Skip to content

Update dependency pytest to v9 [SECURITY] #250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
+10 −10
Open

Update dependency pytest to v9 [SECURITY] #250

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions chart_data_extractor/poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion chart_data_extractor/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ matplotlib = "^3.10.3"
pydantic = "^2.9.1"

[tool.poetry.group.dev.dependencies]
pytest = "^8.3.5"
pytest = "^9.0.0"
python-dotenv = "^1.2.1"
pytest-dotenv = "^0.5.2"
ruff = "^0.11.12"
Expand Down
2 changes: 1 addition & 1 deletion python/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ attrs = ">=21.3.0"
e2b = "^2.7.0"

[tool.poetry.group.dev.dependencies]
pytest = "^8.2.0"
pytest = "^9.0.0"
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Regenerate lockfile when bumping pytest

Bumping pytest in python/pyproject.toml without updating python/poetry.lock causes the install step to fail before tests run in workflows that execute poetry install (for example .github/workflows/python_tests.yml and .github/workflows/lint.yml). Running poetry install --with dev after this change exits with pyproject.toml changed significantly since poetry.lock was last generated, so CI and local setup are blocked until the lockfile is regenerated and committed.

Useful? React with 👍 / 👎.

python-dotenv = "^1.0.0"
pytest-dotenv = "^0.5.2"
pytest-asyncio = "^0.24.0"
Comment on lines +20 to 23
Copy link
Copy Markdown

@claude claude bot Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 This PR introduces an unsatisfiable dependency constraint: pytest = "^9.0.0" conflicts with pytest-asyncio = "^0.24.0" because pytest-asyncio 0.24.x declares a strict upper bound of pytest <9. Renovate's own artifact update already failed with this error, and poetry.lock was not updated, leaving the repo broken. Fix by upgrading pytest-asyncio to ^0.25.0 (which added pytest 9 support) alongside this PR's pytest upgrade.

Extended reasoning...

What the bug is and how it manifests

The PR bumps pytest from ^8.2.0 to ^9.0.0 in python/pyproject.toml, but the existing pytest-asyncio = "^0.24.0" constraint was not updated. pytest-asyncio 0.24.x declares its dependency as pytest (>=8.2,<9) — a strict upper bound that excludes pytest 9. These two constraints cannot be satisfied simultaneously by any version of pytest.

The specific code path that triggers it

In python/pyproject.toml, lines 20–23 now read:

pytest = "^9.0.0"
...
pytest-asyncio = "^0.24.0"

When Poetry (or pip) attempts to resolve dependencies, it must find a version of pytest that satisfies both ^9.0.0 (i.e., >=9.0.0,<10) and <9 (from pytest-asyncio's constraint). No such version exists.

Why existing code doesn't prevent it

Poetry's constraint solver catches this at lock/install time, not at the toml edit stage. Renovate updated only the pytest version in pyproject.toml without bumping pytest-asyncio, and the poetry.lock update failed as a result — leaving the lock file in its old state (pointing to pytest 8.x) while pyproject.toml demands pytest 9.x. The repo is now in an inconsistent state.

What the impact would be

Anyone who clones the repo and runs poetry install or poetry lock will get an immediate resolution failure:

Because pytest-asyncio (0.24.0) depends on pytest (>=8.2,<9) and no versions of pytest-asyncio match >0.24.0,<0.25.0, pytest-asyncio (>=0.24.0,<0.25.0) requires pytest (>=8.2,<9). So, because e2b-code-interpreter depends on both pytest (^9.0.0) and pytest-asyncio (^0.24.0), version solving failed.

CI pipelines that re-lock dependencies will also fail. The stale poetry.lock means the pinned versions are no longer consistent with pyproject.toml.

How to fix it

Upgrade pytest-asyncio to ^0.25.0 alongside the pytest bump. pytest-asyncio 0.25.0 dropped the <9 upper bound and officially added pytest 9 support. The change in pyproject.toml would be:

pytest-asyncio = "^0.25.0"

After that, poetry lock should succeed and generate an updated poetry.lock.

Step-by-step proof

  1. pyproject.toml requires pytest ^9.0.0 → resolves to versions in range [9.0.0, 10).
  2. pyproject.toml also requires pytest-asyncio ^0.24.0 → the only released version in that range is 0.24.0.
  3. pytest-asyncio 0.24.0's own metadata declares Requires: pytest (>=8.2,<9).
  4. The solver needs a pytest version satisfying both >=9.0.0 (step 1) and <9 (step 3) — no such version exists.
  5. Renovate confirmed this in the PR timeline artifact failure comment, and poetry.lock was left unchanged (still locked to pytest 8.x), producing an inconsistent repo state.

Expand Down
2 changes: 1 addition & 1 deletion template/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ opencv-python==4.11.0.86
openpyxl==3.1.5
plotly==6.0.1
kaleido==1.0.0
pytest==8.3.5
pytest==9.0.3
python-docx==1.1.2
pytz==2025.2
requests==2.33.0
Expand Down
Loading