Skip to content

fix(security): bump pytest >=9.0.3 in examples/python (ENG-14486)#151

Merged
KateZhang98 merged 1 commit intomainfrom
andriy/ENG-14486-fix-pytest-cve-2025-71176
Apr 15, 2026
Merged

fix(security): bump pytest >=9.0.3 in examples/python (ENG-14486)#151
KateZhang98 merged 1 commit intomainfrom
andriy/ENG-14486-fix-pytest-cve-2025-71176

Conversation

@andriy-sudo
Copy link
Copy Markdown
Contributor

@andriy-sudo andriy-sudo commented Apr 15, 2026

Vulnerability Fix

Package Old New Advisory CVSS Status
pytest 8.4.2 9.0.3 CVE-2025-71176 Medium ✅ Fixed

CVE-2025-71176 — pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Changes

  • Added pytest = ">=9.0.3" as an explicit dev dependency in examples/python/pyproject.toml
  • Bumped Python constraint from ^3.9^3.10: requests >= 2.33.0 already requires Python >=3.10 and pytest >= 9.0.3 also requires >=3.10, so Python 3.9 support was effectively already broken

Linear: ENG-14486

Changelog impact summary
Package Old New Classification Key changes
pytest 8.4.2 9.0.3 Patch/security CVE-2025-71176 fix only — tmp dir handling; no breaking API changes

@andriy-sudo @claude
fix(security): bump pytest >=9.0.3 in examples/python (ENG-14486)
c6ca743 
- pytest 8.4.2 → 9.0.3 (CVE-2025-71176 — local privilege escalation via /tmp/pytest-of-{user} directory)
- Bumped python constraint ^3.9 → ^3.10 (requests >=2.33.0 and pytest >=9.0.3 both require Python >=3.10; 3.9 support was already broken)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 15, 2026

Warning

Rate limit exceeded

@andriy-sudo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 59 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 0 minutes and 59 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 68c096b7-4dde-43f9-bb45-416b08c3c8a6

📥 Commits

Reviewing files that changed from the base of the PR and between 0706439 and c6ca743.

⛔ Files ignored due to path filters (1)
  • examples/python/poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • examples/python/pyproject.toml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch andriy/ENG-14486-fix-pytest-cve-2025-71176

Comment @coderabbitai help to get the list of available commands and usage tips.

@andriy-sudo andriy-sudo requested a review from KateZhang98 April 15, 2026 17:11
@KateZhang98 KateZhang98 merged commit d33b196 into main Apr 15, 2026
3 checks passed
@KateZhang98 KateZhang98 deleted the andriy/ENG-14486-fix-pytest-cve-2025-71176 branch April 15, 2026 19:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KateZhang98 KateZhang98 KateZhang98 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andriy-sudo @KateZhang98