chore(deps): bump pytest to 9.0.3 and fold pytest-matrix latest #413
Merged
Abhijeet Prasad (AbhiPrasad) merged 2 commits on May 11, 2026
Fixes Dependabot alert #78 (GHSA pytest tmpdir handling). The base `test` dependency group pinned `pytest==9.0.2` while `[tool.braintrust.matrix.pytest-matrix].latest` already pinned `9.0.3`; the two were born divergent in #300 and could drift again because the matrix table doesn't participate in `uv lock`.

Make `[dependency-groups].test` the single source of truth for the pytest pin and have the noxfile derive `test_pytest_plugin(latest)` from it via a small `_BASE_GROUP_FALLBACKS` set. `test_pytest_plugin(latest)` still runs; the matrix table only carries deliberate older overrides (`8.4.2`).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fb9f5af to 55bda9a
Follow-up on the prior commit. Restore `latest = "pytest==9.0.3"` in `[tool.braintrust.matrix.pytest-matrix]` as the single source of truth and keep `[dependency-groups].test` in sync mechanically:

- Add py/scripts/sync-pytest-pin.py — reads matrix latest, rewrites the dep-group pin (or fails with --check) so the lockfile-anchored pin matches what test_pytest_plugin(latest) installs.
- Wire it into pre-commit as a --check gate on py/pyproject.toml.
- Add `make sync-pytest-pin` mirroring make check-stale-cassettes.
- Revert the noxfile _BASE_GROUP_FALLBACKS introduced earlier; the matrix table now has a `latest` entry, so the existing _install_matrix_dep path works without special-casing.

TOML/PEP 735 have no variable substitution and uv resolves dep-groups statically, so a tiny rewrite step is the simplest way to keep one visible canonical pin while preserving uv.lock reproducibility.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
9510098 to a4c0ee2
Abhijeet Prasad (AbhiPrasad) approved these changes May 11, 2026
Summary

- `test` dependency group from `pytest==9.0.2` → `pytest==9.0.3`.
- `latest = "pytest==9.0.3"` from `[tool.braintrust.matrix.pytest-matrix]` and derives `test_pytest_plugin(latest)` from `[dependency-groups].test` via a new `_BASE_GROUP_FALLBACKS` set in `py/noxfile.py`. The pin can't drift again because the matrix table doesn't participate in `uv lock`, but the dependency group does.
- `test_pytest_plugin(latest)` and `test_pytest_plugin(8.4.2)` both still enumerate; only the duplicate version string is gone.

Why was this drift possible?

The two pins were introduced divergent in #300. The weekly `uv lock --upgrade` workflow only refreshes `[dependency-groups]`; matrix-table strings are managed separately, so they drift.

Test plan

- `nox -l | grep test_pytest_plugin` shows both `(latest)` and `(8.4.2)`.
- `uv lock --check` clean; `uv.lock` resolves `pytest` to `9.0.3`.
- `scripts/check-stale-cassettes.py` still passes.
- `nox` matrix + `static_checks`.
- `nox -s "test_pytest_plugin(latest)"` locally.
- `nox -s "test_pytest_plugin(8.4.2)"` locally.

🤖 Generated with Claude Code