
chore(deps): bump pytest from 8.3.3 to 9.0.3 in the pip group across 1 directory#266

Open
dependabot[bot] wants to merge 1 commit into dev from dependabot/pip/pip-590e9db7b9

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 5, 2026

Bumps the pip group with 1 update in the / directory: pytest.

Updates pytest from 8.3.3 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function.
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics are visible on the web interface.

    -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

  • #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

    You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

    Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

  • #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

  • #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

This PR bumps pytest from 8.3.3 to 9.0.3, a major-version upgrade that includes a security fix for CVE-2025-71176 (insecure temporary directory usage) along with several bug fixes.

  • pytest==9.0.3 is pinned in pyproject.toml; no other dependency versions are changed.
  • minversion = "8.0" in [tool.pytest.ini_options] was not updated to reflect the new major version, leaving a minor inconsistency between the declared floor and the actual pin.

Confidence Score: 4/5

Safe to merge; the only change is a pytest version pin that includes an important security fix, with no logic or application code touched.

This is a straightforward dependency bump with a single line changed. The upgrade includes CVE-2025-71176 remediation and multiple bug fixes. The only minor concern is that minversion in [tool.pytest.ini_options] was not updated from 8.0 to 9.0 to stay in sync with the new pin, but this does not affect runtime behavior since 9.0.3 satisfies the 8.0 floor. No application logic is modified.

No files require special attention beyond the minor minversion inconsistency in pyproject.toml.

Important Files Changed

| Filename | Overview |
| --- | --- |
| pyproject.toml | Bumps pytest from 8.3.3 to 9.0.3 (major version); minversion in [tool.pytest.ini_options] still reads "8.0" and was not updated to match the new pin |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pyproject.toml] -->|pins| B["pytest==9.0.3\n(was 8.3.3)"]
    A -->|pins| C["pytest-xdist==3.6.1\n(unchanged)"]
    B -->|resolves| D["CVE-2025-71176\nInsecure tmp dir fix"]
    B -->|resolves| E["exceptiongroup\n__tracebackhide__ crash fix"]
    B -->|resolves| F["conftest -p no: clear error"]
    G["tool.pytest.ini_options\nminversion = '8.0'"] -.->|stale - still reads 8.0| A
```

Comments Outside Diff (1)

  1. pyproject.toml, line 53

    P2 The minversion guard is now stale: the project pins pytest==9.0.3, so any environment satisfying minversion = "8.0" could technically run an older 8.x release if the lock is bypassed. Updating it to "9.0" keeps the guard in sync with the intended minimum.

```suggestion
minversion = "9.0"
```


Bumps the pip group with 1 update in the / directory: [pytest](https://github.com/pytest-dev/pytest).


Updates `pytest` from 8.3.3 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.3...9.0.3)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Dependency updates python Pull requests that update python code labels Jun 5, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 5, 2026 23:53
@dependabot dependabot Bot requested a review from iap June 5, 2026 23:53
@github-actions

github-actions Bot commented Jun 5, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| pip/pytest | 9.0.3 | Unknown | Unknown |

Scanned Files

  • pyproject.toml
