chore(deps): update dependency pytest to v9.0.3 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
pytest (changelog)	dependency-groups	patch	9.0.2 → 9.0.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

• CVSS Score: 6.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-71176
• https://github.com/pytest-dev/pytest/issues/13669
• https://github.com/pytest-dev/pytest/pull/14343
• https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c
• https://github.com/pytest-dev/pytes
• https://github.com/pytest-dev/pytest/releases/tag/9.0.3
• https://www.openwall.com/lists/oss-security/2026/01/21/5

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pytest-dev/pytest (pytest)

v9.0.3

Compare Source

pytest 9.0.3 (2026-04-07)

Bug fixes

• #​12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #​13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #​13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #​14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #​14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #​13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #​13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #​14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #​14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #​12689: The test reports are now published to Codecov from GitHub Actions.
  The test statistics is visible on the web interface.

  -- by aleguy02

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cubic-dev-ai]

No issues found across 1 file

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[github-actions]

📚 Documentation Preview

Type	URL	Version	Message
Production	https://tux.atl.dev	-	-
Preview	https://c210ec45-tux-docs.allthingslinux.workers.dev	c210ec45-ee0e-4360-8caf-7789262dc9d2	Preview: tux@7a3f9be0d66c2aba495237067603f71ab83396d1 on 1243/merge by renovate[bot] (run 522)

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 9a62ece.

Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.

License Issues

uv.lock

Package	Version	License	Issue Type
pytest	9.0.3	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/pytest	9.0.3	Unknown	Unknown

Scanned Files

• uv.lock

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.23%. Comparing base (f0f2491) to head (9a62ece).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1243      +/-   ##
==========================================
- Coverage   42.24%   42.23%   -0.02%     
==========================================
  Files         221      221              
  Lines       18410    18410              
  Branches     2431     2431              
==========================================
- Hits         7778     7775       -3     
- Misses      10632    10635       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.