Bump pyo3 in rustez-py to >=0.29 (RUSTSEC-2026-0176/0177) #22

Description

@fastrevmd-lab

Context

cargo audit in CI flags two advisories in pyo3 0.24.2, a transitive dependency of rustez-py:

  • RUSTSEC-2026-0176 — Out-of-bounds read in nth / nth_back for PyList and PyTuple iterators
  • RUSTSEC-2026-0177 — Missing Sync bound on PyCFunction::new_closure closures

Both are resolved by upgrading to pyo3 >= 0.29.0.

Surfaced during PR #21 (rustez-cli) — unrelated to that change, but it turns the audit step red on every build. PR #21 was merged over this known failure since the CLI work was green.

Task

  • Bump pyo3 (and pyo3 build deps, e.g. the maturin/abi3 feature set) in rustez-py/Cargo.toml to >=0.29.
  • Work through the 0.24 → 0.29 API migration (several major versions — expect Bound<'py, T> API changes, IntoPyObject reworks, etc.).
  • Verify cargo clippy -p rustez-py and the Python binding tests pass.
  • Confirm cargo audit is clean (or update .cargo/audit-ignored.md if anything remains).

Alternative (stopgap)

If the bump can't land soon, add RUSTSEC-2026-0176/0177 to .cargo/audit-ignored.md to unblock CI, as already done for RUSTSEC-2023-0071.
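The verification step in the Task list and the stopgap above both turn on two checks: whether the pyo3 that actually resolves in Cargo.lock is at or above the fixed release, and which advisories CI is allowed to ignore. The following POSIX shell helper is an added example, not code from the rustez repository or from this issue. It reads the lockfile rather than the manifest (a ">=0.29" requirement in Cargo.toml proves nothing until the lock resolves to a fixed release) and derives `cargo audit --ignore` flags from .cargo/audit-ignored.md. The format of that file is an assumption (one "RUSTSEC-YYYY-NNNN: reason" entry per line); the issue only shows that the file exists. The demo at the bottom runs on constructed input.

```shell
#!/bin/sh
# Added CI helper (not part of the rustez repository or this issue). It checks
# the pyo3 version actually resolved in Cargo.lock against the minimum fixed
# release named in RUSTSEC-2026-0176/0177, and turns the project's
# .cargo/audit-ignored.md into `cargo audit --ignore` flags. The file format
# is an assumption: one "RUSTSEC-YYYY-NNNN: reason" entry per line.
set -eu

PYO3_MIN="0.29.0"   # first pyo3 release that resolves both advisories

# Print the version of crate $2 as pinned in the Cargo.lock at $1.
# Reads the lockfile, not Cargo.toml: a ">=0.29" requirement in the manifest
# proves nothing until the lock actually resolves to a fixed release.
lock_version() {
    awk -v crate="$2" '
        $0 == "[[package]]"                      { in_pkg = 0 }
        $1 == "name" && $3 == ("\"" crate "\"")  { in_pkg = 1 }
        in_pkg && $1 == "version"                { gsub(/"/, "", $3); print $3; exit }
    ' "$1"
}

# Succeed (exit 0) when dotted version $1 is >= dotted version $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Emit one "--ignore RUSTSEC-YYYY-NNNN" line per advisory id found in the
# ignore file, so the only way to silence an advisory is to write it (and its
# justification) into a file that goes through code review.
audit_ignore_flags() {
    grep -oE 'RUSTSEC-[0-9]{4}-[0-9]{4}' "$1" | sort -u | sed 's/^/--ignore /'
}

# Exit 0 if the locked pyo3 is at or above PYO3_MIN, 1 if it is still affected,
# 2 if pyo3 is not in the lockfile at all.
check_pyo3() {
    v=$(lock_version "$1" pyo3)
    [ -n "$v" ] || { echo "pyo3 not found in $1" >&2; return 2; }
    if version_ge "$v" "$PYO3_MIN"; then
        echo "pyo3 $v >= $PYO3_MIN: RUSTSEC-2026-0176/0177 fixed"
        return 0
    fi
    echo "pyo3 $v < $PYO3_MIN: still affected by RUSTSEC-2026-0176/0177" >&2
    return 1
}

# Full audit step as it would run in CI (not invoked in the demo below).
run_audit() {
    # shellcheck disable=SC2046  # word splitting of the flag list is intended
    cargo audit $(audit_ignore_flags "$1")
}

# Demo on constructed input. Point the two paths at rustez-py/Cargo.lock and
# .cargo/audit-ignored.md to use it for real.
tmp=$(mktemp -d)
cat > "$tmp/Cargo.lock" <<'EOF'
[[package]]
name = "pyo3"
version = "0.24.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "pyo3-ffi"
version = "0.24.2"
EOF
cat > "$tmp/audit-ignored.md" <<'EOF'
# Advisories accepted in CI (constructed sample)
RUSTSEC-2023-0071: accepted before this issue
RUSTSEC-2026-0176: stopgap until pyo3 >= 0.29 lands (#22)
RUSTSEC-2026-0177: stopgap until pyo3 >= 0.29 lands (#22)
EOF
if check_pyo3 "$tmp/Cargo.lock"; then :; fi
audit_ignore_flags "$tmp/audit-ignored.md"
rm -rf "$tmp"
```

In CI, `check_pyo3 rustez-py/Cargo.lock` fails the job while the lock still resolves to 0.24.2, and `run_audit .cargo/audit-ignored.md` applies exactly the ignores listed in the reviewed file and nothing else. Once the bump lands, the two RUSTSEC-2026 entries should be removed from the file so the stopgap does not outlive the fix.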
