Bump pytest from 7.2.0 to 9.0.3 in /.ci/docker #18846

Closed
dependabot[bot] wants to merge 2 commits into main from dependabot/pip/dot-ci/docker/pytest-9.0.3

Contributor

@dependabot dependabot Bot commented on behalf of github Apr 13, 2026

Bumps pytest from 7.2.0 to 9.0.3.

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function.
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics are visible on the web interface.

    -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

  • #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

    You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

    Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

  • #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

  • #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.2.0 to 9.0.3.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@7.2.0...9.0.3)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and python labels Apr 13, 2026

pytorch-bot Bot commented Apr 13, 2026

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18846

Note: Links to docs will display an error until the docs builds have been completed.

❗ 1 Active SEVs

There are 1 currently active SEVs. If your PR is affected, please view them below:

✅ You can merge normally! (2 Unrelated Failures)

As of commit 2c0d383 with merge base 3779b02 (image):

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

This comment was automatically generated by Dr. CI and updates every 15 minutes.

meta-cla Bot added the CLA Signed label Apr 13, 2026
@github-actions

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.


Copilot AI left a comment

Pull request overview

Updates the CI Docker Python test dependency set by bumping pytest to a newer release in the container requirements used for CI images under .ci/docker.

Changes:

  • Bump pytest from 7.2.0 to 9.0.3 in .ci/docker/requirements-ci.txt.

@psiddh psiddh self-requested a review April 23, 2026 01:08
@kirklandsign
Contributor

@claude is this still true


claude Bot commented Apr 24, 2026

Claude finished @kirklandsign's task in 1m 39s —— View job


CI Status Check

  • Check current CI status for this PR
  • Verify the PR change is correct
  • Provide summary

Yes, the pytorch-bot's assessment is still accurate - this PR is safe to merge.

Current CI status (15 workflow runs):

  • 14 passed (Lint, Build Presets, Build documentation, docker-builds, Cadence, Vulkan, QNN, ARM, XNNPACK, CoreML, Labeler, Check Labels, periodic, PR Bump pytest from 7.2.0 to 9.0.3 in /.ci/docker #18846)
  • 1 cancelled (pull workflow) - this is the one that contained the 2 Windows jobs (windows-job under unittest and unittest-editable) that were previously reported as "BROKEN TRUNK" failures. These were pre-existing failures on the merge base commit (3779b02) and are unrelated to this PR's change.
  • 0 currently failing

The change itself is a single-line bump in .ci/docker/requirements-ci.txt:12 from pytest==7.2.0 to pytest==9.0.3. This is a security update that includes a fix for CVE-2025-71176 (insecure temporary directory). All Linux CI jobs that ran with this version passed successfully.
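
An added example, not part of this PR or the executorch repository: a small CI gate that reports when a requirements file pins pytest below 9.0.3, the release the notes above list as fixing CVE-2025-71176. The `FLOORS` map, the function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Floor taken from the release notes above: 9.0.3 is the pytest release
# listed as fixing CVE-2025-71176. Extend the map as other advisories land.
FLOORS = {"pytest": (9, 0, 3)}

REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
EXACT = re.compile(r"^==\s*(\d+(?:\.\d+)*)$")


def normalize(name):
    """PEP 503 normalization, so 'PyTest' and 'pytest' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit(text, floors=FLOORS):
    """Return (line_number, package, problem) for every floor violation."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments and environment markers before parsing.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        m = REQ.match(line)
        if not m or normalize(m.group(1)) not in floors:
            continue
        name, spec = normalize(m.group(1)), m.group(2).strip()
        floor = floors[name]
        pin = EXACT.match(spec)
        if not pin:
            # Ranges, pre-releases and bare names cannot be proven safe here.
            findings.append((lineno, name, f"not an exact release pin: {spec or '(none)'}"))
            continue
        version = tuple(int(p) for p in pin.group(1).split("."))
        width = max(len(version), len(floor))
        padded = version + (0,) * (width - len(version))
        if padded < floor + (0,) * (width - len(floor)):
            want = ".".join(map(str, floor))
            findings.append((lineno, name, f"{pin.group(1)} is below {want}"))
    return findings


# Constructed sample files: the pin before and after the bump in this PR.
BEFORE = "hypothesis==6.84.2\npytest==7.2.0  # test runner\npytest-cov==4.1.0\n"
AFTER = BEFORE.replace("pytest==7.2.0", "pytest==9.0.3")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "ok")
```

Run against the real file, a non-empty result from `audit()` is the signal to fail the job; `pytest-cov` is deliberately not matched by the `pytest` floor because names are compared after normalization, not by prefix.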

@kirklandsign
Contributor

@claude do we need to bump pytest-cov==4.1.0 hypothesis==6.84.2 as well


claude Bot commented Apr 27, 2026

Claude finished @kirklandsign's task in 1m 51s —— View job


  • Check current versions of pytest-cov and hypothesis in requirements-ci.txt
  • Check latest available versions
  • Provide recommendation

Recommendation

Yes, it would be worth bumping both in a follow-up PR (or in this one). The current pins are quite dated:

| Package | Current | Latest (approx) | Notes |
|---|---|---|---|
| pytest-cov | 4.1.0 (mid-2023) | 6.x | 5.0+ improved internals for newer pytest; 6.x fully supports pytest 9 |
| hypothesis | 6.84.2 | 6.130+ | Releases very frequently; no tight pytest coupling, but newer versions have bug fixes and performance improvements |

Both are compatible with pytest 9.0.3 at their latest versions. Since this PR is a Dependabot security bump (CVE-2025-71176), it's fine to merge as-is and bump the other two separately — or they can be added here if you'd prefer to keep them in sync.

Neither pytest-cov nor hypothesis have known CVEs driving urgency, so this is more of a "while we're here" housekeeping opportunity.


@kirklandsign
Contributor

@claude can you send a new PR


claude Bot commented Apr 27, 2026

Claude finished @kirklandsign's task in 4m 34s —— View job


Creating a new PR to bump pytest-cov and hypothesis

Unfortunately, I'm unable to create a new PR from this CI environment due to sandbox restrictions — the environment is blocking git branch creation, network access (pip/curl/gh API to external repos), and branch switching commands.

What needs to be done:

Update .ci/docker/requirements-ci.txt on a new branch from main:

-pytest-cov==4.1.0
+pytest-cov==6.1.1
-hypothesis==6.84.2
+hypothesis==6.131.15
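
Review bot: the `+pytest-cov==6.1.1` and `+hypothesis==6.131.15` pins should not land as written, since the surrounding comment calls both versions approximate; replace them with versions confirmed on PyPI. The pytest-cov line also moves from 4.1.0 across two major versions, so it is worth its own CI run on top of the pytest 9.0.3 pin rather than being folded into an unrelated change.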

(Verify the latest versions on PyPI before submitting — the versions above are approximate.)

Suggested approach — pick one:

  1. Dependabot: If Dependabot is configured for these packages, it may create PRs automatically once CVEs or version gaps are detected.
  2. Manual PR: Create a branch, update the two lines in .ci/docker/requirements-ci.txt, and open a PR.
  3. Claude Code locally: Run this in Claude Code CLI on a local checkout:
    @claude Bump pytest-cov and hypothesis to their latest versions in .ci/docker/requirements-ci.txt and create a PR
    

Sorry I couldn't complete this directly — the GitHub Actions sandbox for this action doesn't allow the git operations needed to create a new branch and PR.


Contributor Author

dependabot Bot commented on behalf of github Apr 27, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/pip/dot-ci/docker/pytest-9.0.3 branch April 27, 2026 22:00
@kirklandsign
Contributor

#19172

Labels

CLA Signed, dependencies, python
