Bump pyo3 to 0.29 (fix RUSTSEC-2026-0176/0177) #23

Merged: fastrevmd-lab merged 1 commit into main from fix/pyo3-0.29, Jun 20, 2026

@fastrevmd-lab (Owner)

Summary

Closes #22. Upgrades rustez-py's pyo3 dependency from 0.24 to 0.29, clearing the two advisories that were turning the cargo audit CI step red:

  • RUSTSEC-2026-0176 — out-of-bounds read in nth/nth_back for PyList/PyTuple iterators
  • RUSTSEC-2026-0177 — missing Sync bound on PyCFunction::new_closure closures

Migration

pyo3 0.26 renamed Python::allow_threads to Python::detach, and 0.29 removed the old alias. The only code change is the mechanical rename of all 19 py.allow_threads(...) call sites in src/lib.rs to py.detach(...). No public binding API changed — Python callers are unaffected. The rest of the API surface (#[pyclass], #[pymethods], Bound, *::new_err) was already on the modern API.

Test Plan

  • cargo clippy -p rustez-py -- --deny warnings clean
  • cargo check (workspace) clean
  • cargo audit --ignore RUSTSEC-2023-0071 exits 0 (both pyo3 advisories gone)
  • scripts/check_versions.py — manifests still aligned at 0.12.0
  • maturin wheel build / Python smoke test (not run locally; detach is a pure rename of allow_threads, semantics identical)

🤖 Generated with Claude Code

Resolves RUSTSEC-2026-0176 and RUSTSEC-2026-0177 (out-of-bounds read and
missing Sync bound in pyo3 0.24). pyo3 0.26 renamed Python::allow_threads
to Python::detach; 0.29 removed the old alias, so all 19 call sites are
updated. No public binding API change. Closes #22.
@fastrevmd-lab fastrevmd-lab merged commit ae51a32 into main Jun 20, 2026
1 check passed
@fastrevmd-lab fastrevmd-lab deleted the fix/pyo3-0.29 branch June 20, 2026 02:07
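
A merge gate for the migration described in this PR, as an added example that is not part of the PR or the rustez-py repository: it checks a Cargo.lock for a pyo3 below 0.29 and scans Rust source for remaining allow_threads calls. The lockfile and source snippets are constructed, and the function names are hypothetical.

```python
import re

MIN_PYO3 = (0, 29)  # floor taken from the linked issue title (>=0.29)
PKG_RE = re.compile(r'\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"')
CALL_RE = re.compile(r"\ballow_threads\s*\(")

def pyo3_versions(lock_text):
    """Return each locked pyo3 version as a tuple of ints, e.g. (0, 24, 0)."""
    found = []
    for name, version in PKG_RE.findall(lock_text):
        if name == "pyo3":  # exact match: pyo3-ffi, pyo3-macros are separate crates
            core = re.split(r"[-+]", version, maxsplit=1)[0]  # drop pre-release/build
            found.append(tuple(int(part) for part in core.split(".")))
    return found

def stale_call_sites(source):
    """Return (line_no, text) for lines that still call allow_threads.
    Line comments are cut at the first //, which is a heuristic, not a parser."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if CALL_RE.search(line.split("//", 1)[0]):
            hits.append((line_no, line.strip()))
    return hits

def gate(lock_text, source):
    """Return a list of problems; an empty list means the migration is complete."""
    versions = pyo3_versions(lock_text)
    problems = [] if versions else ["pyo3 not found in lockfile"]
    for v in versions:
        if v[:2] < MIN_PYO3:
            problems.append("pyo3 %s is below 0.29" % ".".join(map(str, v)))
    problems += ["line %d: %s" % hit for hit in stale_call_sites(source)]
    return problems

# Constructed samples (not from the rustez-py repository).
LOCK = '[[package]]\nname = "pyo3"\nversion = "{0}"\n\n[[package]]\nname = "pyo3-ffi"\nversion = "{0}"\n'
OLD_LOCK, NEW_LOCK = LOCK.format("0.24.0"), LOCK.format("0.29.0")
OLD_SRC = """fn run(py: Python<'_>) -> PyResult<()> {
    // py.allow_threads(...) is the pre-0.26 name
    py.allow_threads(|| do_io())
}
"""
NEW_SRC = OLD_SRC.replace("py.allow_threads(|| do_io())", "py.detach(|| do_io())")

if __name__ == "__main__":
    for label, lock, src in (("before", OLD_LOCK, OLD_SRC), ("after", NEW_LOCK, NEW_SRC)):
        print(label, gate(lock, src) or "ok")
```

A check like this complements cargo audit: the audit catches the advisories, while the source scan catches call sites that would fail to compile once the alias is gone.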

Development

Successfully merging this pull request may close these issues.

Bump pyo3 in rustez-py to >=0.29 (RUSTSEC-2026-0176/0177)
