Skip to content

ROB-566 Fix CVE-2025-71176 by upgrading pytest and related dependencies#537

Merged
Avi-Robusta merged 2 commits into
mainfrom
claude/pip-pytest-cve-2025-71176-06tnuw
Jul 9, 2026
Merged

ROB-566 Fix CVE-2025-71176 by upgrading pytest and related dependencies#537
Avi-Robusta merged 2 commits into
mainfrom
claude/pip-pytest-cve-2025-71176-06tnuw

Conversation

@moshemorad

Copy link
Copy Markdown
Contributor

Summary

This PR addresses CVE-2025-71176 by upgrading pytest to version 9.0.3 or later and updating related dependencies to compatible versions.

Key Changes

  • pytest: Upgraded from ^7.2.2 to ^9.0.3 to fix the CVE vulnerability
  • pytest-asyncio: Updated from >=0.21,<0.24 to ^1.3 for compatibility with pytest 9.x
  • typing-extensions: Relaxed constraint from 4.6.0 to >=4.12.0,<5 to satisfy pytest-asyncio >=1.3 requirements

Notable Details

  • The typing-extensions version constraint was updated to a range rather than a pinned version to allow flexibility while maintaining compatibility with pytest-asyncio >=1.3, which requires typing-extensions >=4.12
  • Added clarifying comments in pyproject.toml explaining the CVE fix and dependency relationships
  • Lock file was regenerated to reflect the new dependency versions

https://claude.ai/code/session_01TjjSMyvjymxtXMYFQ1NKbu

claude added 2 commits July 9, 2026 10:36
Bump pytest ^7.2.2 -> ^9.0.3 (CVE-2025-71176, medium severity, fixed
in 9.0.3; locked at 9.1.1). This required pytest-asyncio ^1.3 (older
versions cap pytest below 9) which in turn needs typing-extensions
>=4.12, so the stale typing-extensions 4.6.0 pin is relaxed to
>=4.12,<5. requirements.txt updated to match. All 55 tests pass.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TjjSMyvjymxtXMYFQ1NKbu
Keep the lock-version 2.0 format instead of 2.1 to minimize the diff
and stay readable by older Poetry versions. Resolved versions are
unchanged (pytest 9.1.1, pytest-asyncio 1.4.0, typing-extensions
4.16.0). All 55 tests still pass.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TjjSMyvjymxtXMYFQ1NKbu
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Dependency version constraints were updated across pyproject.toml and requirements.txt: typing-extensions, pytest, and pytest-asyncio were bumped to newer versions to address CVE-related issues, with inline comments documenting the rationale.

Changes

Dependency Updates

Layer / File(s) Summary
pyproject.toml constraint updates
pyproject.toml
typing-extensions widened to >=4.12.0,<5; dev dependencies pytest bumped to ^9.0.3 and pytest-asyncio to ^1.3, with added comments referencing CVE fixes.
requirements.txt pinned bumps
requirements.txt
typing-extensions pinned version bumped from 4.6.0 to 4.16.0, and pytest-asyncio bumped from 0.23.7 to 1.4.0.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Suggested reviewers: Avi-Robusta

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly states the CVE fix and the dependency upgrades driving the change.
Description check ✅ Passed The description matches the dependency updates and CVE fix reflected in the changeset.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/pip-pytest-cve-2025-71176-06tnuw

Comment @coderabbitai help to get the list of available commands.

@moshemorad moshemorad changed the title Fix CVE-2025-71176 by upgrading pytest and related dependencies ROB-566 Fix CVE-2025-71176 by upgrading pytest and related dependencies Jul 9, 2026
@Avi-Robusta
Avi-Robusta merged commit c4f5c80 into main Jul 9, 2026
3 checks passed
@Avi-Robusta
Avi-Robusta deleted the claude/pip-pytest-cve-2025-71176-06tnuw branch July 9, 2026 11:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants