Skip to content

security: clear 6 high Dependabot alerts (pyo3 0.24→0.29, tornado, soupsieve)#686

Open
jhamon wants to merge 1 commit into
mainfrom
security/deps-highs
Open

security: clear 6 high Dependabot alerts (pyo3 0.24→0.29, tornado, soupsieve)#686
jhamon wants to merge 1 commit into
mainfrom
security/deps-highs

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Security fast-track (PIN-6)

Clears all 6 high Dependabot alerts on the Python SDK. Highest-blast-radius SDK after go-pinecone; pyo3 is a runtime dependency (the gRPC extension module), the rest are transitive dev/test deps.

Runtime dependency

  • pyo3 0.240.29 (rust/Cargo.toml, Cargo.lock) — fixes out-of-bounds read in nth/nth_back for PyList/PyTuple iterators.
    • Migrated the extension to the pyo3 0.29 API — all pure renames, no behavioral change:
      • Python::with_gilPython::attach
      • Python::allow_threadsPython::detach
      • Bound::downcast / downcast_intocast / cast_into
      • removed PyObject prelude alias → Py<PyAny>

Transitive (dev/test) deps — uv.lock

  • tornado 6.5.56.5.7 — auth header forwarded across cross-origin redirects + gzip-bomb (2 high)
  • soupsieve 2.8.32.8.4 — ReDoS + memory exhaustion in the selector parser (2 high)

Verification

  • cargo check + cargo clippy clean against pyo3 0.29 ✅
  • maturin develop builds the abi3 wheel and it imports ✅
  • 279 grpc unit tests pass (18 skipped) — exercises the migrated prost↔Python conversion and error-mapping code paths ✅
  • Full integration + smoke suites run in CI.

Part of the fleet-wide security fast-track. One PR per repo.


Note

Medium Risk
pyo3 is a runtime dependency for the gRPC extension; the changes are mechanical API migrations but touch every Python↔Rust boundary and blocking RPC path, so regressions would affect all gRPC client operations.

Overview
Security / dependency bumps to clear high Dependabot alerts: runtime pyo3 0.240.29 in rust/Cargo.toml with matching Cargo.lock updates (drops transitive crates like indoc, memoffset, unindent).

The gRPC extension in transport.rs is updated for pyo3 0.29 with API renames onlyPython::with_gilPython::attach, allow_threadsdetach, downcast/downcast_intocast/cast_into, and PyObjectPy<PyAny> in prost↔Python conversion—across error mapping, metadata handling, throttle callbacks, and all async RPC paths.

uv.lock bumps the editable package to 9.1.0 and transitive dev/test deps tornado 6.5.56.5.7 and soupsieve 2.8.32.8.4.

Reviewed by Cursor Bugbot for commit 778dce2. Bugbot is set up for automated code reviews on this repo. Configure here.

Runtime dependency:
- pyo3 0.24 -> 0.29 in rust/Cargo.toml + Cargo.lock. Fixes the pyo3
  out-of-bounds read in nth/nth_back for PyList/PyTuple iterators (high).
  Migrated the extension to the 0.29 API: Python::with_gil -> Python::attach,
  Python::allow_threads -> Python::detach, Bound::downcast[_into] -> cast[_into],
  and the removed PyObject prelude alias -> Py<PyAny>. Pure renames; no
  behavioral change.

Transitive (dev/test) deps in uv.lock:
- tornado 6.5.5 -> 6.5.7 (auth-header cross-origin redirect leak + gzip-bomb, 2 high)
- soupsieve 2.8.3 -> 2.8.4 (ReDoS + memory exhaustion in selector parser, 2 high)

Verified: cargo check + cargo clippy clean against pyo3 0.29; maturin develop
builds the abi3 wheel; extension imports; 279 grpc unit tests pass (18 skipped),
covering the migrated prost<->Python conversion and error-mapping paths.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jhamon

jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator Author

Independently verified the pyo3 0.24→0.29 Rust migration locally (PIN-38, closes Dependabot alerts #73/#74). All green:

cargo check              → clean (the 22 pre-migration errors are gone)
cargo clippy --all-targets -- -D warnings → clean
cargo fmt --check        → clean
maturin build            → built pinecone-9.1.0-cp310-abi3 wheel
python import _grpc.abi3.so → loads OK, exports GrpcChannel

The API changes are the correct 0.29 renames: Python::with_gilPython::attach, py.allow_threadspy.detach, PyObjectPy<PyAny>, downcast(_into)cast(_into). Native module loads under Python 3, so the abi3 ABI is intact.

Not covered here (needs PINECONE_API_KEY): the live gRPC integration suite. That's an env gap, not a migration defect — the extension compiles and imports cleanly.

Supersedes Dependabot PR #676, which bumps the version without the transport.rs port and would not compile.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant