Update Rust crate pyo3 to 0.24 [SECURITY] #135

renovate · 2025-04-02T14:19:48Z

This PR contains the following updates:

Package	Type	Update	Change
pyo3	dependencies	minor	`0.23` -> `0.24`

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

Release Notes

pyo3/pyo3 (pyo3)

`v0.24.1`

Compare Source

Added

Add abi3-py313 feature. #4969
Add PyAnyMethods::getattr_opt. #4978
Add PyInt::new constructor for all supported number types (i32, u32, i64, u64, isize, usize). #4984
Add pyo3::sync::with_critical_section2. #4992
Implement PyCallArgs for Borrowed<'_, 'py, PyTuple>, &Bound<'py, PyTuple>, and &Py<PyTuple>. #5013

Fixed

Fix is_type_of for native types not using same specialized check as is_type_of_bound. #4981
Fix Probe class naming issue with #[pymethods]. #4988
Fix compile failure with required #[pyfunction] arguments taking Option<&str> and Option<&T> (for #[pyclass] types). #5002
Fix PyString::from_object causing of bounds reads whith encoding and errors parameters which are not nul-terminated. #5008
Fix compile error when additional options follow after crate for #[pyfunction]. #5015

`v0.24.0`

Compare Source

Packaging

Add supported CPython/PyPy versions to cargo package metadata. #4756
Bump target-lexicon dependency to 0.13. #4822
Add optional jiff dependency to add conversions for jiff datetime types. #4823
Add optional uuid dependency to add conversions for uuid::Uuid. #4864
Bump minimum supported inventory version to 0.3.5. #4954

Added

Add PyIterator::send method to allow sending values into a python generator. #4746
Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #4768
Add #[pyo3(default = ...'] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #4829
Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #4850
Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #4866
Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #4878
Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #4878
Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator #4897
Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #4917


Add MutextExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #4934
Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #4941


Changed

Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #4810
Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #4593
Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #4747
PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #4768
Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #4853
#[pyo3(from_py_with = ...)] now take a path rather than a string literal #4860
Format Python traceback in impl Debug for PyErr. #4900
Convert PathBuf & Path into Python pathlib.Path instead of PyString. #4925
Relax parsing of exotic Python versions. #4949
PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #4874

Removed

Remove implementations of Deref for PyAny and other "native" types. #4593
Remove implicit default of trailing optional arguments (see #2935) #4729
Remove the deprecated implicit eq fallback for simple enums. #4730

Fixed

Correct FFI definition of PyIter_Send to return a PySendResult. #4746
Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #4948



Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.


 If you want to rebase/retry this PR, check this box


This PR was generated by Mend Renovate. View the repository job log.



          
          
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
        
  
    
    
      
        
            
    All reactions

renovate · 2025-05-27T13:11:54Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path shaperglot-py/Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `pyo3`.
    ... required by package `pythonize v0.23.0`
    ... which satisfies dependency `pythonize = "^0.23.0"` of package `shaperglot-py v1.0.2 (/tmp/renovate/repos/github/googlefonts/shaperglot/shaperglot-py)`
versions that meet the requirements `^0.23.1` are: 0.23.5, 0.23.4, 0.23.3

the package `pyo3` links to the native library `python`, but it conflicts with a previous package which links to `python` as well:
package `pyo3 v0.24.0`
    ... which satisfies dependency `pyo3 = "^0.24"` of package `shaperglot-py v1.0.2 (/tmp/renovate/repos/github/googlefonts/shaperglot/shaperglot-py)`
Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the `links = "python"` value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links.

failed to select a version for `pyo3` which could resolve this conflict

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 3f2bd82 to ab420a1 Compare April 24, 2025 07:47

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.1 [SECURITY]~~ Update Rust crate pyo3 to 0.24.2 [SECURITY] Apr 24, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from ab420a1 to e9843cb Compare April 24, 2025 14:32

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.2 [SECURITY]~~ Update Rust crate pyo3 to 0.24.1 [SECURITY] Apr 24, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from e9843cb to bde2d8d Compare April 30, 2025 13:44

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.1 [SECURITY]~~ Update Rust crate pyo3 to 0.24.2 [SECURITY] Apr 30, 2025

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.2 [SECURITY]~~ Update Rust crate pyo3 to 0.24.1 [SECURITY] Apr 30, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from bde2d8d to 8c4cadc Compare April 30, 2025 19:58

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.1 [SECURITY]~~ Update Rust crate pyo3 to 0.24.2 [SECURITY] May 7, 2025

renovate bot force-pushed the renovate 8000 /crate-pyo3-vulnerability branch 2 times, most recently from 6777fe5 to 56ba52f Compare May 7, 2025 16:08

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.2 [SECURITY]~~ Update Rust crate pyo3 to 0.24.1 [SECURITY] May 7, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 56ba52f to d21630f Compare May 12, 2025 06:53

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.1 [SECURITY]~~ Update Rust crate pyo3 to 0.24.2 [SECURITY] May 12, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from d21630f to 426260a Compare May 12, 2025 10:36

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.2 [SECURITY]~~ Update Rust crate pyo3 to 0.24.1 [SECURITY] May 12, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 426260a to e528a1d Compare May 13, 2025 10:57

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.1 [SECURITY]~~ Update Rust crate pyo3 to 0.24.2 [SECURITY] May 13, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from e528a1d to 32df021 Compare May 13, 2025 17:37

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.2 [SECURITY]~~ Update Rust crate pyo3 to 0.24.1 [SECURITY] May 13, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 32df021 to 58de8c5 Compare May 19, 2025 18:20

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.1 [SECURITY]~~ Update Rust crate pyo3 to 0.25.0 [SECURITY] May 19, 2025

renovate bot changed the title ~~Update Rust crate pyo3 to 0.25.0 [SECURITY]~~ Update Rust crate pyo3 to 0.24.1 [SECURITY] May 19, 2025

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 58de8c5 to 50e2ed7 Compare May 19, 2025 23:45

Update Rust crate pyo3 to 0.24 [SECURITY]

73f3a96

renovate bot force-pushed the renovate/crate-pyo3-vulnerability branch from 50e2ed7 to 73f3a96 Compare May 27, 2025 13:11

renovate bot changed the title ~~Update Rust crate pyo3 to 0.24.1 [SECURITY]~~ Update Rust crate pyo3 to 0.24 [SECURITY] May 27, 2025

simoncozens merged commit 97fcd04 into main May 27, 2025
7 of 38 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update Rust crate pyo3 to 0.24 [SECURITY] #135

Update Rust crate pyo3 to 0.24 [SECURITY] #135

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Update Rust crate pyo3 to 0.24 [SECURITY] #135

Update Rust crate pyo3 to 0.24 [SECURITY] #135

Uh oh!

Conversation

Uh oh!

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

Release Notes

v0.24.1

Added

Fixed

v0.24.0

Packaging

Added

Changed

Removed

Fixed

Configuration

Uh oh!

⚠️ Artifact update problem

File name: Cargo.lock

Uh oh!

Uh oh!

Uh oh!

`v0.24.1`

`v0.24.0`