Skip to content

Commit 2d24c50

Browse files
committed
fix: keep pytest in requirements.txt on the CVE-fixed 9.0.3
The previous pytest-asyncio==0.23.7 capped pytest <9, so installing from requirements.txt pulled the still-vulnerable pytest 8.4.2 (CVE-2025-71176). Pin pytest==9.0.3 explicitly and bump pytest-asyncio to 0.23.3 (the latest in our constraint range that does NOT cap pytest <9), matching poetry.lock. All 55 tests pass under the new combination. https://claude.ai/code/session_01CSENfJ5u4nVLrpBqD8npqa
1 parent b1c61e8 commit 2d24c50

1 file changed

Lines changed: 2 additions & 1 deletion

File tree

requirements.txt

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,4 +54,5 @@ urllib3==2.6.2 ; python_version >= "3.10" and python_full_version < "3.13"
5454
websocket-client==1.7.0 ; python_version >= "3.10" and python_full_version < "3.13"
5555
zipp==3.20.2 ; python_version >= "3.10" and python_full_version < "3.13"
5656
# required for tests
57-
pytest-asyncio==0.23.7 ; python_version >= "3.10" and python_full_version < "3.13"
57+
pytest==9.0.3 ; python_version >= "3.10" and python_full_version < "3.13"
58+
pytest-asyncio==0.23.3 ; python_version >= "3.10" and python_full_version < "3.13"

0 commit comments

Comments
 (0)