Bump pytest from 5.3.5 to 9.0.3

[dependabot]

Bumps pytest from 5.3.5 to 9.0.3.

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[sonar-review-alpha]

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This is a major version upgrade of pytest from 5.3.5 (2019) to 9.0.3 (April 2026). The single-line change in requirements-dev.txt updates the test framework used in CI.

The project is a simple GitHub Action that splits strings. The test suite in test_main.py consists of unit tests using pytest's parametrize decorators and basic assertions. A quick check of the existing tests shows they should remain compatible with pytest 9.0.3—no custom fixtures or advanced pytest features are in use that would be affected by the major version jump.

Notable improvements in pytest 9.0.3 include fixes for a security vulnerability (CVE-2025-71176 in temporary directory handling), better error messages for plugin loading issues, and various bug fixes across the test framework.

What reviewers should know

What to check:

• Run the tests locally with the new version to ensure they still pass (CI will validate this via the unit test job at line 30-33 of .github/workflows/ci.yml)
• Note that pytest 9.0.2 had a breaking change where terminal progress reporting was disabled by default due to compatibility issues—this was reverted in 9.0.3 but worth knowing if you see any output changes
• The CVE fix in 9.0.3 relates to temporary directory security, which shouldn't affect this codebase but is good to have

Where to focus:

• The actual test code in test_main.py uses straightforward pytest patterns (parametrize, raises, assertions) that are well-supported across pytest versions
• No custom pytest plugins or configuration—the tests just run via pytest with no special options

No compatibility concerns: The codebase doesn't use any advanced pytest internals or configurations that typically break between major versions.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pytest@​5.3.5 ⏵ 9.0.3	-9	+2

View full report

[sonar-review-alpha]

LGTM! ✅

Clean dependency bump with no logic changes. The test suite uses only stable pytest primitives (parametrize, raises, class grouping) that are fully compatible across this version range. No issues found.

🗣️ Give feedback

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit dc0d001. Configure here.}

[cursor]

pytest 9.0.3 incompatible with Python 3.8 CI environment

High Severity

pytest==9.0.3 requires Python >= 3.10, but the CI workflow in ci.yml sets up python-version: 3.8 for the unit test job. This will cause pip install -r requirements-dev.txt to fail, completely breaking the test pipeline. The Dockerfile also uses python:3.8.2-slim-buster.

 

^{Reviewed by Cursor Bugbot for commit dc0d001. Configure here.}