From 12675798b0bdb1a94bcca4673a53ce07753cdb77 Mon Sep 17 00:00:00 2001
From: Nelson Spence
Date: Sun, 14 Jun 2026 07:39:36 -0500
Subject: [PATCH] =?UTF-8?q?fix(deps):=20bump=20pyo3=20+=20numpy=200.27=20?=
 =?UTF-8?q?=E2=86=92=200.29=20(security)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves two GitHub advisories affecting the Python binding manifests (ordvec-python/Cargo.toml, ordvec-manifest-python/Cargo.toml, Cargo.lock):

- GHSA-36hh-v3qg-5jq4 (high): PyO3 out-of-bounds read in nth/nth_back for PyList/PyTuple iterators (vulnerable < 0.29.0).
- GHSA-chgr-c6px-7xpp (medium): PyO3 missing Sync bound on PyCFunction::new_closure closures (vulnerable < 0.29.0).

numpy moves to 0.29.0 in lockstep (rust-numpy tracks pyo3's minor line).

No binding code changes required: clippy -D warnings + fmt are clean for both bindings, maturin develop builds the abi3-py310 wheel, and the full pytest suite (510 passed) is green. The core crate is unaffected (pyo3 is binding-only; MSRV 1.89 preserved — pyo3 0.29 floors at 1.83).

Signed-off-by: Nelson Spence
---
 Cargo.lock                        | 52 +++++++------------------------
 ordvec-manifest-python/Cargo.toml |  2 +-
 ordvec-python/Cargo.toml          |  4 +--
 3 files changed, 15 insertions(+), 43 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 918d07b..235bcd8 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -436,15 +436,6 @@ dependencies = [
  "serde_core",
 ]
 
-[[package]]
-name = "indoc"
-version = "2.0.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79cf5c93f93228cf8efb3ba362535fb11199ac548a09ce117c9b1adc3030d706"
-dependencies = [
- "rustversion",
-]
-
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
@@ -520,15 +511,6 @@ version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
-[[package]]
-name = "memoffset"
-version = "0.9.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a"
-dependencies = [
- "autocfg",
-]
-
 [[package]]
 name = "ndarray"
 version = "0.17.2"
@@ -573,9 +555,9 @@ dependencies = [
 
 [[package]]
 name = "numpy"
-version = "0.27.1"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7aac2e6a6e4468ffa092ad43c39b81c79196c2bb773b8db4085f695efe3bba17"
+checksum = "6a5b15d63a5ff39e378daed0e1340d3a5964703ea9712eb09a0dc66fade996f4"
 dependencies = [
  "libc",
  "ndarray",
@@ -707,35 +689,32 @@ dependencies = [
 
 [[package]]
 name = "pyo3"
-version = "0.27.2"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab53c047fcd1a1d2a8820fe84f05d6be69e9526be40cb03b73f86b6b03e6d87d"
+checksum = "cd274650b21d4bfc26a0a47587962c1edb425f69287324355cd040c3ea66071c"
 dependencies = [
- "indoc",
  "libc",
- "memoffset",
  "once_cell",
  "portable-atomic",
  "pyo3-build-config",
  "pyo3-ffi",
  "pyo3-macros",
- "unindent",
 ]
 
 [[package]]
 name = "pyo3-build-config"
-version = "0.27.2"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b455933107de8642b4487ed26d912c2d899dec6114884214a0b3bb3be9261ea6"
+checksum = "c5e2a7d2f0d013342f295c048ad19237add5154a55b1c5a254c0ec93d4109078"
 dependencies = [
  "target-lexicon",
 ]
 
 [[package]]
 name = "pyo3-ffi"
-version = "0.27.2"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c85c9cbfaddf651b1221594209aed57e9e5cff63c4d11d1feead529b872a089"
+checksum = "ca85c467da1bbc8d866eea5deff9cf29ea5f7785054a17da36e65bda9c05845b"
 dependencies = [
  "libc",
  "pyo3-build-config",
@@ -743,9 +722,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3-macros"
-version = "0.27.2"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a5b10c9bf9888125d917fb4d2ca2d25c8df94c7ab5a52e13313a07e050a3b02"
+checksum = "9ac53762fd065daa3194dd09337a38bd793a188100fd1a9304c4ab312d901771"
 dependencies = [
  "proc-macro2",
  "pyo3-macros-backend",
@@ -755,13 +734,12 @@ dependencies = [
 
 [[package]]
 name = "pyo3-macros-backend"
-version = "0.27.2"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03b51720d314836e53327f5871d4c0cfb4fb37cc2c4a11cc71907a86342c40f9"
+checksum = "4ca3a1557399783172dc5bf39cfca835157732532cba56b71d2292161e53b362"
 dependencies = [
  "heck",
  "proc-macro2",
- "pyo3-build-config",
  "quote",
  "syn",
 ]
@@ -1048,12 +1026,6 @@ version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
 
-[[package]]
-name = "unindent"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7264e107f553ccae879d21fbea1d6724ac785e8c3bfc762137959b5802826ef3"
-
 [[package]]
 name = "utf8parse"
 version = "0.2.2"
diff --git a/ordvec-manifest-python/Cargo.toml b/ordvec-manifest-python/Cargo.toml
index e9f8ea4..89663be 100644
--- a/ordvec-manifest-python/Cargo.toml
+++ b/ordvec-manifest-python/Cargo.toml
@@ -15,6 +15,6 @@ crate-type = ["cdylib"]
 
 [dependencies]
 ordvec_manifest_core = { package = "ordvec-manifest", path = "../ordvec-manifest", default-features = false }
-pyo3 = { version = "0.27.0", features = ["extension-module", "abi3-py310"] }
+pyo3 = { version = "0.29.0", features = ["extension-module", "abi3-py310"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
diff --git a/ordvec-python/Cargo.toml b/ordvec-python/Cargo.toml
index 052e2d4..2f1f56b 100644
--- a/ordvec-python/Cargo.toml
+++ b/ordvec-python/Cargo.toml
@@ -18,5 +18,5 @@ crate-type = ["cdylib"]
 # Alias the core crate as `ordvec_core` so binding code is unambiguous and never
 # mixes `ordvec::` with the Python-facing `ordvec` package name.
 ordvec_core = { package = "ordvec", path = ".." }
-pyo3 = { version = "0.27.0", features = ["extension-module", "abi3-py310"] }
-numpy = "0.27.0"
+pyo3 = { version = "0.29.0", features = ["extension-module", "abi3-py310"] }
+numpy = "0.29.0"