Context
cargo audit in CI flags two advisories in pyo3 0.24.2, a transitive dependency of rustez-py:
- RUSTSEC-2026-0176 — Out-of-bounds read in nth / nth_back for PyList and PyTuple iterators
- RUSTSEC-2026-0177 — Missing Sync bound on PyCFunction::new_closure closures
Both are resolved by upgrading to pyo3 >= 0.29.0.
Surfaced during PR #21 (rustez-cli) — unrelated to that change, but it turns the audit step red on every build. PR #21 was merged over this known failure since the CLI work was green.
Task
- Bump pyo3 (and pyo3 build deps, e.g. the maturin/abi3 feature set) in rustez-py/Cargo.toml to >=0.29.
- Work through the 0.24 → 0.29 API migration (several major versions — expect Bound<'py, T> API changes, IntoPyObject reworks, etc.).
- Verify cargo clippy -p rustez-py and the Python binding tests pass.
- Confirm cargo audit is clean (or update .cargo/audit-ignored.md if anything remains).
Alternative (stopgap)
If the bump can't land soon, add RUSTSEC-2026-0176/0177 to .cargo/audit-ignored.md to unblock CI, as already done for RUSTSEC-2023-0071.
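The gate the stopgap depends on, as an added example that is not part of this issue or of the rustez repo: it pulls the accepted ids out of .cargo/audit-ignored.md (format assumed here: any RUSTSEC id mentioned in the file counts as accepted), filters a constructed, trimmed sample of `cargo audit --json` output, fails only on findings that are not allowlisted, and flags allowlist entries that are no longer reported so they get dropped after the bump.

```python
import json
import re

RUSTSEC_RE = re.compile(r"RUSTSEC-\d{4}-\d{4}")

# Constructed sample of .cargo/audit-ignored.md. Assumed format: every
# RUSTSEC id mentioned anywhere in the file counts as an accepted finding.
AUDIT_IGNORED_MD = """\
# Accepted cargo-audit findings (one per line, with a reason)
- RUSTSEC-2023-0071: no patched release yet; accepted until upstream ships a fix.
"""

# Constructed sample of `cargo audit --json`, reduced to the fields used below.
AUDIT_JSON = json.dumps({"vulnerabilities": {"found": True, "count": 3, "list": [
    {"advisory": {"id": "RUSTSEC-2026-0176"}, "versions": {"patched": [">=0.29.0"]},
     "package": {"name": "pyo3", "version": "0.24.2"}},
    {"advisory": {"id": "RUSTSEC-2026-0177"}, "versions": {"patched": [">=0.29.0"]},
     "package": {"name": "pyo3", "version": "0.24.2"}},
    {"advisory": {"id": "RUSTSEC-2023-0071"}, "versions": {"patched": []},
     "package": {"name": "rsa", "version": "0.9.6"}},
]}})

def parse_ignored(markdown: str) -> set[str]:
    """Advisory ids accepted in the allowlist file."""
    return set(RUSTSEC_RE.findall(markdown))

def blocking_findings(audit_json: str, ignored: set[str]) -> list[dict]:
    """Findings that must fail the audit step: everything not allowlisted."""
    findings = []
    for vuln in json.loads(audit_json)["vulnerabilities"]["list"]:
        adv_id = vuln["advisory"]["id"]
        if adv_id not in ignored:
            findings.append({"id": adv_id, "package": vuln["package"]["name"],
                             "version": vuln["package"]["version"],
                             "patched": vuln["versions"]["patched"]})
    return sorted(findings, key=lambda f: f["id"])

def stale_ignores(audit_json: str, ignored: set[str]) -> set[str]:
    """Allowlist entries no longer reported, i.e. safe to delete after a bump."""
    reported = {v["advisory"]["id"] for v in json.loads(audit_json)["vulnerabilities"]["list"]}
    return ignored - reported

def audit_gate(audit_json: str, markdown: str) -> int:
    """Exit status for the CI step: 0 only when no unaccepted advisory remains."""
    ignored = parse_ignored(markdown)
    blocking = blocking_findings(audit_json, ignored)
    for f in blocking:
        print(f"{f['id']}: {f['package']} {f['version']} patched in {f['patched'] or 'nothing yet'}")
    for adv_id in sorted(stale_ignores(audit_json, ignored)):
        print(f"note: {adv_id} is allowlisted but no longer reported; drop it from the file")
    return 1 if blocking else 0
```

With the two pyo3 ids added to the allowlist the gate returns 0, which is the stopgap; once the bump lands and they stop being reported, the stale-entry note is the reminder to remove them again.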