DLPX-97338 depbump: bump pytest from 9.0.2 to 9.0.3 (consolidates 9 PRs)

[SumoSourabh]

DLPX-97338 depbump: bump pytest from 9.0.2 to 9.0.3

Auto-generated by depbump. Tracked in DLPX-97338.

TL;DR

Consolidated 9 stale Dependabot PRs for pytest across all 5 modules into one PR. Bumped from 9.0.2 → 9.0.3 (latest within current major). 762 tests pass before AND after, 0 install errors, 0 transitive dep moves. One CVE patched in this range (GHSA-6w46-j5rx-g56g); vSDK is exposed via 156 tmpdir / tmp_path fixture call sites — fix is recommended.

Risk tier: MEDIUM

✅ depbump verified: build passes pre/post-change, smoke plugin built clean, flake8 clean, CVE is medium-severity, no breaking changes. Eligible for merge_ready.

JIRA tracking

• DLPX-97338 — created by depbump before this PR

Manifests affected (5)

• common/requirements.txt: pytest 9.0.2 → 9.0.3
• libs/requirements.txt: pytest 9.0.2 → 9.0.3
• platform/requirements.txt: pytest 9.0.2 → 9.0.3
• tools/requirements.txt: pytest 9.0.2 → 9.0.3
• dvp/requirements.txt: pytest 9.0.2 → 9.0.3

Source PRs consolidated (9)

depbump does not close these. Once this PR merges, Dependabot auto-closes them on next scan.

• Bump pytest from 9.0.2 to 9.0.3 in /common #634, Bump pytest from 9.0.2 to 9.0.3 in /dvp #635, Bump pytest from 9.0.2 to 9.0.3 in /libs #636, Bump pytest from 9.0.2 to 9.0.3 in /platform #637 (~42 days old)
• Bump pytest from 9.0.2 to 9.0.3 in /platform #641, Bump pytest from 9.0.2 to 9.0.3 in /dvp #645, Bump pytest from 9.0.2 to 9.0.3 in /libs #648, Bump pytest from 9.0.2 to 9.0.3 in /common #653, Bump pytest from 9.0.2 to 9.0.3 in /tools #655 (~25 days old)

CVE findings (1)

GHSA-6w46-j5rx-g56g · CVE-2025-71176 · CVSS medium

• Fixed in: pytest 9.0.3
• Summary: pytest has vulnerable tmpdir handling
• Description: pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.
• Your usage: 🟡 EXPOSED via pytest fixtures — 156 call sites of tmpdir / tmp_path across common/src, libs/src, platform/src, tools/src, dvp/src.

Commit breakdown (10 commits between 9.0.2 and 9.0.3)

• 1 security/CVE fix (CVE-2025-71176)
• 4 bug fixes
• 1 docs
• 4 merge / patchback commits

No breaking changes detected.

Build verification

Phase	Result	Summary
Baseline (pre-change)	✅ PASS	762 tests passed across 5 modules
Post-change	✅ PASS	762 tests passed (same suite)

Installed package changes (pip freeze diff)

- pytest==9.0.2
+ pytest==9.0.3

1 explicit + 0 transitive changes — clean patch bump.

Additional automations

Pre-push

• ✅ sh bin/build_project.sh -f — flake8 0 issues across 5 modules
• ✅ sh bin/smoke_plugin_build.sh — dvp init + dvp build --dev → artifact.json 1.11 MB

Post-push

• ✅ git blackbox … → tracking URL: https://selfservice-jenkins.eng-tools-prd.aws.delphixcloud.com/job/blackbox-self-service/217529/

---

Generated by depbump · policy: latest-minor-within-major

[SumoSourabh]

Closing — depbump dry-run rehearsal complete. The v2 flow (JIRA + amend commit + post-push blackbox + PR + label + linkback) all worked end-to-end. JIRA ticket DLPX-97338 will be similarly cleaned up.