fix(deps): update rust crate pyo3 to 0.24 [security]#186

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/crate-pyo3-vulnerability

Contributor

renovate bot commented Apr 2, 2025 •

edited

Loading

This PR contains the following updates:

Package	Type	Update	Change
pyo3	dependencies	minor	`0.21` → `0.24`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

Release Notes

pyo3/pyo3 (pyo3)

`v0.24.1`

Added

Add abi3-py313 feature. #4969
Add PyAnyMethods::getattr_opt. #4978
Add PyInt::new constructor for all supported number types (i32, u32, i64, u64, isize, usize). #4984
Add pyo3::sync::with_critical_section2. #4992
Implement PyCallArgs for Borrowed<'_, 'py, PyTuple>, &Bound<'py, PyTuple>, and &Py<PyTuple>. #5013

Fixed

Fix is_type_of for native types not using same specialized check as is_type_of_bound. #4981
Fix Probe class naming issue with #[pymethods]. #4988
Fix compile failure with required #[pyfunction] arguments taking Option<&str> and Option<&T> (for #[pyclass] types). #5002
Fix PyString::from_object causing of bounds reads with encoding and errors parameters which are not nul-terminated. #5008
Fix compile error when additional options follow after crate for #[pyfunction]. #5015

`v0.24.0`

Packaging

Add supported CPython/PyPy versions to cargo package metadata. #4756
Bump target-lexicon dependency to 0.13. #4822
Add optional jiff dependency to add conversions for jiff datetime types. #4823
Add optional uuid dependency to add conversions for uuid::Uuid. #4864
Bump minimum supported inventory version to 0.3.5. #4954

Added

Add PyIterator::send method to allow sending values into a python generator. #4746
Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #4768
Add #[pyo3(default = ...'] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #4829
Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #4850
Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #4866
Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #4878
Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #4878
Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator #4897
Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #4917
Add MutextExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #4934
Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #4941

Changed

Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #4810
Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #4593
Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #4747
PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #4768
Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #4853
#[pyo3(from_py_with = ...)] now take a path rather than a string literal #4860
Format Python traceback in impl Debug for PyErr. #4900
Convert PathBuf & Path into Python pathlib.Path instead of PyString. #4925
Relax parsing of exotic Python versions. #4949
PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #4874

Removed

Remove implementations of Deref for PyAny and other "native" types. #4593
Remove implicit default of trailing optional arguments (see #2935) #4729
Remove the deprecated implicit eq fallback for simple enums. #4730

Fixed

Correct FFI definition of PyIter_Send to return a PySendResult. #4746
Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #4948

`v0.23.5`

Packaging

Add support for PyPy3.11 #4760

Fixed

Fix thread-unsafe implementation of freelist pyclasses on the free-threaded build. #4902
Re-enable a workaround for situations where CPython incorrectly does not add __builtins__ to __globals__ in code executed by Python::py_run (was removed in PyO3 0.23.0). #4921

`v0.23.4`

Added

Add PyList::locked_for_each, which uses a critical section to lock the list on the free-threaded build. #4789
Add pyo3_build_config::add_python_framework_link_args build script API to set rpath when using macOS system Python. #4833

Changed

Use datetime.fold to distinguish ambiguous datetimes when converting to and from chrono::DateTime<Tz> (rather than erroring). #4791
Optimize PyList iteration on the free-threaded build. #4789

Fixed

Fix unnecessary internal py.allow_threads GIL-switch when attempting to access contents of a PyErr which originated from Python (could lead to unintended deadlocks). #4766
Fix thread-unsafe access of dict internals in BoundDictIterator on the free-threaded build. #4788

Fix unnecessary critical sections in BoundDictIterator on the free-threaded build. #4788

Fix time-of-check to time-of-use issues with list iteration on the free-threaded build. #4789
Fix chrono::DateTime<Tz> to-Python conversion when Tz is chrono_tz::Tz. #4790
Fix #[pyclass] not being able to be named Probe. #4794
Fix not treating cross-compilation from x64 to aarch64 on Windows as a cross-compile. #4800
Fix missing struct fields on GraalPy when subclassing builtin classes. #4802
Fix generating import lib for PyPy when abi3 feature is enabled. #4806
Fix generating import lib for python3.13t when abi3 feature is enabled. #4808
Fix compile failure for raw identifiers like r#box in derive(FromPyObject). #4814
Fix compile failure for #[pyclass] enum variants with more than 12 fields. #4832

`v0.23.3`

Packaging

Bump optional python3-dll-a dependency to 0.2.11. #4749

Fixed

Fix unresolved symbol link failures on Windows when compiling for Python 3.13t with abi3 features enabled. #4733
Fix unresolved symbol link failures on Windows when compiling for Python 3.13t using the generate-import-lib feature. #4749
Fix compile-time regression in PyO3 0.23.0 where changing PYO3_CONFIG_FILE would not reconfigure PyO3 for the new interpreter. #4758

`v0.23.2`

Added

Add IntoPyObjectExt trait. #4708

Fixed

Fix compile failures when building for free-threaded Python when the abi3 or abi3-pyxx features are enabled. #4719
Fix ambiguous_associated_items lint error in #[pyclass] and #[derive(IntoPyObject)] macros. #4725

`v0.23.1`

Re-release of 0.23.0 with fixes to docs.rs build.

