Skip to content

fix(deps): update rust crate pyo3 to 0.24 [security]#47

Merged
cameronraysmith merged 3 commits intomainfrom
renovate/crate-pyo3-vulnerability
Feb 7, 2026
Merged

fix(deps): update rust crate pyo3 to 0.24 [security]#47
cameronraysmith merged 3 commits intomainfrom
renovate/crate-pyo3-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 5, 2026

This PR contains the following updates:

Package Type Update Change
pyo3 dependencies minor 0.230.24

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.


Release Notes

pyo3/pyo3 (pyo3)

v0.24.1

Compare Source

Added
  • Add abi3-py313 feature. #​4969
  • Add PyAnyMethods::getattr_opt. #​4978
  • Add PyInt::new constructor for all supported number types (i32, u32, i64, u64, isize, usize). #​4984
  • Add pyo3::sync::with_critical_section2. #​4992
  • Implement PyCallArgs for Borrowed<'_, 'py, PyTuple>, &Bound<'py, PyTuple>, and &Py<PyTuple>. #​5013
Fixed
  • Fix is_type_of for native types not using same specialized check as is_type_of_bound. #​4981
  • Fix Probe class naming issue with #[pymethods]. #​4988
  • Fix compile failure with required #[pyfunction] arguments taking Option<&str> and Option<&T> (for #[pyclass] types). #​5002
  • Fix PyString::from_object causing of bounds reads with encoding and errors parameters which are not nul-terminated. #​5008
  • Fix compile error when additional options follow after crate for #[pyfunction]. #​5015

v0.24.0

Compare Source

Packaging
  • Add supported CPython/PyPy versions to cargo package metadata. #​4756
  • Bump target-lexicon dependency to 0.13. #​4822
  • Add optional jiff dependency to add conversions for jiff datetime types. #​4823
  • Add optional uuid dependency to add conversions for uuid::Uuid. #​4864
  • Bump minimum supported inventory version to 0.3.5. #​4954
Added
  • Add PyIterator::send method to allow sending values into a python generator. #​4746
  • Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #​4768
  • Add #[pyo3(default = ...'] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #​4829
  • Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #​4850
  • Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #​4866
  • Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #​4878
  • Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #​4878
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator #​4897
  • Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #​4917
  • Add MutextExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #​4934
  • Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #​4941
Changed
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #​4810
  • Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #​4593
  • Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #​4747
  • PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #​4768
  • Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #​4853
  • #[pyo3(from_py_with = ...)] now take a path rather than a string literal #​4860
  • Format Python traceback in impl Debug for PyErr. #​4900
  • Convert PathBuf & Path into Python pathlib.Path instead of PyString. #​4925
  • Relax parsing of exotic Python versions. #​4949
  • PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #​4874
Removed
  • Remove implementations of Deref for PyAny and other "native" types. #​4593
  • Remove implicit default of trailing optional arguments (see #​2935) #​4729
  • Remove the deprecated implicit eq fallback for simple enums. #​4730
Fixed
  • Correct FFI definition of PyIter_Send to return a PySendResult. #​4746
  • Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #​4948

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Feb 5, 2026
@renovate
Copy link
Contributor Author

renovate bot commented Feb 7, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@cameronraysmith cameronraysmith force-pushed the renovate/crate-pyo3-vulnerability branch from 1eefd36 to 241274c Compare February 7, 2026 03:26
@sciexp sciexp deleted a comment from github-actions bot Feb 7, 2026
@cameronraysmith cameronraysmith force-pushed the renovate/crate-pyo3-vulnerability branch from 241274c to efede1e Compare February 7, 2026 03:49
@cameronraysmith cameronraysmith force-pushed the renovate/crate-pyo3-vulnerability branch from efede1e to 7783000 Compare February 7, 2026 03:50
@sciexp sciexp deleted a comment from github-actions bot Feb 7, 2026
@cameronraysmith cameronraysmith merged commit 840e198 into main Feb 7, 2026
33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant

Comments