
chore(deps): pin dependency pytest to ==8.1.1 [security] - autoclosed #28

Closed
khepri-bot[bot] wants to merge 1 commit into main from renovate/pypi-pytest-vulnerability

Conversation


@khepri-bot khepri-bot Bot commented May 6, 2026

This PR contains the following updates:

Package             Type                        Update   Change
pytest (changelog)  tool.pdm.dev-dependencies   pin      ~=8.1.1 -> ==8.1.1

pytest has vulnerable tmpdir handling

CVE-2025-71176 / GHSA-6w46-j5rx-g56g

More information

Details

pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@khepri-bot khepri-bot Bot added the renovate label May 6, 2026

khepri-bot Bot commented May 6, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pdm.lock
Command failed: pdm update --no-sync --update-eager -dG test pytest
DEPRECATED: `cross_platform` strategy is deprecated in favor of the new lock targets.
See docs: http://pdm-project.org/en/latest/usage/lock-targets/
/opt/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/resolver/providers.py:238: PackageWarning: Skipping pytest@9.0.3 because it requires Python>=3.10 but the lock targets to work with Python>=3.9. Instead, another version of pytest that supports Python>=3.9 will be used.
If you want to install pytest@9.0.3, narrow down the `requires-python` range to include this version. For example, ">=3.10" should work.
  found = self.repository.find_candidates(
/opt/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/resolver/providers.py:238: PackageWarning: Skipping iniconfig@2.3.0 because it requires Python>=3.10 but the lock targets to work with Python>=3.9. Instead, another version of iniconfig that supports Python>=3.9 will be used.
If you want to install iniconfig@2.3.0, narrow down the `requires-python` range to include this version. For example, ">=3.10" should work.
  found = self.repository.find_candidates(
/opt/pipx/venvs/pdm/lib/python3.12/site-packages/pdm/resolver/providers.py:238: PackageWarning: Skipping iniconfig@2.2.0 because it requires Python>=3.10 but the lock targets to work with Python>=3.9. Instead, another version of iniconfig that supports Python>=3.9 will be used.
If you want to install iniconfig@2.2.0, narrow down the `requires-python` range to include this version. For example, ">=3.10" should work.
  found = self.repository.find_candidates(
ERROR: Unable to find a resolution because the following dependencies don't work on all Python versions in the range of the project's `requires-python`: >=3.9.
  python>=3.10 (from <Candidate pytest@9.0.3 from https://pypi.org/simple/pytest/>)
A possible solution is to change the value of `requires-python` in pyproject.toml to >=3.10.
See /home/runner/.local/state/pdm/log/pdm-lock-x9ckqdcz.log for detailed debug log.
[ResolutionError]: Unable to find a resolution
WARNING: Add '-v' to see the detailed traceback

@khepri-bot khepri-bot Bot changed the title chore(deps): update dependency pytest to v9 [security] chore(deps): update dependency pytest to v9 [security] - autoclosed May 6, 2026
@khepri-bot khepri-bot Bot closed this May 6, 2026
@khepri-bot khepri-bot Bot deleted the renovate/pypi-pytest-vulnerability branch May 6, 2026 19:46
@khepri-bot khepri-bot Bot changed the title chore(deps): update dependency pytest to v9 [security] - autoclosed chore(deps): pin dependency pytest to ==8.1.1 [security] May 12, 2026
@khepri-bot khepri-bot Bot reopened this May 12, 2026
@khepri-bot khepri-bot Bot force-pushed the renovate/pypi-pytest-vulnerability branch 2 times, most recently from 706a634 to acf5d85 May 12, 2026 22:13
@khepri-bot khepri-bot Bot changed the title chore(deps): pin dependency pytest to ==8.1.1 [security] chore(deps): pin dependency pytest to ==8.1.1 [security] - autoclosed May 14, 2026
@khepri-bot khepri-bot Bot closed this May 14, 2026