`v0.23.0`

Packaging

Add support for PyPy3.11 #4760

Fixed

Fix thread-unsafe implementation of freelist pyclasses on the free-threaded build. #4902
Re-enable a workaround for situations where CPython incorrectly does not add __builtins__ to __globals__ in code executed by Python::py_run (was removed in PyO3 0.23.0). #4921

`v0.22.6`: PyO3 0.22.6

This release corrects the check for free-threaded Python introduced in PyO3 0.22.2 to prevent users accidentally installing PyO3 packages on Python 3.13t; PyO3 0.22 does not support free-threaded Python. (Stay tuned for the 0.23 release coming very soon!)

Thanks @minrk for the report and @davidhewitt for the fix!

`v0.22.5`

Fixed

Fix regression in 0.22.4 of naming collision in __clear__ slot and clear method generated code. #4619

`v0.22.4`

Fixed

Fix regression in 0.22.4 of naming collision in __clear__ slot and clear method generated code. #4619

`v0.22.3`

Added

Add FFI definition PyWeakref_GetRef and compat::PyWeakref_GetRef. #4528

Changed

Deprecate _borrowed methods on PyWeakRef and PyWeakrefProxy (just use the owning forms). #4590

Fixed

Revert removal of private FFI function _PyLong_NumBits on Python 3.13 and later. #4450
Fix __traverse__ functions for base classes not being called by subclasses created with #[pyclass(extends = ...)]. #4563
Fix regression in 0.22.3 failing compiles under #![forbid(unsafe_code)]. #4574
Fix create_exception macro triggering lint and compile errors due to interaction with gil-refs feature. #4589
Workaround possible use-after-free in _borrowed methods on PyWeakRef and PyWeakrefProxy by leaking their contents. #4590
Fix crash calling PyType_GetSlot on static types before Python 3.10. #4599

`v0.22.2`

Packaging

Require opt-in to freethreaded Python using the UNSAFE_PYO3_BUILD_FREE_THREADED=1 environment variable (it is not yet supported by PyO3). #4327

Changed

Use FFI function calls for reference counting on all abi3 versions. #4324
#[pymodule(...)] now directly accepts all relevant #[pyo3(...)] options. #4330

Fixed

Fix compile failure in declarative #[pymodule] under presence of #![no_implicit_prelude]. #4328
Fix compile failure due to c-string literals on Rust < 1.79. #4353

`v0.22.1`

Added

Add #[pyo3(submodule)] option for declarative #[pymodule]s. #4301
Implement PartialEq<bool> for Bound<'py, PyBool>. #4305

Fixed

Return NotImplemented instead of raising TypeError from generated equality method when comparing different types. #4287
Handle full-path #[pyo3::prelude::pymodule] and similar for #[pyclass] and #[pyfunction] in declarative modules. #4288
Fix 128-bit int regression on big-endian platforms with Python <3.13. #4291
Stop generating code that will never be covered with declarative modules. #4297
Fix invalid deprecation warning for trailing optional on #[setter] function. #4304

`v0.22.0`

Packaging

Update heck dependency to 0.5. #3966
Extend range of supported versions of chrono-tz optional dependency to include version 0.10. #4061
Update MSRV to 1.63. #4129
Add optional num-rational feature to add conversions with Python's fractions.Fraction. #4148
Support Python 3.13. #4184

