security: clear 6 high Dependabot alerts (pyo3 0.24→0.29, tornado, soupsieve)#686
Open
jhamon wants to merge 1 commit into
Open
security: clear 6 high Dependabot alerts (pyo3 0.24→0.29, tornado, soupsieve)#686jhamon wants to merge 1 commit into
jhamon wants to merge 1 commit into
Conversation
Runtime dependency: - pyo3 0.24 -> 0.29 in rust/Cargo.toml + Cargo.lock. Fixes the pyo3 out-of-bounds read in nth/nth_back for PyList/PyTuple iterators (high). Migrated the extension to the 0.29 API: Python::with_gil -> Python::attach, Python::allow_threads -> Python::detach, Bound::downcast[_into] -> cast[_into], and the removed PyObject prelude alias -> Py<PyAny>. Pure renames; no behavioral change. Transitive (dev/test) deps in uv.lock: - tornado 6.5.5 -> 6.5.7 (auth-header cross-origin redirect leak + gzip-bomb, 2 high) - soupsieve 2.8.3 -> 2.8.4 (ReDoS + memory exhaustion in selector parser, 2 high) Verified: cargo check + cargo clippy clean against pyo3 0.29; maturin develop builds the abi3 wheel; extension imports; 279 grpc unit tests pass (18 skipped), covering the migrated prost<->Python conversion and error-mapping paths. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
Independently verified the pyo3 0.24→0.29 Rust migration locally (PIN-38, closes Dependabot alerts #73/#74). All green: The API changes are the correct 0.29 renames: Not covered here (needs Supersedes Dependabot PR #676, which bumps the version without the transport.rs port and would not compile. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security fast-track (PIN-6)
Clears all 6 high Dependabot alerts on the Python SDK. Highest-blast-radius SDK after go-pinecone;
pyo3is a runtime dependency (the gRPC extension module), the rest are transitive dev/test deps.Runtime dependency
0.24→0.29(rust/Cargo.toml,Cargo.lock) — fixes out-of-bounds read innth/nth_backforPyList/PyTupleiterators.Python::with_gil→Python::attachPython::allow_threads→Python::detachBound::downcast/downcast_into→cast/cast_intoPyObjectprelude alias →Py<PyAny>Transitive (dev/test) deps —
uv.lock6.5.5→6.5.7— auth header forwarded across cross-origin redirects + gzip-bomb (2 high)2.8.3→2.8.4— ReDoS + memory exhaustion in the selector parser (2 high)Verification
cargo check+cargo clippyclean against pyo3 0.29 ✅maturin developbuilds the abi3 wheel and it imports ✅Part of the fleet-wide security fast-track. One PR per repo.
Note
Medium Risk
pyo3 is a runtime dependency for the gRPC extension; the changes are mechanical API migrations but touch every Python↔Rust boundary and blocking RPC path, so regressions would affect all gRPC client operations.
Overview
Security / dependency bumps to clear high Dependabot alerts: runtime pyo3
0.24→0.29inrust/Cargo.tomlwith matchingCargo.lockupdates (drops transitive crates likeindoc,memoffset,unindent).The gRPC extension in
transport.rsis updated for pyo3 0.29 with API renames only—Python::with_gil→Python::attach,allow_threads→detach,downcast/downcast_into→cast/cast_into, andPyObject→Py<PyAny>in prost↔Python conversion—across error mapping, metadata handling, throttle callbacks, and all async RPC paths.uv.lockbumps the editable package to 9.1.0 and transitive dev/test deps tornado6.5.5→6.5.7and soupsieve2.8.3→2.8.4.Reviewed by Cursor Bugbot for commit 778dce2. Bugbot is set up for automated code reviews on this repo. Configure here.