From 6f67a231fc8b620997266663a584d10450f30d61 Mon Sep 17 00:00:00 2001
From: Rich Chiodo false
Date: Wed, 24 Jun 2026 11:09:22 -0700
Subject: [PATCH] Pin secure versions of test dependencies to address CVEs

The Debugpy-Build pipeline installs tests/requirements.txt, and Component Governance flags vulnerable versions in the installed dependency tree. Add secure minimum-version floors:
- pytest>=9.0.3 (CVE-2025-71176)
- requests>=2.33.0 (CVE-2026-25645)
- urllib3>=2.7.0 (CVE-2026-44431, CVE-2026-44432; transitive via requests)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 tests/requirements.txt | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tests/requirements.txt b/tests/requirements.txt
index 77fcfbe1e..195e94fba 100644
--- a/tests/requirements.txt
+++ b/tests/requirements.txt
@@ -1,6 +1,6 @@
 ## Used to run the tests:
-pytest
+pytest>=9.0.3 # CVE-2025-71176 (vulnerable <= 9.0.2)
 pytest-xdist
 pytest-cov
 pytest-timeout
@@ -18,7 +18,10 @@ django
 flask
 gevent
 numpy
-requests
+requests>=2.33.0 # CVE-2026-25645 (vulnerable < 2.33.0)
+# urllib3 is pulled in transitively by requests; pin a secure floor for
+# CVE-2026-44431 and CVE-2026-44432 (vulnerable 2.6.0 <= x < 2.7.0).
+urllib3>=2.7.0
 typing_extensions
 # Used to build pydevd attach to process binaries:
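Review bot: The `urllib3>=2.7.0` floor (and the `requests>=2.33.0` one above it) only guarantees a non-vulnerable version at the moment of a fresh resolve; an open-ended `>=` neither makes the Debugpy-Build install reproducible nor prevents a future vulnerable release from being selected, so Component Governance findings can reappear with no change to this file. For the pipeline, consider resolving this file into a pinned constraints or lock file (e.g. `pip-compile --generate-hashes tests/requirements.txt`) and installing with `-c` or `--require-hashes`, keeping these floors as the human-readable statement of intent. A direct `urllib3` requirement is also only satisfiable while it overlaps whatever range `requests` itself declares for urllib3, which this hunk does not show, so a resolver conflict on that pair would surface as an install failure rather than a quiet downgrade. It would help a future maintainer to record that expectation next to the pin, e.g. `# Must stay within the urllib3 range declared by the pinned requests release.`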