fix(deps): update rust crate pyo3 to v0.22.4 [security] #22
This PR contains the following updates:
pyo3: 0.22.0 -> 0.22.4
GitHub Vulnerability Alerts
CVE-2024-9979
The family of functions to read "borrowed" values from Python weak references were fundamentally unsound, because the weak reference does itself not have ownership of the value. At any point the last strong reference could be cleared and the borrowed value would become dangling.
In PyO3 0.22.4 these functions have all been deprecated and patched to leak a strong reference as a mitigation. PyO3 0.23 will remove these functions entirely.
Release Notes
pyo3/pyo3 (pyo3)
v0.22.4
Added
PyWeakref_GetRef and compat::PyWeakref_GetRef. #4528
Changed
_borrowed methods on PyWeakRef and PyWeakrefProxy (just use the owning forms). #4590
Fixed
_PyLong_NumBits on Python 3.13 and later. #4450
__traverse__ functions for base classes not being called by subclasses created with #[pyclass(extends = ...)]. #4563
#![forbid(unsafe_code)]. #4574
_borrowed methods on PyWeakRef and PyWeakrefProxy by leaking their contents. #4590
PyType_GetSlot on static types before Python 3.10. #4599
v0.22.3
Added
pyo3::ffi::compat namespace with compatibility shims for C API functions added in recent versions of Python.
PyDict_GetItemRef on Python 3.13 and newer, and compat::PyDict_GetItemRef for all versions. #4355
PyList_GetItemRef on Python 3.13 and newer, and pyo3_ffi::compat::PyList_GetItemRef for all versions. #4410
compat::Py_NewRef and compat::Py_XNewRef. #4445
compat::PyObject_CallNoArgs and compat::PyObject_CallMethodNoArgs. #4461
GilOnceCell<Py<T>>::clone_ref. #4511
Changed
#[pyfunction] defined inside #[pymethods]. #4349
Removed
_Py_PackageContext. #4420
Fixed
#[pymodule] under presence of #![no_implicit_prelude]. #4328
PyDict::get_item (unsafe in free-threaded Python). #4355
#[pyclass(eq)] macro hygiene issues for structs and enums. #4359
#[pyfunction] and #[pymethods] generated code which affected expansion in macro_rules context. #4382
unsafe_code lint error in #[pyclass] generated code. #4396
PyList::get_item (unsafe in free-threaded Python). #4410
PyArg_ParseTupleAndKeywords to take *const *const c_char instead of *mut *mut c_char on Python 3.13 and up. #4420
PyClassInitializer: panic if adding subclass to existing instance via PyClassInitializer::from(Py<BaseClass>).add_subclass(SubClass). #4454
__traverse__ handlers. #4479
v0.22.2
Packaging
UNSAFE_PYO3_BUILD_FREE_THREADED=1 environment variable (it is not yet supported by PyO3). #4327
Changed
#[pymodule(...)] now directly accepts all relevant #[pyo3(...)] options. #4330
Fixed
#[pymodule] under presence of #![no_implicit_prelude]. #4328
v0.22.1
Added
#[pyo3(submodule)] option for declarative #[pymodule]s. #4301
PartialEq<bool> for Bound<'py, PyBool>. #4305
Fixed
NotImplemented instead of raising TypeError from generated equality method when comparing different types. #4287
#[pyo3::prelude::pymodule] and similar for #[pyclass] and #[pyfunction] in declarative modules. #4288
#[setter] function. #4304
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
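The CVE-2024-9979 text above says the functions that read "borrowed" values from weak references were patched to leak a strong reference. The block below is an added illustration, not PyO3 code and not part of this PR: a std-only model that uses Rc/Weak in place of Python references to contrast the owning form with the leaking mitigation. The names Referent, get_owned, get_borrowed_leaking, demo_owned and demo_leaking are hypothetical.

```rust
use std::cell::Cell;
use std::rc::{Rc, Weak};

// Constructed stand-in for a Python object; `drops` records destructor runs.
struct Referent { value: u32, drops: Rc<Cell<u32>> }
impl Drop for Referent {
    fn drop(&mut self) { self.drops.set(self.drops.get() + 1); }
}

// Owning form: the caller holds its own strong reference to the referent.
fn get_owned(weak: &Weak<Referent>) -> Option<Rc<Referent>> {
    weak.upgrade()
}

// Borrowed form with the leak mitigation: one strong reference is taken and
// never released, so the borrow cannot dangle, but the referent is never freed.
fn get_borrowed_leaking(weak: &Weak<Referent>) -> Option<&Referent> {
    let ptr = Rc::into_raw(weak.upgrade()?);
    // SAFETY: the leaked strong count keeps the allocation alive forever.
    Some(unsafe { &*ptr })
}

// Returns (value read after the original owner is gone, drops at that point,
// drops after our own reference is released).
fn demo_owned() -> (u32, u32, u32) {
    let drops = Rc::new(Cell::new(0));
    let original = Rc::new(Referent { value: 7, drops: drops.clone() });
    let weak = Rc::downgrade(&original);
    let owned = get_owned(&weak).expect("referent is alive");
    drop(original); // the referent survives because `owned` is a strong reference
    let (value, before) = (owned.value, drops.get());
    drop(owned);
    (value, before, drops.get())
}

// Returns (value read after the original owner is gone, drops so far,
// whether the weak reference still resolves).
fn demo_leaking() -> (u32, u32, bool) {
    let drops = Rc::new(Cell::new(0));
    let original = Rc::new(Referent { value: 7, drops: drops.clone() });
    let weak = Rc::downgrade(&original);
    let borrowed = get_borrowed_leaking(&weak).expect("referent is alive");
    drop(original); // without the leak, `borrowed` would dangle from here on
    (borrowed.value, drops.get(), weak.upgrade().is_some())
}

fn main() {
    println!("owned: {:?}, leaking: {:?}", demo_owned(), demo_leaking());
}
```

In the owning case the destructor runs once the caller releases its reference; in the leaking case it never runs, which is the cost of keeping the deprecated borrowed form memory-safe.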