
fix(deps): bump pytest to >=9,<10 (CVE-2025-71176) #123

Merged
TexasCoding merged 1 commit into main from fix/pytest-9-cve-2025-71176 on May 17, 2026

Conversation

@TexasCoding

Owner

Summary

pip-audit on main flagged pytest 8.4.2 for CVE-2025-71176 — predictable /tmp/pytest-of-{user} directory enables local DoS / privilege escalation on UNIX. Fix is in pytest 9.0.3.

Dev-only dep; zero risk to SDK users. Affects developers running the suite on shared UNIX systems.

Notes

  • uv.lock on main already had pytest 9.0.3 + pytest-asyncio 1.3.0 resolved (cascaded from the pytest-asyncio bump in #119, chore(deps-dev): update pytest-asyncio requirement from <1,>=0.24 to >=0.24,<2), so this commit only realigns pyproject.toml with the lockfile.
  • cryptography CVE-2026-26007 + CVE-2026-34073 also surfaced by pip-audit; the existing >=43,<49 pin already permits the fixed 46.0+ range and the floating lockfile picks up 48.0.0 — no pyproject change needed for those.
  • Pre-existing integration-test failures (11 of them) verified to be unrelated to this bump (same set fails against plain main with pytest 8.4.2). Tracking separately — see follow-up issue.

Test plan

  • uv run pytest tests/ --ignore=tests/integration -q → 1607 passed, 51 warnings
  • uv run ruff check . → clean
  • uv run mypy kalshi/ → clean (76 source files, strict)
  • uv run --with pip-audit pip-audit → No known vulnerabilities

pip-audit on main flagged pytest 8.4.2 for CVE-2025-71176 — predictable
/tmp/pytest-of-{user} directory allows local DoS / privilege escalation
on UNIX. Fix is in pytest 9.0.3.

Dev-only dep; zero risk to SDK users. Affects developers running the
test suite on shared UNIX systems.

Notes:
- uv.lock on main was already at pytest 9.0.3 + pytest-asyncio 1.3.0
  (cascaded from #119's pytest-asyncio bump), so this commit only
  realigns pyproject.toml with the lockfile.
- Local full suite: 1607 passed, 51 warnings. mypy strict + ruff clean.
- Integration suite has 11 pre-existing failures unrelated to this
  bump (verified by running tests/integration/ against plain main with
  pytest 8.4.2 — same 11 failures). Tracked in a separate follow-up
  issue covering integration-test health overall.
- pip-audit also surfaced cryptography CVE-2026-26007 + CVE-2026-34073
  (both fixed in 46.0+); pin already allows up to <49 so the floating
  lockfile picks up 48.0.0 with no pyproject change needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
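The mechanism behind the CVE, as an added example that is neither pytest's fix nor this project's code: the ownership and permission check a tool should apply before using a predictable per-user directory in a shared /tmp, with a fallback to an unpredictable mkdtemp() name when that check fails. The function names, the `tool-of-<name>` paths and the scratch root are assumptions for illustration.

```python
"""Added example (not pytest's fix and not this project's code): the check a
tool should run before trusting a predictable per-user directory such as
/tmp/pytest-of-<user>, with a fallback to an unpredictable mkdtemp() name."""
import os
import stat
import tempfile
from pathlib import Path


def is_trusted_private_dir(path: Path, uid: int = -1) -> bool:
    """Real directory (not a symlink), owned by uid (default: current user), mode 0700."""
    uid = os.getuid() if uid < 0 else uid
    try:
        st = os.lstat(path)  # lstat: a planted symlink must show up as one
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    return st.st_uid == uid and (st.st_mode & 0o077) == 0


def user_base_temp(root: Path, name: str) -> Path:
    """Return root/name only if it passes the check (creating it 0700 when
    absent); otherwise fall back to an unpredictable mkdtemp() directory."""
    candidate = root / name
    try:
        candidate.mkdir(mode=0o700)  # EEXIST if another user got there first
    except FileExistsError:
        pass
    if is_trusted_private_dir(candidate):
        return candidate
    return Path(tempfile.mkdtemp(prefix=f"{name}-", dir=root))


def demo() -> dict:
    """Constructed scenario in a scratch root standing in for a shared /tmp."""
    root = Path(tempfile.mkdtemp(prefix="scratch-"))
    fresh = user_base_temp(root, "tool-of-alice")  # absent before: created 0700
    loose = root / "tool-of-bob"
    loose.mkdir()
    os.chmod(loose, 0o777)  # pre-created world-writable by another local user
    (root / "tool-of-carol").symlink_to(root)  # planted symlink
    fallback = user_base_temp(root, "tool-of-bob")
    return {
        "fresh_trusted": fresh == root / "tool-of-alice" and is_trusted_private_dir(fresh),
        "loose_rejected": not is_trusted_private_dir(loose),
        "symlink_rejected": not is_trusted_private_dir(root / "tool-of-carol"),
        "wrong_owner_rejected": not is_trusted_private_dir(fresh, uid=os.getuid() + 1),
        "fallback_safe": fallback != loose and is_trusted_private_dir(fallback),
    }
```

The check is repeated after every use of the path rather than once at startup, because a directory that passed earlier can be replaced between checks; the fallback to mkdtemp() is what removes the predictability the CVE relies on.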
@claude

claude Bot commented May 17, 2026


Code Review

Overview

This is a single-line dependency bump in pyproject.toml (pytest>=8,<9 → pytest>=9,<10) to address CVE-2025-71176 (predictable /tmp/pytest-of-{user} directory enabling local DoS / privilege escalation on shared UNIX systems). The PR description is thorough and accurate.


Code Quality & Style ✅

  • Change is minimal and surgical — exactly one line, exactly what was asked.
  • The version constraint follows the existing pattern (>=MAJOR,<NEXT_MAJOR), consistent with all other dev dependency pins in the file.
  • No formatting or unrelated changes introduced.

Correctness ✅

  • The lockfile (uv.lock) already resolves to pytest 9.0.3, so this is realigning the constraint with reality rather than introducing a new resolution. Low risk of surprise behavior.
  • pytest-asyncio>=0.24,<2 is already compatible with pytest 9.x (the 1.3.0 release in the lockfile confirms this).
  • The test plan shows 1607 passed — more tests than the CLAUDE.md baseline of 1455, consistent with ongoing development.

Security ✅

  • CVE-2025-71176 is a dev-only vector; it does not affect SDK consumers. The fix is correct and the pip-audit output confirms no remaining known vulnerabilities.
  • The cryptography CVEs noted in the description are handled by the existing floating pin — no action needed here.

Test Coverage ✅

  • All non-integration tests pass. The 11 pre-existing integration failures are correctly identified as unrelated (same failures on unpatched main). Tracking them separately is the right call.

Performance ✅

  • No runtime impact — this is a test-only dependency.

Suggestions / Minor Notes

  1. pytest-asyncio upper bound — The pin >=0.24,<2 is very wide. Now that pytest-asyncio 1.3.0 is resolved in the lockfile and working, consider tightening to >=1,<2 in a follow-up to match the pytest>=9,<10 style and avoid accidentally picking up a future hypothetical 2.x breaking release. Not blocking.

  2. pytest 9 breaking changes awareness — pytest 9 shipped several deprecation removals (e.g., --strict renamed to --strict-markers, some fixture scoping changes). The passing test suite confirms none of those bit here, but worth a mental note if contributors run into unexpected failures on older pytest 8 local installs after this merges.


Verdict

Approve. Correct, minimal, well-justified security fix. The description is unusually thorough for a one-liner — appreciated. Ready to merge.

@TexasCoding TexasCoding merged commit dafa1fb into main May 17, 2026
4 checks passed
@TexasCoding TexasCoding deleted the fix/pytest-9-cve-2025-71176 branch May 17, 2026 13:16
