Commit 2d24c50
fix: keep pytest in requirements.txt on the CVE-fixed 9.0.3
The previous pytest-asyncio==0.23.7 capped pytest <9, so installing
from requirements.txt pulled the still-vulnerable pytest 8.4.2
(CVE-2025-71176). Pin pytest==9.0.3 explicitly and bump pytest-asyncio
to 0.23.3 (the latest in our constraint range that does NOT cap
pytest <9), matching poetry.lock. All 55 tests pass under the new
combination.
https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa1

parent b1c61e8
commit 2d24c50
1 file changed
Lines changed: 2 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
54 | 54 | | |
55 | 55 | | |
56 | 56 | | |
57 | | - | |
| 57 | + | |
| 58 | + | |