Skip to content

Update dependency pytest to v9.0.3 [SECURITY] (8.6-gdal3.12)#1480

Merged
renovate[bot] merged 1 commit into8.6-gdal3.12from
renovate/8.6-gdal3.12-pypi-pytest-vulnerability
Apr 13, 2026
Merged

Update dependency pytest to v9.0.3 [SECURITY] (8.6-gdal3.12)#1480
renovate[bot] merged 1 commit into8.6-gdal3.12from
renovate/8.6-gdal3.12-pypi-pytest-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 13, 2026

This PR contains the following updates:

Package Change Age Confidence
pytest (changelog) 9.0.29.0.3 age confidence

pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

pytest-dev/pytest (pytest)

v9.0.3

Compare Source

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #​12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #​13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #​13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #​14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #​14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #​13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #​13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #​14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #​14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #​12689: The test reports are now published to Codecov from GitHub Actions.
    The test statistics is visible on the web interface.

    -- by aleguy02

Configuration

📅 Schedule: (in timezone Europe/Zurich)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security Security fixes label Apr 13, 2026
@renovate renovate bot enabled auto-merge (squash) April 13, 2026 20:41
@renovate renovate bot merged commit 616246d into 8.6-gdal3.12 Apr 13, 2026
8 checks passed
@renovate renovate bot deleted the renovate/8.6-gdal3.12-pypi-pytest-vulnerability branch April 13, 2026 21:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

security Security fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants