true) | --- ### pytest has vulnerable tmpdir handling [CVE-2025-71176](https://nvd.nist.gov/vuln/detail/CVE-2025-71176) / [GHSA-6w46-j5rx-g56g](https://github.com/advisories/GHSA-6w46-j5rx-g56g) <details> <summary>More information</summary> #### Details pytest through 9.0.2 on UNIX relies on directories with the `/tmp/pytest-of-{user}` name pattern, which allows local users to cause a denial of service or possibly gain privileges. #### Severity - CVSS Score: 6.8 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-71176](https://nvd.nist.gov/vuln/detail/CVE-2025-71176) - [https://github.com/pytest-dev/pytest/issues/13669](https://github.com/pytest-dev/pytest/issues/13669) - [https://github.com/pytest-dev/pytest/pull/14343](https://github.com/pytest-dev/pytest/pull/14343) - [https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c](https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c) - [https://github.com/pytest-dev/pytes](https://github.com/pytest-dev/pytes) - [https://github.com/pytest-dev/pytest/releases/tag/9.0.3](https://github.com/pytest-dev/pytest/releases/tag/9.0.3) - [https://www.openwall.com/lists/oss-security/2026/01/21/5](https://www.openwall.com/lists/oss-security/2026/01/21/5) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6w46-j5rx-g56g) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>pytest-dev/pytest (pytest)</summary> ### [`v9.0.3`](https://github.com/pytest-dev/pytest/releases/tag/9.0.3) [Compare Source](https://github.com/pytest-dev/pytest/compare/9.0.2...9.0.3) ### pytest 9.0.3 (2026-04-07) #### Bug fixes - [#&#8203;12444](https://github.com/pytest-dev/pytest/issues/12444): Fixed `pytest.approx` which now correctly takes into account `~collections.abc.Mapping` keys order to compare them. - [#&#8203;13634](https://github.com/pytest-dev/pytest/issues/13634): Blocking a `conftest.py` file using the `-p no:` option is now explicitly disallowed. Previously this resulted in an internal assertion failure during plugin loading. Pytest now raises a clear `UsageError` explaining that conftest files are not plugins and cannot be disabled via `-p`. - [#&#8203;13734](https://github.com/pytest-dev/pytest/issues/13734): Fixed crash when a test raises an exceptiongroup with `__tracebackhide__ = True`. - [#&#8203;14195](https://github.com/pytest-dev/pytest/issues/14195): Fixed an issue where non-string messages passed to <span class="title-ref">unittest.TestCase.subTest()</span> were not printed. - [#&#8203;14343](https://github.com/pytest-dev/pytest/issues/14343): Fixed use of insecure temporary directory (CVE-2025-71176). #### Improved documentation - [#&#8203;13388](https://github.com/pytest-dev/pytest/issues/13388): Clarified documentation for `-p` vs `PYTEST_PLUGINS` plugin loading and fixed an incorrect `-p` example. - [#&#8203;13731](https://github.com/pytest-dev/pytest/issues/13731): Clarified that capture fixtures (e.g. `capsys` and `capfd`) take precedence over the `-s` / `--capture=no` command-line options in `Accessing captured output from a test function <accessing-captured-output>`. - [#&#8203;14088](https://github.com/pytest-dev/pytest/issues/14088): Clarified that the default `pytest_collection` hook sets `session.items` before it calls `pytest_collection_finish`, not after. - [#&#8203;14255](https://github.com/pytest-dev/pytest/issues/14255): TOML integer log levels must be quoted: Updating reference documentation. #### Contributor-facing changes - [#&#8203;12689](https://github.com/pytest-dev/pytest/issues/12689): The test reports are now published to Codecov from GitHub Actions. The test statistics is visible [on the web interface](https://app.codecov.io/gh/pytest-dev/pytest/tests). \-- by `aleguy02` </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTMuMCIsInVwZGF0ZWRJblZlciI6IjQzLjExMy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJzZWN1cml0eSJdfQ==-->
renovate-bot added the security label 2026-04-13 21:04:05 +00:00
renovate-bot added 1 commit 2026-04-13 21:04:05 +00:00
[SECURITY] Update dependency pytest to v9.0.3 [SECURITY]
All checks were successful
Validate PR Title / validate (pull_request) Successful in 2s
Details
CI / ci (pull_request) Successful in 20s
Details
4fe4c06572
renovate-bot requested review from luke 2026-04-13 21:04:05 +00:00
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-04-13 21:04:06 +00:00
luke changed title from [SECURITY] Update dependency pytest to v9.0.3 [SECURITY] to ci(security): update dependency pytest to v9.0.3 2026-04-13 21:28:13 +00:00
luke approved these changes 2026-04-13 21:28:23 +00:00
Dismissed
luke approved these changes 2026-04-13 21:28:34 +00:00
renovate-bot merged commit 0e8f31eb74 into main 2026-04-13 21:28:42 +00:00
renovate-bot deleted branch renovate/pypi-pytest-vulnerability 2026-04-13 21:28:42 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
luke
Labels
Clear labels
bug
Something isn't working
 dependencies
Pull requests that update a dependency file
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 security
wontfix
This will not be worked on
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
No Label security
Milestone
No items
No Milestone
Assignees
Clear assignees
ai-review-bot gitea-actions-bot luke renovate-bot
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: repos/roboluke#440
Delete Branch "renovate/pypi-pytest-vulnerability"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?