fix(deps): update rust crate pyo3 to 0.24 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
pyo3	dependencies	minor	0.23 → 0.24

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

---

Release Notes

pyo3/pyo3 (pyo3)

v0.24.1

Compare Source

Added

• Add abi3-py313 feature. #​4969
• Add PyAnyMethods::getattr_opt. #​4978
• Add PyInt::new constructor for all supported number types (i32, u32, i64, u64, isize, usize). #​4984
• Add pyo3::sync::with_critical_section2. #​4992
• Implement PyCallArgs for Borrowed<'_, 'py, PyTuple>, &Bound<'py, PyTuple>, and &Py<PyTuple>. #​5013

Fixed

• Fix is_type_of for native types not using same specialized check as is_type_of_bound. #​4981
• Fix Probe class naming issue with #[pymethods]. #​4988
• Fix compile failure with required #[pyfunction] arguments taking Option<&str> and Option<&T> (for #[pyclass] types). #​5002
• Fix PyString::from_object causing of bounds reads with encoding and errors parameters which are not nul-terminated. #​5008
• Fix compile error when additional options follow after crate for #[pyfunction]. #​5015

v0.24.0

Compare Source

Packaging

• Add supported CPython/PyPy versions to cargo package metadata. #​4756
• Bump target-lexicon dependency to 0.13. #​4822
• Add optional jiff dependency to add conversions for jiff datetime types. #​4823
• Add optional uuid dependency to add conversions for uuid::Uuid. #​4864
• Bump minimum supported inventory version to 0.3.5. #​4954

Added

• Add PyIterator::send method to allow sending values into a python generator. #​4746
• Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #​4768
• Add #[pyo3(default = ...'] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #​4829
• Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #​4850
• Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #​4866
• Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #​4878
• Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #​4878
• Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator #​4897
• Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #​4917
• Add MutextExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #​4934
• Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #​4941

Changed

• Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #​4810
• Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #​4593
• Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #​4747
• PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #​4768
• Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #​4853
• #[pyo3(from_py_with = ...)] now take a path rather than a string literal #​4860
• Format Python traceback in impl Debug for PyErr. #​4900
• Convert PathBuf & Path into Python pathlib.Path instead of PyString. #​4925
• Relax parsing of exotic Python versions. #​4949
• PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #​4874

Removed

• Remove implementations of Deref for PyAny and other "native" types. #​4593
• Remove implicit default of trailing optional arguments (see #​2935) #​4729
• Remove the deprecated implicit eq fallback for simple enums. #​4730

Fixed

• Correct FFI definition of PyIter_Send to return a PySendResult. #​4746
• Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #​4948

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.