Added

Add PyWeakref, PyWeakrefReference and PyWeakrefProxy. #3835
Support #[pyclass] on enums that have tuple variants. #4072
Add support for scientific notation in Decimal conversion. #4079
Add pyo3_disable_reference_pool conditional compilation flag to avoid the overhead of the global reference pool at the cost of known limitations as explained in the performance section of the guide. #4095
Add #[pyo3(constructor = (...))] to customize the generated constructors for complex enum variants. #4158
Add PyType::module, which always matches Python __module__. #4196
Add PyType::fully_qualified_name which matches the "fully qualified name" defined in PEP 737. #4196
Add PyTypeMethods::mro and PyTypeMethods::bases. #4197
Add #[pyclass(ord)] to implement ordering based on PartialOrd. #4202
Implement ToPyObject and IntoPy<PyObject> for PyBackedStr and PyBackedBytes. #4205
Add #[pyclass(hash)] option to implement __hash__ in terms of the Hash implementation #4206
Add #[pyclass(eq)] option to generate __eq__ based on PartialEq, and #[pyclass(eq_int)] for simple enums to implement equality based on their discriminants. #4210
Implement From<Bound<'py, T>> for PyClassInitializer<T>. #4214
Add as_super methods to PyRef and PyRefMut for accessing the base class by reference. #4219
Implement PartialEq<str> for Bound<'py, PyString>. #4245
Implement PyModuleMethods::filename on PyPy. #4249
Implement PartialEq<[u8]> for Bound<'py, PyBytes>. #4250
Add pyo3_ffi::c_str macro to create &'static CStr on Rust versions which don't have 1.77's c"" literals. #4255
Support bool conversion with numpy 2.0's numpy.bool type #4258
Add PyAnyMethods::{bitnot, matmul, floor_div, rem, divmod}. #4264

Changed

Change the type of PySliceIndices::slicelength and the length parameter of PySlice::indices(). #3761
Deprecate implicit default for trailing optional arguments #4078
Cloneing pointers into the Python heap has been moved behind the py-clone feature, as it must panic without the GIL being held as a soundness fix. #4095
Add #[track_caller] to all Py<T>, Bound<'py, T> and Borrowed<'a, 'py, T> methods which can panic. #4098
Change PyAnyMethods::dir to be fallible and return PyResult<Bound<'py, PyList>> (and similar for PyAny::dir). #4100
The global reference pool (to track pending reference count decrements) is now initialized lazily to avoid the overhead of taking a mutex upon function entry when the functionality is not actually used. #4178
Emit error messages when using weakref or dict when compiling for abi3 for Python older than 3.9. #4194
Change PyType::name to always match Python __name__. #4196
Remove CPython internal ffi call for complex number including: add, sub, mul, div, neg, abs, pow. Added PyAnyMethods::{abs, pos, neg} #4201
Deprecate implicit integer comparison for simple enums in favor of #[pyclass(eq_int)]. #4210
Set the module= attribute of declarative modules' child #[pymodule]s and #[pyclass]es. #4213
Set the module option for complex enum variants from the value set on the complex enum module. #4228
Respect the Python "limited API" when building for the abi3 feature on PyPy or GraalPy. #4237
Optimize code generated by #[pyo3(get)] on #[pyclass] fields. #4254
PyCFunction::new, PyCFunction::new_with_keywords and PyCFunction::new_closure now take &'static CStr name and doc arguments (previously was &'static str). #4255
The experimental-declarative-modules feature is now stabilized and available by default. #4257

Fixed

Fix panic when PYO3_CROSS_LIB_DIR is set to a missing path. #4043
Fix a compile error when exporting an exception created with create_exception! living in a different Rust module using the declarative-module feature. #4086
Fix FFI definitions of PY_VECTORCALL_ARGUMENTS_OFFSET and PyVectorcall_NARGS to fix a false-positive assertion. #4104
Disable PyUnicode_DATA on PyPy: not exposed by PyPy. #4116
Correctly handle #[pyo3(from_py_with = ...)] attribute on dunder (__magic__) method arguments instead of silently ignoring it. #4117
Fix a compile error when declaring a standalone function or class method with a Python name that is a Rust keyword. #4226
Fix declarative modules discarding doc comments on the mod node. #4236
Fix __dict__ attribute missing for #[pyclass(dict)] instances when building for abi3 on Python 3.9. #4251

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update rust crate pyo3 to 0.24 [security]

8c0ded7

renovate bot added the security label

Contributor Author

renovate bot commented Apr 2, 2025 •

edited

Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating crates.io index
    Updating git repository `https://github.com/harphield/riichi-tools-rs`
From https://github.com/harphield/riichi-tools-rs
 * [new ref]         cc3eb9faad91edd5dd3fc7509a171b8840926f49 -> refs/commit/cc3eb9faad91edd5dd3fc7509a171b8840926f49
error: failed to select a version for `pyo3`.
    ... required by package `numpy v0.21.0`
    ... which satisfies dependency `numpy = "^0.21"` of package `mjai v0.2.1 (/tmp/renovate/repos/github/smly/mjai.app)`
versions that meet the requirements `^0.21.0` are: 0.21.2, 0.21.1, 0.21.0

package `pyo3` links to the native library `python`, but it conflicts with a previous package which links to `python` as well:
package `pyo3 v0.24.0`
    ... which satisfies dependency `pyo3 = "^0.24"` of package `mjai v0.2.1 (/tmp/renovate/repos/github/smly/mjai.app)`
Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the `links = "python"` value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links.

failed to select a version for `pyo3` which could resolve this conflict

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels