fix(deps): bump pyo3 to 0.29 to resolve two security advisories#2122
Merged
Conversation
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
bashkit | 5b89da6 | Commit Preview URL Branch Preview URL |
Jun 23 2026, 09:54 AM |
Bumps pyo3 and pyo3-async-runtimes from 0.28 to 0.29, resolving two Dependabot security advisories in the bashkit-python extension: - GHSA-36hh-v3qg-5jq4 (high): out-of-bounds read in `nth`/`nth_back` for `PyList`/`PyTuple` iterators - GHSA-chgr-c6px-7xpp (medium): missing `Sync` bound on `PyCFunction::new_closure` closures The upgrade was blocked by `monty` -> `jiter 0.15.0`, whose optional `pyo3 = "^0.28.2"` constrains the whole graph through pyo3-ffi's `links = "python"` global uniqueness (monty enables jiter's `num-bigint` feature, whose weak `pyo3?/num-bigint` reference forces the resolver to honour that bound even though jiter's `python` feature is never activated). jiter `main` is still version 0.15.0 — so semver-compatible with monty's `^0.15.0` — but already tracks pyo3 0.29, so it is pinned via `[patch.crates-io]` to unblock the bump without a fork. - Update `PyCapsule::new` -> `PyCapsule::new_with_value` (0.29 API) - Allow the pydantic/jiter git source in deny.toml - Refresh cargo-vet exemptions to pyo3 0.29.0 Verified: cargo check/clippy -D warnings, cargo vet --locked, and the bashkit-python filesystem-capsule interop tests all pass under 0.29.
chaliy
force-pushed
the
claude/friendly-einstein-utblyo
branch
from
ccab1e7 to
5b89da6
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bumps
pyo3andpyo3-async-runtimesfrom 0.28 to 0.29, resolving two open Dependabot security advisories affecting thebashkit-pythonextension:nth/nth_backforPyList/PyTupleiteratorsSyncbound onPyCFunction::new_closureclosuresWhy it needed a jiter patch
The upgrade was blocked by
monty→jiter 0.15.0, whose optionalpyo3 = "^0.28.2"pins the whole workspace below 0.29 through pyo3-ffi'slinks = "python"global uniqueness. monty enables jiter'snum-bigintfeature, whose weakpyo3?/num-bigintreference forces the resolver to honour that 0.28 bound even though jiter'spythonfeature is never activated here.jiter
mainis still version0.15.0(semver-compatible with monty's^0.15.0) but already tracks pyo3 0.29, so it is pinned via[patch.crates-io]to upstream main — unblocking the bump without a fork. The patch can be dropped once monty ships a release tracking a published jiter with pyo3 0.29.Changes
Cargo.toml: pyo3/pyo3-async-runtimes → 0.29;[patch.crates-io]jiter → upstream main (with rationale comment)Cargo.lock: pyo3 stack → 0.29.0 (kept git-dep-free, matching the repo convention)crates/bashkit-python/src/lib.rs:PyCapsule::new→PyCapsule::new_with_value(0.29 API)deny.toml: allow thepydantic/jitergit sourcesupply-chain/config.toml: refresh cargo-vet exemptions to pyo3 0.29.0Verification
cargo check/cargo clippy -- -D warnings(bashkit-python) ✅cargo vet --locked(full graph) ✅cargo fmt --check✅maturin developand the random-fs fixture; runtime smoke (exec + VFS) and thetest_filesystem_interop.pycapsule export/import tests (the changed code path) all pass under pyo3 0.29 ✅