Skip to content

fix(deps): bump pytest 9.0.2 → 9.0.3 (GHSA-6w46-j5rx-g56g)#114

Open
bandrel wants to merge 1 commit into
mainfrom
fix/bump-pytest-9.0.3
Open

fix(deps): bump pytest 9.0.2 → 9.0.3 (GHSA-6w46-j5rx-g56g)#114
bandrel wants to merge 1 commit into
mainfrom
fix/bump-pytest-9.0.3

Conversation

@bandrel

@bandrel bandrel commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

What

Bumps the pinned dev/test dependency pytest from 9.0.29.0.3 in pyproject.toml, clearing the vulnerable tmpdir-handling advisory GHSA-6w46-j5rx-g56g (affects pytest < 9.0.3).

Why

Our root pyproject.toml pinned pytest==9.0.2 — exactly the vulnerable version. This is development scope only (the test runner); there is no runtime dependency change.

Notes on the Dependabot alert

  • The open alert (updates for json #1) is attributed to HashcatRosetta/requirements.txt (a git submodule), created 2026-05-05 and never updated. That submodule was already bumped to v0.2.0 in release 2.10.1 to drop its vulnerable transitive pytest, and its requirements.txt no longer contains pytest — so that specific alert is stale/already-remediated and can be dismissed as fixed.
  • This PR closes out the remaining real instance: our own pinned pytest==9.0.2.

Verification

  • uv lock resolves pytest 9.0.3 (note: uv.lock is gitignored in this repo, so the pin lives in pyproject.toml).
  • Full suite passes under 9.0.3: 904 passed, 24 skipped.
  • ruff check hate_crack clean.

Per the project's release cadence, this is a standalone patch release (2.10.7); a version-history entry is included in README.md.

🤖 Generated with Claude Code

The pinned dev/test dependency pytest==9.0.2 is affected by the
vulnerable tmpdir-handling advisory GHSA-6w46-j5rx-g56g (pytest < 9.0.3).
Bump the pin to 9.0.3 to clear it. Development scope only (test runner);
no runtime dependency change. Full test suite passes under 9.0.3.

The same advisory was previously cleared in the HashcatRosetta submodule
in 2.10.1; this closes it out for hate_crack's own pyproject.toml pin.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant