fix(deps): bump pytest 9.0.2 → 9.0.3 (GHSA-6w46-j5rx-g56g)#114
Open
bandrel wants to merge 1 commit into
Open
Conversation
The pinned dev/test dependency pytest==9.0.2 is affected by the vulnerable tmpdir-handling advisory GHSA-6w46-j5rx-g56g (pytest < 9.0.3). Bump the pin to 9.0.3 to clear it. Development scope only (test runner); no runtime dependency change. Full test suite passes under 9.0.3. The same advisory was previously cleared in the HashcatRosetta submodule in 2.10.1; this closes it out for hate_crack's own pyproject.toml pin. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bumps the pinned dev/test dependency pytest from
9.0.2→9.0.3inpyproject.toml, clearing the vulnerable tmpdir-handling advisory GHSA-6w46-j5rx-g56g (affects pytest< 9.0.3).Why
Our root
pyproject.tomlpinnedpytest==9.0.2— exactly the vulnerable version. This is development scope only (the test runner); there is no runtime dependency change.Notes on the Dependabot alert
HashcatRosetta/requirements.txt(a git submodule), created 2026-05-05 and never updated. That submodule was already bumped to v0.2.0 in release 2.10.1 to drop its vulnerable transitive pytest, and itsrequirements.txtno longer contains pytest — so that specific alert is stale/already-remediated and can be dismissed as fixed.pytest==9.0.2.Verification
uv lockresolvespytest 9.0.3(note:uv.lockis gitignored in this repo, so the pin lives inpyproject.toml).ruff check hate_crackclean.Per the project's release cadence, this is a standalone patch release (2.10.7); a version-history entry is included in
README.md.🤖 Generated with Claude Code