Bump the python-dependencies group with 2 updates

[dependabot]

Bumps the python-dependencies group with 2 updates: pytest and nox.

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates nox from 2026.2.9 to 2026.4.10

Release notes

Sourced from nox's releases.

2026.04.10 🧹

This release drops Python 3.8 and adds a --usage command for full docstrings. Our .nox dir is now ignored by default, virtualenvs are recreated if symlinks are broken (such as after a Python upgrade), and -t now selects from all available sessions.

We'd like to thank the following folks who contributed to this release:

• @​henryiii
• @​agriyakhetarpal
• @​scop

Features:

• Drop Python 3.8 (reapply #1004) by @​henryiii in wntrblm/nox#1062
• Add a nox --usage <session> command to print full docstrings for provided sessions by @​agriyakhetarpal in wntrblm/nox#1064
• Write out .gitignore/CACHEDIR.TAG to .nox dir by @​henryiii in wntrblm/nox#1072

Fixes:

• Recreate venv if broken symlinks are present by @​henryiii in wntrblm/nox#1078
• Ignore default selection for tags and keywords by @​henryiii in wntrblm/nox#1057
• More uv variables set by @​henryiii in wntrblm/nox#1056
• Ignore forcecolor falsy by @​henryiii in wntrblm/nox#1073
• Fully pin actions in composite action by @​henryiii in wntrblm/nox#1080

Internal changes:

• Pin CI to working conda version by @​henryiii in wntrblm/nox#1079
• Use prek by @​agriyakhetarpal in wntrblm/nox#1065
• Switch artifact attestations to actions/attest by @​scop in wntrblm/nox#1070
• Use zizmor by @​henryiii in wntrblm/nox#1082

Full Changelog: wntrblm/nox@2026.02.09...2026.04.10

Changelog

Sourced from nox's changelog.

Changelog

2026.04.10

This release drops Python 3.8 and adds a --usage command for full docstrings. Our .nox dir is now ignored by default, virtualenvs are recreated if symlinks are broken (such as after a Python upgrade), and -t now selects from all available sessions.

We'd like to thank the following folks who contributed to this release:

• @​henryiii
• @​agriyakhetarpal
• @​scop

Features:

• Drop Python 3.8 (reapply #1004) by @​henryiii in wntrblm/nox#1062
• Add a nox --usage <session> command to print full docstrings for provided sessions by @​agriyakhetarpal in wntrblm/nox#1064
• Write out .gitignore/CACHEDIR.TAG to .nox dir by @​henryiii in wntrblm/nox#1072

Fixes:

• Recreate venv if broken symlinks are present by @​henryiii in wntrblm/nox#1078
• Ignore default selection for tags and keywords by @​henryiii in wntrblm/nox#1057
• More uv variables set by @​henryiii in wntrblm/nox#1056
• Ignore forcecolor falsy by @​henryiii in wntrblm/nox#1073
• Fully pin actions in composite action by @​henryiii in wntrblm/nox#1080

Internal changes:

• Pin CI to working conda version by @​henryiii in wntrblm/nox#1079
• Use prek by @​agriyakhetarpal in wntrblm/nox#1065
• Switch artifact attestations to actions/attest by @​scop in wntrblm/nox#1070
• Use zizmor by @​henryiii in wntrblm/nox#1082

2026.02.09

This small release supports uv 0.10's new requirement that --clear be passed to clear an environment. Python 3.8 support was temporarily re-added since uv 0.10 still supports 3.8, so nox on 3.8 was affected.

We'd like to thank the following folks who contributed to this release:

• @​henryiii
• @​kai687 (first contribution)
• @​wu-zhao-min (first contribution)

... (truncated)

Commits

• 97e345e docs: add thanks section (#1083)
• 8d5c759 chore: prepare for 2026.04.10 (#1081)
• 2577f31 ci: add zizmor (#1082)
• b6a6156 fix: fully pin actions in composite action (#1080)
• 4c7a215 fix: write out .gitignore/CACHEDIR.TAG to our dir (#1072)
• 47cb9c3 fix: ignore default selection for tags and keywords (#1057)
• 63dcab9 fix: more uv variables set (#1056)
• e0f64e6 fix: recreate if broken symlinks are present (#1078)
• bf90952 tests: pin to working conda version (#1079)
• 4ff681f fix: ignore forcecolor falsy (#1073)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions