Security: Pytest upgrade#762

Merged: AkhileshNegi merged 3 commits into main from security/pytest-upgrade on Apr 15, 2026
Conversation

@AkhileshNegi (Collaborator) commented Apr 15, 2026

Summary

Upgraded pytest 7.4.4 → 9.0.3 and pytest-asyncio 0.23.8 → 1.3.0 to patch a known pytest CVE; moved pytest out of main dependencies into dev-only.


coderabbitai Bot commented Apr 15, 2026

Walkthrough

Updated test dependencies in backend configuration by bumping pytest to version 9.0.3+ and pytest-asyncio to 1.0.0+, while removing pytest from main dependencies. Added coverage.xml to gitignore to exclude test coverage artifacts.

Changes

Cohort / File(s) | Summary
Build and Test Configuration (backend/.gitignore) | Added coverage.xml to ignore list alongside existing coverage artifacts.
Backend Dependencies (backend/pyproject.toml) | Removed pytest from main dependencies; upgraded pytest to >=9.0.3 (from <8.0.0,>=7.4.3) and pytest-asyncio to >=1.0.0 (from >=0.23.8) in dev dependencies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

dependencies, ready-for-review

Suggested reviewers

  • Prajna1999
  • kartpop

Poem

🐰 A rabbit hops through coverage files so bright,
Pytest versions bouncing to the right,
Gitignore whispers: "Hide these traces clean,"
Dependencies dance—the freshest seen! 📦✨

Pre-merge checks: 3 passed

Title check: Passed. The title clearly and specifically identifies the main change: upgrading pytest to address a security concern, which matches the primary objective of the pull request.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.

@AkhileshNegi AkhileshNegi marked this pull request as ready for review April 15, 2026 04:23

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
backend/pyproject.toml (1)

59-65: Tighten test dependency ranges to enforce explicit version floors and bounds.

Lines 59 and 65 use unbounded constraints (>=...). The lock file confirms pytest-asyncio 1.3.0 is resolved, but the constraint allows any version ≥1.0.0. Add upper bounds on majors for pytest and pytest-asyncio to match the pattern used elsewhere in the file and prevent unexpected breakage.

Proposed update
-    "pytest>=9.0.3",
+    "pytest>=9.0.3,<10.0.0",
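Review bot: the `<10.0.0` cap restores the bounded pattern of the previous constraint `<8.0.0,>=7.4.3` that this PR dropped, but it does not by itself cover the jump the PR summary records (pytest 7.4.4 to 9.0.3 crosses two major versions); the PR description should state that the test suite was run under pytest 9 (the merge shows 2 checks passed) so that the new floor is known to be exercised, not just bounded.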
@@
-    "pytest-asyncio>=1.0.0",
+    "pytest-asyncio>=1.3.0,<2.0.0",
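Review bot: this line raises the floor from `>=1.0.0` to `>=1.3.0` in addition to adding the `<2.0.0` cap, which goes beyond the stated aim of adding upper bounds; the comment justifies 1.3.0 by the resolved lockfile version, but a floor change is a separate decision and should be named in the PR summary, which currently only records the upgrade from 0.23.8 to 1.3.0.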
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@backend/pyproject.toml` around lines 59 - 65, The pytest and pytest-asyncio
entries currently lack upper bounds; update the dependency specifications in
pyproject.toml so they match the project's existing pattern (explicit lower and
upper major bounds). Replace "pytest>=9.0.3" with "pytest<10.0.0,>=9.0.3" and
replace "pytest-asyncio>=1.0.0" with a bounded range such as
"pytest-asyncio<2.0.0,>=1.3.0" (use 1.3.0 as the floor per the lockfile) to
prevent unbounded upgrades.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 03a11781-5a5c-414e-bf05-f9ab13d69d93

📥 Commits

Reviewing files that changed from the base of the PR and between 34ae8e3 and 5295b96.

⛔ Files ignored due to path filters (1)
  • backend/uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • backend/.gitignore
  • backend/pyproject.toml
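The nitpick above is about dev dependencies whose version specifiers have no upper bound. As an added example (not code from the PR or the project), this small checker parses requirement strings of the kind the PR's pyproject.toml uses and reports the entries that would accept every future release; the `example-pkg` entry is a constructed placeholder, and extras and environment markers are out of scope.

```python
"""Flag dependency specifiers that have no upper bound.

Added example, not part of the PR or the project's own code. It inspects
PEP 440 requirement strings of the kind the PR's pyproject.toml uses
(name plus comma-separated version clauses) and reports those that would
accept every future release, which is the gap the review comment raised.
"""
import re

# One clause such as ">=9.0.3" or "<10.0.0". "==", "===" and "~=" cap the
# accepted versions too, so they count as upper bounds; "!=" does not.
_CLAUSE = re.compile(r"^(===|~=|==|!=|<=|>=|<|>)\s*([A-Za-z0-9.*+!-]+)$")
_UPPER_OPS = {"<", "<=", "==", "===", "~="}


def split_requirement(req: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (name, [(operator, version), ...]); no extras or markers."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", req)
    if not m:
        raise ValueError(f"not a requirement: {req!r}")
    name, spec = m.group(1), m.group(2).strip()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        cm = _CLAUSE.match(part)
        if not cm:
            raise ValueError(f"bad version clause {part!r} in {req!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def has_upper_bound(req: str) -> bool:
    """True if at least one clause caps the versions the requirement accepts."""
    _, clauses = split_requirement(req)
    return any(op in _UPPER_OPS for op, _ in clauses)


def unbounded(reqs: list[str]) -> list[str]:
    """Names of the requirements that accept arbitrarily new releases."""
    return [split_requirement(r)[0] for r in reqs if not has_upper_bound(r)]


# Constructed sample: the two dev entries as merged in the PR, beside the
# bounded form the review comment proposed. "example-pkg" is a placeholder.
MERGED = ["pytest>=9.0.3", "pytest-asyncio>=1.0.0", "example-pkg~=1.4"]
PROPOSED = ["pytest>=9.0.3,<10.0.0", "pytest-asyncio>=1.3.0,<2.0.0"]
```

Running `unbounded(MERGED)` reports `pytest` and `pytest-asyncio` while `unbounded(PROPOSED)` is empty, which is the condition the review comment asks the maintainers to reach.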


codecov Bot commented Apr 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@AkhileshNegi AkhileshNegi merged commit 5ab379e into main Apr 15, 2026
2 checks passed
@AkhileshNegi AkhileshNegi deleted the security/pytest-upgrade branch April 15, 2026 04:31