Skip to content

chore(deps): update dependency pytest to v9.0.3 [security]#113

Merged
abubnalitic-nbl merged 1 commit into
mainfrom
renovate/pypi-pytest-vulnerability
Apr 20, 2026
Merged

chore(deps): update dependency pytest to v9.0.3 [security]#113
abubnalitic-nbl merged 1 commit into
mainfrom
renovate/pypi-pytest-vulnerability

Conversation

@nbl-renovate

@nbl-renovate nbl-renovate Bot commented Apr 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
pytest (changelog) 9.0.29.0.3 age confidence

pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pytest-dev/pytest (pytest)

v9.0.3

Compare Source

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #​12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #​13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #​13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #​14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #​14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #​13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #​13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #​14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #​14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #​12689: The test reports are now published to Codecov from GitHub Actions.
    The test statistics is visible on the web interface.

    -- by aleguy02


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@github-actions

Copy link
Copy Markdown
Contributor

Vulnerability Scan: Passed

Image: netbox-mcp-server:scan

Source Library CVE Severity Installed Fixed Title
Python Pygments CVE-2026-4539 ⚪ LOW 2.19.2 2.20.0 pygments: Pygments: Denial of Service via inefficient regular expression process
Python cryptography CVE-2026-39892 🟡 MEDIUM 46.0.6 46.0.7 cryptography: Cryptography: Buffer overflow via non-contiguous buffer in API

Commit: 72d7a4c

@abubnalitic-nbl abubnalitic-nbl merged commit 48bb7a6 into main Apr 20, 2026
14 checks passed
@abubnalitic-nbl abubnalitic-nbl deleted the renovate/pypi-pytest-vulnerability branch April 20, 2026 16:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant