From 006d1546fdb97b9e1a94775c42f2066991b18267 Mon Sep 17 00:00:00 2001 From: Jeff West Date: Sun, 17 May 2026 08:06:32 -0500 Subject: [PATCH] fix(deps): bump pytest pin to >=9,<10 to clear CVE-2025-71176 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pip-audit on main flagged pytest 8.4.2 for CVE-2025-71176 — predictable /tmp/pytest-of-{user} directory allows local DoS / privilege escalation on UNIX. Fix is in pytest 9.0.3. Dev-only dep; zero risk to SDK users. Affects developers running the test suite on shared UNIX systems. Notes: - uv.lock on main was already at pytest 9.0.3 + pytest-asyncio 1.3.0 (cascaded from #119's pytest-asyncio bump), so this commit only realigns pyproject.toml with the lockfile. - Local full suite: 1607 passed, 51 warnings. mypy strict + ruff clean. - Integration suite has 11 pre-existing failures unrelated to this bump (verified by running tests/integration/ against plain main with pytest 8.4.2 — same 11 failures). Tracked in a separate follow-up issue covering integration-test health overall. - pip-audit also surfaced cryptography CVE-2026-26007 + CVE-2026-34073 (both fixed in 46.0+); pin already allows up to <49 so the floating lockfile picks up 48.0.0 with no pyproject change needed. Co-Authored-By: Claude Opus 4.7 (1M context) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index a5210fb..44aedc9 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -76,7 +76,7 @@ markers = [ [dependency-groups] dev = [ - "pytest>=8,<9", + "pytest>=9,<10", "pytest-asyncio>=0.24,<2", "respx>=0.21,<1", "ruff>=0.8,<1",