[deps]: Update Rust crate pyo3 to 0.24.0 [SECURITY] #1226

Open: wants to merge 2 commits into base: main

Conversation

@renovate renovate bot commented Apr 2, 2025

This PR contains the following updates:

Package  Type          Update  Change
pyo3     dependencies  minor   0.22.1 -> 0.24.0

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.


Release Notes

pyo3/pyo3 (pyo3)

v0.24.1

This release is a security fix for the PyString::from_object method, which passed &str data to the Python C API without checking for a terminating nul byte. All historical PyO3 versions are affected, and we recommend you upgrade if you are using PyString::from_object. Thank you to @​vthib for the report and @​Dr-Emann for the fix. A RUSTSEC advisory will be published shortly.

Aside from the security fix, this release contains a number of other non-breaking additions:

  • An abi3-py313 feature to support compiling with the Python 3.13 stable ABI.
  • PyAnyMethods::getattr_opt to get optional attributes without paying the cost of a Python exception when the attribute in question does not exist.
  • Constructor for PyInt::new.
  • with_critical_section2 for locking two objects at the same time on the free-threaded build.
  • Fix for a PyO3 0.24.0 regression with Option<&str> and Option<&T> (where T: PyClass) function arguments no longer being permitted

There are also a few other small bug fixes for edge cases, mostly related to compile errors from PyO3's macro code.

Thank you to the following contributors for the improvements:

@​bschoenmaeckers
@​davidhewitt
@​Dr-Emann
@​emmagordon
@​epontan
@​Icxolu
@​IvanIsCoding
@​jelmer
@​jonaspleyer
@​ngoldbaum
@​Owen-CH-Leung
@​Tpt
@​Trolldemorted
@​XuehaiPan

v0.24.0

Packaging
  • Add supported CPython/PyPy versions to cargo package metadata. #​4756
  • Bump target-lexicon dependency to 0.13. #​4822
  • Add optional jiff dependency to add conversions for jiff datetime types. #​4823
  • Bump minimum supported inventory version to 0.3.5. #​4954
Added
  • Add PyIterator::send method to allow sending values into a python generator. #​4746
  • Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #​4768
  • Add #[pyo3(default = ...)] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #​4829
  • Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #​4850
  • Add uuid to/from python conversions. #​4864
  • Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #​4866
  • Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #​4878
  • Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #​4878
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator #​4897
  • Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #​4917
  • Add MutexExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #​4934
  • Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #​4941
Changed
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #​4810
  • Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #​4593
  • Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #​4747
  • PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #​4768
  • Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #​4853
  • #[pyo3(from_py_with = ...)] now take a path rather than a string literal #​4860
  • Format Python traceback in impl Debug for PyErr. #​4900
  • Convert PathBuf & Path into Python pathlib.Path instead of PyString. #​4925
  • Relax parsing of exotic Python versions. #​4949
  • PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #​4874
Removed
  • Remove implementations of Deref for PyAny and other "native" types. #​4593
  • Remove implicit default of trailing optional arguments (see #​2935) #​4729
  • Remove the deprecated implicit eq fallback for simple enums. #​4730
Fixed
  • Correct FFI definition of PyIter_Send to return a PySendResult. #​4746
  • Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #​4948

v0.23.5

Fixed
  • Fix thread-unsafe implementation of freelist pyclasses on the free-threaded build. #​4902
  • Re-enable a workaround for situations where CPython incorrectly does not add __builtins__ to __globals__ in code executed by Python::py_run (was removed in PyO3 0.23.0). #​4921

v0.23.4

Added
  • Add PyList::locked_for_each, which uses a critical section to lock the list on the free-threaded build. #​4789
  • Add pyo3_build_config::add_python_framework_link_args build script API to set rpath when using macOS system Python. #​4833
Changed
  • Use datetime.fold to distinguish ambiguous datetimes when converting to and from chrono::DateTime<Tz> (rather than erroring). #​4791
  • Optimize PyList iteration on the free-threaded build. #​4789
Fixed
  • Fix unnecessary internal py.allow_threads GIL-switch when attempting to access contents of a PyErr which originated from Python (could lead to unintended deadlocks). #​4766
  • Fix thread-unsafe access of dict internals in BoundDictIterator on the free-threaded build. #​4788
  • Fix unnecessary critical sections in BoundDictIterator on the free-threaded build. #​4788
  • Fix time-of-check to time-of-use issues with list iteration on the free-threaded build. #​4789
  • Fix chrono::DateTime<Tz> to-Python conversion when Tz is chrono_tz::Tz. #​4790
  • Fix #[pyclass] not being able to be named Probe. #​4794
  • Fix not treating cross-compilation from x64 to aarch64 on Windows as a cross-compile. #​4800
  • Fix missing struct fields on GraalPy when subclassing builtin classes. #​4802
  • Fix generating import lib for PyPy when abi3 feature is enabled. #​4806
  • Fix generating import lib for python3.13t when abi3 feature is enabled. #​4808
  • Fix compile failure for raw identifiers like r#box in derive(FromPyObject). #​4814
  • Fix compile failure for #[pyclass] enum variants with more than 12 fields. #​4832

v0.23.3

Packaging
  • Bump optional python3-dll-a dependency to 0.2.11. #​4749
Fixed
  • Fix unresolved symbol link failures on Windows when compiling for Python 3.13t with abi3 features enabled. #​4733
  • Fix unresolved symbol link failures on Windows when compiling for Python 3.13t using the generate-import-lib feature. #​4749
  • Fix compile-time regression in PyO3 0.23.0 where changing PYO3_CONFIG_FILE would not reconfigure PyO3 for the new interpreter. #​4758

v0.23.2

Fixed
  • Fix compile failures when building for free-threaded Python when the abi3 or abi3-pyxx features are enabled. #​4719
  • Fix ambiguous_associated_items lint error in #[pyclass] and #[derive(IntoPyObject)] macros. #​4725

v0.23.1

Re-release of 0.23.0 with fixes to docs.rs build.

v0.23.0

Packaging
  • Drop support for PyPy 3.7 and 3.8. #​4582
  • Extend range of supported versions of hashbrown optional dependency to include version 0.15. #​4604
  • Bump minimum version of eyre optional dependency to 0.6.8. #​4617
  • Bump minimum version of hashbrown optional dependency to 0.14.5. #​4617
  • Bump minimum version of indexmap optional dependency to 2.5.0. #​4617
  • Bump minimum version of num-complex optional dependency to 0.4.6. #​4617
  • Bump minimum version of chrono-tz optional dependency to 0.10. #​4617
  • Support free-threaded Python 3.13t. #​4588
Added
  • Add IntoPyObject (fallible) conversion trait to convert from Rust to Python values. #​4060
  • Add #[pyclass(str="<format string>")] option to generate __str__ based on a Display implementation or format string. #​4233
  • Implement PartialEq for Bound<'py, PyInt> with u8, u16, u32, u64, u128, usize, i8, i16, i32, i64, i128 and isize. #​4317
  • Implement PartialEq<f64> and PartialEq<f32> for Bound<'py, PyFloat>. #​4348
  • Add as_super and into_super methods for Bound<T: PyClass>. #​4351
  • Add FFI definitions PyCFunctionFast and PyCFunctionFastWithKeywords #​4415
  • Add FFI definitions for PyMutex on Python 3.13 and newer. #​4421
  • Add PyDict::locked_for_each to iterate efficiently on freethreaded Python. #​4439
  • Add FFI definitions PyObject_GetOptionalAttr, PyObject_GetOptionalAttrString, PyObject_HasAttrWithError, PyObject_HasAttrStringWithError, Py_CONSTANT_* constants, Py_GetConstant, Py_GetConstantBorrowed, and PyType_GetModuleByDef on Python 3.13 and newer. #​4447
  • Add FFI definitions for the Python critical section API available on Python 3.13 and newer. #​4477
  • Add derive macro for IntoPyObject. #​4495
  • Add Borrowed::as_ptr. #​4520
  • Add FFI definition for PyImport_AddModuleRef. #​4529
  • Add PyAnyMethods::try_iter. #​4553
  • Add pyo3::sync::with_critical_section, a wrapper around the Python Critical Section API added in Python 3.13. #​4587
  • Add #[pymodule(gil_used = false)] option to declare that a module supports the free-threaded build. #​4588
  • Add PyModule::gil_used method to declare that a module supports the free-threaded build. #​4588
  • Add FFI definition PyDateTime_CAPSULE_NAME. #​4634
  • Add PyMappingProxy type to represent the mappingproxy Python class. #​4644
  • Add FFI definitions PyList_Extend and PyList_Clear. #​4667
  • Add derive macro for IntoPyObjectRef. #​4674
  • Add pyo3::sync::OnceExt and pyo3::sync::OnceLockExt traits. #​4676
Changed
  • Prefer IntoPyObject over IntoPy<Py<PyAny>> for #[pyfunction] and #[pymethods] return types. #​4060
  • Report multiple errors from #[pyclass] and #[pyo3(..)] attributes. #​4243
  • Nested declarative #[pymodule] are automatically treated as submodules (no PyInit_ entrypoint is created). #​4308
  • Deprecate PyAnyMethods::is_ellipsis (Py::is_ellipsis was deprecated in PyO3 0.20). #​4322
  • Deprecate PyLong in favor of PyInt. #​4347
  • Rename IntoPyDict::into_py_dict_bound to IntoPyDict::into_py_dict. #​4388
  • PyModule::from_code now expects &CStr as arguments instead of &str. #​4404
  • Use "fastcall" Python calling convention for #[pyfunction]s when compiling on abi3 for Python 3.10 and up. #​4415
  • Remove Copy and Clone from PyObject struct FFI definition. #​4434
  • Python::eval and Python::run now take a &CStr instead of &str. #​4435
  • Deprecate IPowModulo, PyClassAttributeDef, PyGetterDef, PyMethodDef, PyMethodDefType, and PySetterDef from PyO3's public API. #​4441
  • IntoPyObject impls for Vec<u8>, &[u8], [u8; N], Cow<[u8]> and SmallVec<[u8; N]> now convert into Python bytes rather than a list of integers. #​4442
  • Emit a compile-time error when attempting to subclass a class that doesn't allow subclassing. #​4453
  • IntoPyDict::into_py_dict is now fallible due to IntoPyObject migration. #​4493
  • The abi3 feature will now override config files provided via PYO3_BUILD_CONFIG. #​4497
  • Disable the GILProtected struct on free-threaded Python. #​4504
  • Updated FFI definitions for functions and struct fields that have been deprecated or removed from CPython. #​4534
  • Disable PyListMethods::get_item_unchecked on free-threaded Python. #​4539
  • Add GILOnceCell::import. #​4542
  • Deprecate PyAnyMethods::iter in favour of PyAnyMethods::try_iter. #​4553
  • The #[pyclass] macro now requires types to be Sync (except for #[pyclass(unsendable)] types). #​4566
  • PyList::new and PyTuple::new are now fallible due to IntoPyObject migration. #​4580
  • PyErr::matches is now fallible due to IntoPyObject migration. #​4595
  • Deprecate ToPyObject in favour of IntoPyObject #​4595
  • Deprecate PyWeakrefMethods::get_option. #​4597
  • Seal PyWeakrefMethods trait. #​4598
  • Remove PyNativeTypeInitializer and PyObjectInit from the PyO3 public API. #​4611
  • Deprecate IntoPy in favor of IntoPyObject #​4618
  • Eagerly normalize exceptions in PyErr::take() and PyErr::fetch() on Python 3.11 and older. #​4655
  • Move IntoPy::type_output to IntoPyObject::type_output. #​4657
  • Change return type of PyMapping::keys, PyMapping::values and PyMapping::items to Bound<'py, PyList> instead of Bound<'py, PySequence>. #​4661
  • Complex enums now allow field types that either implement IntoPyObject by reference or by value together with Clone. This makes Py<T> available as field type. #​4694
Removed
  • Remove all functionality deprecated in PyO3 0.20. #​4322
  • Remove all functionality deprecated in PyO3 0.21. #​4323
  • Deprecate PyUnicode in favour of PyString. #​4370
  • Remove deprecated gil-refs feature. #​4378
  • Remove private FFI definitions _Py_IMMORTAL_REFCNT, _Py_IsImmortal, _Py_TPFLAGS_STATIC_BUILTIN, _Py_Dealloc, _Py_IncRef, _Py_DecRef. #​4447
  • Remove private FFI definitions _Py_c_sum, _Py_c_diff, _Py_c_neg, _Py_c_prod, _Py_c_quot, _Py_c_pow, _Py_c_abs. #​4521
  • Remove _borrowed methods of PyWeakRef and PyWeakRefProxy. #​4528
  • Removed private FFI definition _PyErr_ChainExceptions. #​4534
Fixed
  • Fix invalid library search path lib_dir when cross-compiling. #​4389
  • Fix FFI definition Py_Is for PyPy on 3.10 to call the function defined by PyPy. #​4447
  • Fix compile failure when using #[cfg] attributes for simple enum variants. #​4509
  • Fix compiler warning for non_snake_case method names inside #[pymethods] generated code. #​4567
  • Fix compile error with #[derive(FromPyObject)] generic struct with trait bounds. #​4645
  • Fix compile error for #[classmethod] and #[staticmethod] on magic methods. #​4654
  • Fix compile warning for unsafe_op_in_unsafe_fn in generated macro code. #​4674
  • Fix incorrect deprecation warning for #[pyclass] enums with custom __eq__ implementation. #​4692
  • Fix non_upper_case_globals lint firing for generated __match_args__ on complex enums. #​4705

v0.22.6: PyO3 0.22.6

This release corrects the check for free-threaded Python introduced in PyO3 0.22.2 to prevent users accidentally installing PyO3 packages on Python 3.13t; PyO3 0.22 does not support free-threaded Python. (Stay tuned for the 0.23 release coming very soon!)

Thanks @​minrk for the report and @​davidhewitt for the fix!

v0.22.5

Fixed
  • Fix regression in 0.22.4 of naming collision in __clear__ slot and clear method generated code. #​4619

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
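As an added illustration of the bug class in GHSA-pph8-gcv7-4qj5 above (example code written for this page, not PyO3's own): a stand-in C consumer copies bytes until the first nul, so handing it the pointer of a length-delimited &str leaks whatever follows the string, while the CString copy the fix introduces bounds the read. The buffer is constructed, `c_api_copy_string`, `forward_str_unchecked` and `forward_str_checked` are hypothetical names, and treating an interior nul as an error is an assumption about the fix.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

/// Stand-in (hypothetical) for a C API that, like the CPython functions
/// PyO3 forwarded to, has no length parameter: it treats its argument as a
/// nul-terminated string and copies bytes until it finds the terminator.
///
/// SAFETY: `p` must point into an allocation that contains a nul byte at or
/// after `p`.
unsafe fn c_api_copy_string(p: *const c_char) -> Vec<u8> {
    unsafe { CStr::from_ptr(p) }.to_bytes().to_vec()
}

/// Vulnerable pattern: the string's data pointer goes to the C API as-is.
/// A `&str` is length-delimited, not nul-terminated, so the C side keeps
/// copying whatever happens to sit after the string in memory.
///
/// The demo takes the backing buffer plus an offset rather than a bare
/// `&str` so the over-read stays inside a buffer we constructed (and the
/// pointer keeps the whole buffer's provenance); in the real bug the bytes
/// after the string are arbitrary heap or stack memory.
fn forward_str_unchecked(backing: &[u8], start: usize, len: usize) -> Vec<u8> {
    // This is the `&str` a caller would have passed to PyString::from_object;
    // its data pointer is exactly the pointer the C API receives below.
    let s: &str = std::str::from_utf8(&backing[start..start + len]).unwrap();
    assert_eq!(s.as_ptr(), backing[start..].as_ptr());
    unsafe { c_api_copy_string(backing.as_ptr().add(start) as *const c_char) }
}

/// Fixed pattern, modelled on the PyO3 0.24.1 change: copy the `&str` into a
/// `CString`, which appends the terminator and (assumption) rejects interior
/// nul bytes instead of silently truncating the string.
fn forward_str_checked(s: &str) -> Result<Vec<u8>, NulError> {
    let owned = CString::new(s)?;
    // `owned` lives until this function returns, so the pointer stays valid
    // for the whole call and a nul byte is guaranteed at index s.len().
    Ok(unsafe { c_api_copy_string(owned.as_ptr()) })
}

fn main() {
    // Constructed buffer: a short user-supplied string sits directly in front
    // of unrelated data, with the first nul byte well past the string's end.
    let backing = b"user:super-secret-token\0".to_vec();

    let leaked = forward_str_unchecked(&backing, 0, 4);
    println!("unchecked: {:?}", String::from_utf8_lossy(&leaked));

    let bounded = forward_str_checked("user").unwrap();
    println!("checked:   {:?}", String::from_utf8_lossy(&bounded));

    println!("interior nul rejected: {}", forward_str_checked("us\0er").is_err());
}
```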

@renovate renovate bot added the security label Apr 2, 2025
renovate bot commented Apr 2, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path crates/bitwarden-py/Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `pyo3-ffi`.
    ... required by package `pyo3 v0.21.0`
    ... which satisfies dependency `pyo3 = ">=0.21, <0.23"` of package `pyo3-log v0.11.0`
    ... which satisfies dependency `pyo3-log = "^0.11.0"` of package `bitwarden-py v0.1.0 (/tmp/renovate/repos/github/bitwarden/sdk-sm/crates/bitwarden-py)`
versions that meet the requirements `=0.21.0` are: 0.21.0

the package `pyo3-ffi` links to the native library `python`, but it conflicts with a previous package which links to `python` as well:
package `pyo3-ffi v0.24.0`
    ... which satisfies dependency `pyo3-ffi = "=0.24.0"` of package `pyo3 v0.24.0`
    ... which satisfies dependency `pyo3 = "^0.24.0"` of package `bitwarden-py v0.1.0 (/tmp/renovate/repos/github/bitwarden/sdk-sm/crates/bitwarden-py)`
Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the `links = "python"` value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links.

failed to select a version for `pyo3-ffi` which could resolve this conflict

github-actions bot commented Apr 17, 2025

Checkmarx One – Scan Summary & Details 9dbf8f86-ecf2-456b-8948-79c20442ceba

Great job, no security vulnerabilities found in this Pull Request

renovate bot commented Apr 18, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

codecov bot commented Apr 18, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 10.17%. Comparing base (81dc653) to head (f4b9697).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1226   +/-   ##
=======================================
  Coverage   10.17%   10.17%           
=======================================
  Files          19       19           
  Lines        1101     1101           
=======================================
  Hits          112      112           
  Misses        989      989           
