chore(deps-dev): bump pytest from 8.4.2 to 9.0.3#3110
Conversation
Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.4.2 to 9.0.3. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@8.4.2...9.0.3) --- updated-dependencies: - dependency-name: pytest dependency-version: 9.0.3 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
LGTM — standard Dependabot dev-dependency bump of pytest 8.4.2 → 9.0.3 in uv.lock only.
What was reviewed:
- Verified the diff touches only the
pytestentry inuv.lock; sdist/wheel URLs and hashes follow the normal PyPI pattern and the dependency list is unchanged. - Checked
pyproject.toml— the existingpytest>=8.4.0constraint already permits 9.x, so no manifest edit was required and no floor was raised. - Noted this is a major-version bump of the test framework, but it is dev-only: any behavioral breakage (e.g. pytest 9 changes interacting with
filterwarnings = ["error"]) would surface directly in CI's full 3.10–3.14 matrix rather than in shipped code.
Extended reasoning...
Overview
This PR is a Dependabot-generated bump of the pytest dev dependency from 8.4.2 to 9.0.3, touching only uv.lock. The lockfile change is the standard shape for a single-package update: version, sdist, and wheel entries replaced with new PyPI URLs, sha256 hashes, and upload timestamps; pytest's own dependency list (colorama, exceptiongroup, iniconfig, etc.) is unchanged.
Security risks
None specific to this repo's code. The update actually pulls in an upstream security fix (CVE-2025-71176, insecure temporary directory use in pytest). The artifact URLs point at files.pythonhosted.org with pinned hashes, so there is no supply-chain concern beyond trusting PyPI itself, which is the status quo.
Level of scrutiny
Low. pytest is a development-only dependency (dependency-type: direct:development per Dependabot metadata) — it never ships in the mcp wheel and cannot affect runtime users. The one notable aspect is that 8 → 9 is a major version bump of the test framework, which could break test collection or warning behavior (the repo runs with filterwarnings = ["error"]). However, that failure mode is fully gated: CI runs the complete suite with 100% coverage enforcement across Python 3.10–3.14 on Ubuntu and Windows, so any incompatibility fails visibly in CI rather than silently. The pyproject.toml constraint pytest>=8.4.0 already allows 9.x, so no manifest or floor change was needed, consistent with the repo's dependency policy.
Other factors
The bug hunting system found no issues, and there are no reviewer comments or prior reviews on the PR. There is nothing here for a human to weigh in on beyond what CI already validates mechanically.
Bumps pytest from 8.4.2 to 9.0.3.
Release notes
Sourced from pytest's releases.
... (truncated)
Commits
a7d58d7Prepare release version 9.0.3089d981Merge pull request #14366 from bluetech/revert-14193-backport8127eafRevert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"99a7e60Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...ddee02aMerge pull request #14343 from bluetech/cve-2025-71176-simple74eac69doc: Update training info (#14298) (#14301)f92dee7Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...7ee58acMerge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...37da870Merge pull request #14259 from mitre88/patch-4 (#14268)c34bfa3Add explanation for string context diffs (#14257) (#14266)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.