fix(deps): bump pyo3 + numpy 0.27 → 0.29 (security)#213
PR Summary by Qodo

Bump PyO3 + rust-numpy to 0.29.0 for Python bindings (security)

Description
• Bump PyO3 to 0.29.0 in both Python binding crates to address advisories.
• Bump rust-numpy to 0.29.0 to stay aligned with PyO3's minor line.
• Keep abi3-py310 extension-module configuration unchanged; no binding code changes.

Diagram
graph TD
A["ordvec-python (binding)"] --> B{{"PyO3 0.29"}} --> E{{"Python abi3"}}
A --> C{{"rust-numpy 0.29"}}
D["ordvec-manifest-python (binding)"] --> B

High-Level Assessment
The chosen approach (bumping the PyO3/rust-numpy minor line in the binding manifests) is the most direct and maintainable way to resolve the security advisories. Alternatives such as pinning only Cargo.lock or attempting a backport/fork would be fragile for fresh builds and increase long-term maintenance cost.

File Changes: Other (2)
Code Review
This pull request upgrades the pyo3 and numpy dependencies to version 0.29.0 across the workspace packages, including ordvec-manifest-python and ordvec-python. Consequently, unused dependencies such as indoc, memoffset, and unindent have been removed from Cargo.lock. There are no review comments, and I have no feedback to provide.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Resolves two GitHub advisories affecting the Python binding manifests (ordvec-python/Cargo.toml, ordvec-manifest-python/Cargo.toml, Cargo.lock):
- GHSA-36hh-v3qg-5jq4 (high): PyO3 out-of-bounds read in nth/nth_back for PyList/PyTuple iterators (vulnerable < 0.29.0).
- GHSA-chgr-c6px-7xpp (medium): PyO3 missing Sync bound on PyCFunction::new_closure closures (vulnerable < 0.29.0).

numpy moves to 0.29.0 in lockstep (rust-numpy tracks pyo3's minor line).

No binding code changes required: clippy -D warnings + fmt are clean for both bindings, maturin develop builds the abi3-py310 wheel, and the full pytest suite (510 passed) is green. The core crate is unaffected (pyo3 is binding-only; MSRV 1.89 preserved — pyo3 0.29 floors at 1.83).

Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
cd6c6f4 to 1267579
Security: PyO3 0.27 → 0.29

Resolves two GitHub/RustSec advisories on the Python binding manifests (`ordvec-python`, `ordvec-manifest-python`, `Cargo.lock`):
- GHSA-36hh-v3qg-5jq4 (high): out-of-bounds read in `nth`/`nth_back` for `PyList`/`PyTuple` iterators (< 0.29.0)
- GHSA-chgr-c6px-7xpp (medium): missing `Sync` bound on `PyCFunction::new_closure` closures (< 0.29.0)

`numpy` (rust-numpy) moves to 0.29.0 in lockstep — it tracks pyo3's minor line and requires `pyo3 ^0.29`.

Why this is a clean bump
- `Bound<>` API; the deprecated `into_py`/`IntoPy` calls still compile warning-free under 0.29.
- deps no-system-deps gate is `-p ordvec`-scoped).

Validation (local, mirrors the binding gate)
- `cargo clippy -p ordvec-python --all-targets -- -D warnings` ✅
- `cargo clippy -p ordvec-manifest-python --all-targets -- -D warnings` ✅
- `cargo fmt -p ordvec-python -p ordvec-manifest-python --check` ✅
- `cargo build --locked -p ordvec` (core, new lock) ✅
- `maturin develop` → builds `ordvec-0.5.0-cp310-abi3-linux_x86_64.whl` ✅
- `pytest ordvec-python/tests` → 510 passed ✅

Scope: dependency bump only; no public API or core changes.