fix(deps): vuln minor: packaging · patch: pytest [tools/dogfooding]

[gh-worker-campaigns-3e9aa4]

Summary: Security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

• tools/dogfooding (pip)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
pytest	9.0.2	9.0.3	patch	Direct	2 MODERATE
packaging	26.0	26.1	minor	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

ℹ️ Other Vulnerabilities (2)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
pytest	GHSA-6w46-j5rx-g56g	MODERATE	pytest has vulnerable tmpdir handling	9.0.2	9.0.3
pytest	CVE-2025-71176	MODERATE	-	9.0.2	-

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

pytest (9.0.2 → 9.0.3) — GitHub Release

pytest 9.0.3 (2026-04-07)

Bug fixes

• \https://github.com/pytest-dev/pytest/issues/12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• \https://github.com/pytest-dev/pytest/issues/13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• \https://github.com/pytest-dev/pytest/issues/13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• \https://github.com/pytest-dev/pytest/issues/14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• \https://github.com/pytest-dev/pytest/issues/14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• \https://github.com/pytest-dev/pytest/issues/13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• \https://github.com/pytest-dev/pytest/issues/13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• \https://github.com/pytest-dev/pytest/issues/14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• \https://github.com/pytest-dev/pytest/issues/14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• \https://github.com/pytest-dev/pytest/issues/12689: The test reports are now published to Codecov from GitHub Actions.
  The test statistics is visible on the web interface.

  -- by aleguy02

packaging (26.0 → 26.1) — GitHub Release

26.1

Features:

• PEP 783: add handling for Emscripten wheel tags by @hoodmane in feat: add handling for Emscripten wheels tags per PEP 783 pypa/packaging#804 (old name used in implementation, will be fixed in next release)
• PEP 803: add handling for the abi3.abi3t free-threading tag by @ngoldbaum in Add support for abi3.abi3t tag from PEP 803 pypa/packaging#1099
• PEP 723: add packaging.dependency_groups module, based on the dependency-groups package by @sirosen in feat: add a new packaging.dependency_groups module, based on the existing dependency-groups package pypa/packaging#1065
• Add the packaging.direct_url module by @sbidoul in feat: direct_url pypa/packaging#944
• Add the packaging.errors module by @henryiii in feat: errors.py pypa/packaging#1071
• Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) by @notatallshaw in Implement is_unsatisfiable on SpecifierSet using ranges pypa/packaging#1119
• Add create_compatible_tags_selector to select compatible tags by @sbidoul in Add utility to select things with compatible tags pypa/packaging#1110
• Add a key argument to SpecifierSet.filter() by @frostming in feat: add a key argument to SpecifierSet.filter() pypa/packaging#1068
• Support & and | for Marker's by @henryiii in feat: marker & and | pypa/packaging#1146
• Normalize Version.__replace__ and add Version.from_parts by @henryiii in feat: normalize replace & add from_parts pypa/packaging#1078
• Add an option to validate compressed tag set sort order in parse_wheel_filename by @r266-tech in feat: option to validate compressed tag set sort order in parse_wheel_filename pypa/packaging#1150

Behavior adaptations:

• Narrow exclusion of pre-releases for <V.postN to match spec by @notatallshaw in Narrow <V.postN pre-release exclusion to match spec pypa/packaging#1140
• Narrow exclusion of post-releases for >V to match spec by @notatallshaw in Narrow >V post-release exclusion to match spec pypa/packaging#1141
• Rename format_full_version to _format_full_version to make it visibly private by @r266-tech in Rename format_full_version to _format_full_version to make it visibly private pypa/packaging#1125
• Restrict local version to ASCII by @henryiii in fix: only ASCII allowed in local version pypa/packaging#1102

Pylock (PEP 751) updates:

(truncated)

---

Generated by ADMS Sources: 2 GitHub Releases.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.