goodboy
/
tractor
1
0
Fork 2
Code Issues 5 Pull Requests 6 Packages Projects Releases Wiki Activity

Pin `pytest>=9.0.3` for CVE-2025-71176 floor 

Tighten the test-dep floor from `>=9.0` to `>=9.0.3` so a
fresh `uv` relock can't resolve back into the vulnerable
9.0.0–9.0.2 window; 9.0.3 is where upstream patched the
insecure-tmpdir advisory (CVE-2025-71176).

- annotate the constraint w/ the CVE id for future readers.
- update the existing bump-rationale comment to name the
  precise patched version.

(this commit-msg was generated in some part by [`claude-code`][claude-code-gh])
[claude-code-gh]: https://github.com/anthropics/claude-code
trionics_start_or_cancel
Gud Boi 2026-06-17 16:05:41 -04:00
parent 9f1a64fcf7
commit c5feeac4ce
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pyproject.toml
View File

@ -76,13 +76,13 @@ testing = [
# test suite # test suite
# TODO: maybe some of these layout choices? # TODO: maybe some of these layout choices?
# https://docs.pytest.org/en/8.0.x/explanation/goodpractices.html#choosing-a-test-layout-import-rules # https://docs.pytest.org/en/8.0.x/explanation/goodpractices.html#choosing-a-test-layout-import-rules
# bumped 8.3.5 → 9.0 per upstream security advisory + our # bumped 8.3.5 → 9.0.3 per upstream security advisory + our
# local-only reliance on the post-9.0 capture-machinery shape # local-only reliance on the post-9.0 capture-machinery shape
# (the `sys.__stderr__`-bypass print in # (the `sys.__stderr__`-bypass print in
# `tractor._testing.trace._do_capture_snapshot` works on 8.x # `tractor._testing.trace._do_capture_snapshot` works on 8.x
# too, but standardizing on 9.x here ensures `--show-capture` # too, but standardizing on 9.x here ensures `--show-capture`
# interactions stay predictable across dev installs). # interactions stay predictable across dev installs).
"pytest>=9.0", "pytest>=9.0.3", # CVE-2025-71176 (insecure tmpdir) patched in 9.0.3
"pexpect>=4.9.0,<5", "pexpect>=4.9.0,<5",
] ]
repl = [ repl = [

4
uv.lock
View File

@ -726,7 +726,7 @@ dev = [
{ name = "prompt-toolkit", specifier = ">=3.0.50" }, { name = "prompt-toolkit", specifier = ">=3.0.50" },
{ name = "psutil", specifier = ">=7.0.0" }, { name = "psutil", specifier = ">=7.0.0" },
{ name = "pyperclip", specifier = ">=1.9.0" }, { name = "pyperclip", specifier = ">=1.9.0" },
{ name = "pytest", specifier = ">=9.0" }, { name = "pytest", specifier = ">=9.0.3" },
{ name = "stackscope", specifier = ">=0.2.2,<0.3" }, { name = "stackscope", specifier = ">=0.2.2,<0.3" },
{ name = "typing-extensions", specifier = ">=4.14.1" }, { name = "typing-extensions", specifier = ">=4.14.1" },
{ name = "xonsh", specifier = ">=0.23.0" }, { name = "xonsh", specifier = ">=0.23.0" },
@ -747,7 +747,7 @@ subints = [{ name = "msgspec", marker = "python_full_version >= '3.14'", specifi
sync-pause = [{ name = "greenback", marker = "python_full_version == '3.13.*'", specifier = ">=1.2.1,<2" }] sync-pause = [{ name = "greenback", marker = "python_full_version == '3.13.*'", specifier = ">=1.2.1,<2" }]
testing = [ testing = [
{ name = "pexpect", specifier = ">=4.9.0,<5" }, { name = "pexpect", specifier = ">=4.9.0,<5" },
{ name = "pytest", specifier = ">=9.0" }, { name = "pytest", specifier = ">=9.0.3" },
] ]
[[package]] [[package]]