From c5feeac4cebd46a4a505e61bf4184a7ffe8ce016 Mon Sep 17 00:00:00 2001
From: goodboy
Date: Wed, 17 Jun 2026 16:05:41 -0400
Subject: [PATCH] Pin `pytest>=9.0.3` for CVE-2025-71176 floor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tighten the test-dep floor from `>=9.0` to `>=9.0.3` so a fresh `uv` relock can't resolve back into the vulnerable 9.0.0–9.0.2 window; 9.0.3 is where upstream patched the insecure-tmpdir advisory (CVE-2025-71176).
- annotate the constraint w/ the CVE id for future readers.
- update the existing bump-rationale comment to name the precise patched version.
(this commit-msg was generated in some part by [`claude-code`][claude-code-gh])
[claude-code-gh]: https://github.com/anthropics/claude-code
---
 pyproject.toml | 4 ++--
 uv.lock | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 0a905115..0a23dce5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -76,13 +76,13 @@ testing = [
     # test suite
     # TODO: maybe some of these layout choices?
     # https://docs.pytest.org/en/8.0.x/explanation/goodpractices.html#choosing-a-test-layout-import-rules
-    # bumped 8.3.5 → 9.0 per upstream security advisory + our
+    # bumped 8.3.5 → 9.0.3 per upstream security advisory + our
     # local-only reliance on the post-9.0 capture-machinery shape
     # (the `sys.__stderr__`-bypass print in
     # `tractor._testing.trace._do_capture_snapshot` works on 8.x
     # too, but standardizing on 9.x here ensures `--show-capture`
     # interactions stay predictable across dev installs).
-    "pytest>=9.0",
+    "pytest>=9.0.3", # CVE-2025-71176 (insecure tmpdir) patched in 9.0.3
     "pexpect>=4.9.0,<5",
 ]
 repl = [
diff --git a/uv.lock b/uv.lock
index 2e1e7d2c..27511f7f 100644
--- a/uv.lock
+++ b/uv.lock
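Review bot: The tightened floor on the `"pytest>=9.0.3"` line only constrains future resolution; what `uv sync --frozen` actually installs is decided by the resolved `[[package]]` entry for pytest in uv.lock, which this commit does not touch (the diffstat shows only the two `specifier` lines changing there). If the lock was regenerated with `uv lock`, that entry presumably already satisfied the new floor; if it was hand-edited, the resolved version and artifact hashes should be confirmed to be at or above 9.0.3 before treating the CVE-2025-71176 exposure as closed. It would help future readers to make that invariant explicit in the new inline comment, e.g. `"pytest>=9.0.3", # CVE-2025-71176 (insecure tmpdir) patched in 9.0.3; locked version must also satisfy this floor`. The `testing = [` array this hunk edits opens before the hunk's first line.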
@@ -726,7 +726,7 @@ dev = [
     { name = "prompt-toolkit", specifier = ">=3.0.50" },
     { name = "psutil", specifier = ">=7.0.0" },
     { name = "pyperclip", specifier = ">=1.9.0" },
-    { name = "pytest", specifier = ">=9.0" },
+    { name = "pytest", specifier = ">=9.0.3" },
     { name = "stackscope", specifier = ">=0.2.2,<0.3" },
     { name = "typing-extensions", specifier = ">=4.14.1" },
     { name = "xonsh", specifier = ">=0.23.0" },
@@ -747,7 +747,7 @@ subints = [{ name = "msgspec", marker = "python_full_version >= '3.14'", specifi
 sync-pause = [{ name = "greenback", marker = "python_full_version == '3.13.*'", specifier = ">=1.2.1,<2" }]
 testing = [
     { name = "pexpect", specifier = ">=4.9.0,<5" },
-    { name = "pytest", specifier = ">=9.0" },
+    { name = "pytest", specifier = ">=9.0.3" },
 ]
 
 [[package]]