fix(security): enable Dependabot pip updates + bump pytest to 9.0.3 (CVE-2025-71176)#8586

Merged: awesomenix merged 1 commit into main from djsly/fix-dependabot-pip-pam-pytest on May 26, 2026

Collaborator

@djsly djsly commented May 26, 2026

Why

GitHub Dependabot alert #43 flags CVE-2025-71176 (GHSA-6w46-j5rx-g56g, medium) in pytest used by vhdbuilder/packer/test/pam/requirements.txt. The alert has been open but no auto-PR was ever created.

Diagnosis turned up two compounding root causes:

  1. .github/dependabot.yml was missing a pip ecosystem entry. Only gomod and github-actions were declared. Dependabot's vulnerability scanner happily fires alerts for any manifest it discovers, but the version-update scanner only runs against ecosystems explicitly listed in the config — so no PR attempt was ever made for this manifest.
  2. The pin pytest>=7.3.1,<7.4.0 is too tight to widen. Even if we'd enabled pip, the default versioning-strategy: auto for pip won't push past an explicit upper bound. The fix lives in pytest 9.0.3, far outside <7.4.0.

What this PR does

.github/dependabot.yml

Adds a pip ecosystem block scoped to /vhdbuilder/packer/test/pam with versioning-strategy: increase, so future Python CVE bumps land automatically.

vhdbuilder/packer/test/pam/requirements.txt

| Package | Old | New | Why |
|---|---|---|---|
| pytest | `>=7.3.1,<7.4.0` | `>=9.0.3,<10.0` | Closes CVE-2025-71176 (predictable tmpdir name → local DoS) |
| pytest-rerunfailures | `>=14.0,<15.0` | `>=16.0,<17.0` | Required for pytest 9.x (rerunfailures 16.3 → `pytest>=8.1,!=8.2.2`) |
| pexpect | `>=4.8.0,<4.9.0` | `>=4.9.0,<5.0` | Drop-in patch bump, no API changes consumed by test_pam.py |

Compatibility analysis

The only consumer of these requirements is the testPam function in vhdbuilder/packer/test/linux-vhd-content-test.sh:1610-1640, which runs pip3 install -r requirements.txt on Mariner / AzureLinux VHD builds only (other OSes skip).

| Distro | Default python3 | pytest 9.0.3 requires ≥3.10 | Currently building VHDs? |
|---|---|---|---|
| Ubuntu 22.04 / 24.04 | n/a (testPam skips) | n/a | yes — but testPam is skipped |
| MarinerV2 / AzureLinuxV2 | 3.9 | ❌ no | no — frozen at 202512.06.0 via FrozenCBLMarinerV2AndAzureLinuxV2SIGImageVersion (pkg/agent/datamodel/sig_config.go:387) |
| AzureLinux V3 (incl. Kata, FIPS, OSGuard, ARM, CVM, TL) | 3.12 | ✅ yes | yes |

So in practice the bump only needs to work on AzureLinux V3 (Python 3.12), which it does.

Verification

  • pip ecosystem entry follows the existing gomod / github-actions schema (same time, same cleanup + dependabot labels).
  • conftest.py in the test dir uses only stable pytest hooks (pytest_configure, pytest_addoption), no API breakage 7.x → 9.x.
  • testPam already has --reruns 5 resilience for transient flakes.

Out of scope

  • No application code changes.
  • No changes to testPam invocation logic.

🤖 Generated by GitHub Copilot

Two compounding root causes prevented Dependabot from auto-creating a PR
for the pytest CVE alert on vhdbuilder/packer/test/pam/requirements.txt:

1. .github/dependabot.yml only declared 'gomod' and 'github-actions'
   ecosystems — no 'pip' entry, so version-update scanning never ran
   against the PAM test manifest (vulnerability scanning still fires
   security alerts independently, which is why we saw the alert but no
   PR).

2. The pin 'pytest>=7.3.1,<7.4.0' is narrower than Dependabot's default
   'auto' strategy can widen, so even with the ecosystem enabled, the
   bump to 9.0.3 would have been blocked.

Changes:

- .github/dependabot.yml: add 'pip' ecosystem covering
  /vhdbuilder/packer/test/pam with 'versioning-strategy: increase' so
  upper-bound bumps land automatically going forward.
- vhdbuilder/packer/test/pam/requirements.txt: bump pytest to
  >=9.0.3,<10.0 (CVE-2025-71176 / GHSA-6w46-j5rx-g56g — pytest tmpdir
  predictable-name issue, fixed in 9.0.3), pytest-rerunfailures to
  >=16.0,<17.0 (required for pytest 9.x), and pexpect to >=4.9.0,<5.0.

Compatibility:

- testPam (vhdbuilder/packer/test/linux-vhd-content-test.sh) runs
  pip3 install on Mariner/AzureLinux only. MarinerV2/AzureLinuxV2 SIG
  images are frozen at 202512.06.0 (sig_config.go:387), so no new VHD
  builds run testPam against Python 3.9. AzureLinux V3 ships Python
  3.12, which satisfies pytest 9.0.3's >=3.10 floor.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
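As an added example (not code from this PR or the project), the Python below parses the old and new pins quoted above and checks whether the patched pytest 9.0.3 fits under each, which is the check that explains why Dependabot's default strategy could not widen `<7.4.0`. The sample requirements and the `pytest>=8.1,!=8.2.2` floor of rerunfailures 16.3 are constructed from the values in the description; the small version parser is an assumption that only handles numeric release segments, not pre-release tags.

```python
import re

# Constructed samples taken from the pins quoted in the PR description.
OLD_REQUIREMENTS = """\
pytest>=7.3.1,<7.4.0
pytest-rerunfailures>=14.0,<15.0
pexpect>=4.8.0,<4.9.0
"""
NEW_REQUIREMENTS = """\
pytest>=9.0.3,<10.0
pytest-rerunfailures>=16.0,<17.0
pexpect>=4.9.0,<5.0
"""

def parse_version(v):
    # Numeric release segment only, e.g. "9.0.3" -> (9, 0, 3); no pre-release tags.
    return tuple(int(p) for p in v.split("."))

def _cmp(a, b):
    # Zero-pad the shorter tuple so that 4.9 == 4.9.0, as PEP 440 requires.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

_OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
        "!=": lambda c: c != 0, ">": lambda c: c > 0, "<": lambda c: c < 0}

def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[m.group(1)](_cmp(v, parse_version(m.group(2)))):
            return False
    return True

def parse_requirements(text):
    """Map package name -> specifier for simple `name<specifier>` lines."""
    reqs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, spec = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*(.*)", line).groups()
            reqs[name] = spec
    return reqs

def blocked_fixes(requirements_text, fixes):
    """Packages whose pin excludes the patched version given in `fixes`."""
    reqs = parse_requirements(requirements_text)
    return {p: reqs[p] for p, fixed in fixes.items()
            if p in reqs and not satisfies(fixed, reqs[p])}

if __name__ == "__main__":
    for label, text in (("old", OLD_REQUIREMENTS), ("new", NEW_REQUIREMENTS)):
        print(label, "pins blocking pytest 9.0.3:", blocked_fixes(text, {"pytest": "9.0.3"}))
```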
Contributor

Copilot AI left a comment


Pull request overview

Adds a pip ecosystem entry to Dependabot so Python dependencies are auto-updated, and bumps pytest to 9.0.3 (with companion bumps to pytest-rerunfailures and pexpect) to close CVE-2025-71176 in the PAM test harness used during Mariner/AzureLinux VHD builds.

Changes:

  • Enable pip ecosystem updates for /vhdbuilder/packer/test/pam with versioning-strategy: increase.
  • Bump pytest from >=7.3.1,<7.4.0 to >=9.0.3,<10.0 to remediate CVE-2025-71176.
  • Bump pytest-rerunfailures (>=16.0,<17.0) and pexpect (>=4.9.0,<5.0) to remain compatible with pytest 9.x.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| .github/dependabot.yml | Adds a pip ecosystem block for the PAM test requirements so future Python CVE bumps are auto-PR'd. |
| vhdbuilder/packer/test/pam/requirements.txt | Upgrades pytest to the CVE-fixed line and adjusts companion packages for compatibility. |

@awesomenix awesomenix merged commit c9f09c2 into main May 26, 2026
27 of 33 checks passed
@awesomenix awesomenix deleted the djsly/fix-dependabot-pip-pam-pytest branch May 26, 2026 18:43
