
Commit 40cd6a8

igerber and claude committed
chore(deps): bump pyo3 + numpy to 0.29 in /rust (RUSTSEC-2026-0176/0177)
Bumps the Rust backend's pyo3 and numpy crates 0.28 -> 0.29 in lockstep (numpy 0.29 requires pyo3 ^0.29), resolving two RustSec advisories that affect pyo3 < 0.29:

- RUSTSEC-2026-0176 (GHSA-36hh-v3qg-5jq4, High): out-of-bounds read in the PyList/PyTuple nth/nth_back iterators.
- RUSTSEC-2026-0177 (GHSA-chgr-c6px-7xpp, Medium): missing Sync bound on PyCFunction::new_closure closures.

Neither vulnerable path is reachable in this crate: the Rust source has no PyList/PyTuple iteration, no PyCFunction::new_closure, and builds no free-threaded wheels.

This is a binding-layer-only change -- the math/RNG crates (ndarray 0.17, faer 0.24, rand 0.10, rand_xoshiro 0.8) are unchanged, and the Rust-backend bit-identity snapshot test confirms zero numerical drift.

Supersedes Dependabot PRs #537 (pyo3) and #538 (numpy), which each bumped one crate alone and so could not resolve (the numpy/pyo3 version constraint couples them).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 35f56f6 commit 40cd6a8
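The commit message rests on two claims a reviewer would rather re-run than take on trust: that the advisories affect only pyo3 < 0.29, and that this crate never touches the APIs they concern. The following is an added example, not code from this repository or from pyo3: a dependency-free Rust helper that reads a Cargo.lock fragment, flags any resolved pyo3 below the patched bound stated in the commit message, checks that pyo3 and numpy resolve to the same 0.x minor (the lockstep constraint the message describes), and does a textual scan of source for the API names it lists. The lock fragments and source snippets are constructed for illustration (their version numbers are not taken from this repository), and the source scan is a line-based heuristic, not a call-graph analysis.

```rust
// Added example, not part of the project: an offline check of the two claims a
// binding-crate bump like this one rests on.  (1) Does the resolved pyo3 in
// Cargo.lock still fall inside the advisory range (< 0.29 per the commit
// message)?  (2) Does the crate's source mention the APIs the advisories
// concern?  Every lock fragment and source snippet below is constructed.

/// (major, minor, patch).  The derived lexicographic order is semver order for
/// plain releases; anything with extra or non-numeric components is rejected.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(parts.next()??, parts.next()??, parts.next()??);
    parts.next().is_none().then_some(v) // exactly three numeric components
}

/// Minimal Cargo.lock reader: (name, version) for each `[[package]]` table.
pub fn parse_lock(lock: &str) -> Vec<(String, Version)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<Version> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = parse_version(rest.trim_matches('"'));
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        out.push((n, v));
    }
    out
}

pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    /// First version outside the affected range (the advisory's patched bound).
    pub patched: Version,
}

/// Ranges as stated in the commit message: both advisories affect pyo3 < 0.29.
pub const ADVISORIES: &[Advisory] = &[
    Advisory { id: "RUSTSEC-2026-0176", package: "pyo3", patched: Version(0, 29, 0) },
    Advisory { id: "RUSTSEC-2026-0177", package: "pyo3", patched: Version(0, 29, 0) },
];

/// (advisory id, resolved version) for every locked package still in range.
pub fn affected(packages: &[(String, Version)]) -> Vec<(&'static str, Version)> {
    let mut hits = Vec::new();
    for adv in ADVISORIES {
        for (name, ver) in packages {
            if name.as_str() == adv.package && *ver < adv.patched {
                hits.push((adv.id, *ver));
            }
        }
    }
    hits
}

/// numpy 0.29 requires pyo3 ^0.29, and for 0.x crates a caret requirement pins
/// the minor, so both binding crates must resolve to the same major.minor.
pub fn lockstep_ok(packages: &[(String, Version)]) -> bool {
    let find = |n: &str| packages.iter().find(|(p, _)| p.as_str() == n).map(|(_, v)| *v);
    matches!((find("pyo3"), find("numpy")), (Some(a), Some(b)) if (a.0, a.1) == (b.0, b.1))
}

/// Names from the two advisories.  Textual heuristic only: it also flags `use`
/// lines and cannot see calls hidden behind macros or re-exports.
pub const SENSITIVE_APIS: &[&str] = &["PyList", "PyTuple", "new_closure"];

/// (api, 1-based line) for every non-comment source line mentioning a name above.
pub fn scan_source(src: &str) -> Vec<(&'static str, usize)> {
    let mut hits = Vec::new();
    for (i, line) in src.lines().enumerate() {
        let code = line.split("//").next().unwrap_or(""); // drop line comments
        for api in SENSITIVE_APIS {
            if code.contains(*api) {
                hits.push((*api, i + 1));
            }
        }
    }
    hits
}

// Constructed lock fragments: the resolution before and after the bump.
pub const LOCK_BEFORE: &str = "[[package]]\nname = \"ndarray\"\nversion = \"0.17.0\"\n\n\
[[package]]\nname = \"numpy\"\nversion = \"0.28.0\"\n\n[[package]]\nname = \"pyo3\"\nversion = \"0.28.0\"\n";
pub const LOCK_AFTER: &str = "[[package]]\nname = \"numpy\"\nversion = \"0.29.0\"\n\n\
[[package]]\nname = \"pyo3\"\nversion = \"0.29.0\"\n";

// Constructed source snippets: one that never touches the named APIs (a mention
// inside a comment is not a hit) and one that does.
pub const SRC_CLEAN: &str = r##"use pyo3::prelude::*;
use numpy::PyReadonlyArray1;
// Never iterates a PyList or PyTuple; this comment must not be a hit.
#[pyfunction]
fn total(x: PyReadonlyArray1<'_, f64>) -> f64 { x.as_slice().unwrap().iter().sum() }"##;
pub const SRC_FLAGGED: &str = r##"use pyo3::prelude::*;
use pyo3::types::PyList;
fn first_len(obj: &Bound<'_, PyAny>) -> PyResult<usize> {
    let items = obj.downcast::<PyList>()?;
    Ok(items.iter().nth(0).map_or(0, |_| 1))
}"##;

fn main() {
    for (label, lock) in [("before", LOCK_BEFORE), ("after", LOCK_AFTER)] {
        let pkgs = parse_lock(lock);
        println!("{label}: affected={:?} lockstep={}", affected(&pkgs), lockstep_ok(&pkgs));
    }
    println!("clean={:?} flagged={:?}", scan_source(SRC_CLEAN), scan_source(SRC_FLAGGED));
}
```

Two design points: the version check is run against the lockfile rather than `Cargo.toml`, because a `"0.29"` requirement in the manifest says nothing about what the resolver actually picked; and the source scan strips `//` comments so that a changelog-style mention does not count as use, while a plain `use pyo3::types::PyList;` does, which is the right bias for a reviewer who wants to be shown every place the type enters the crate.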

2 files changed

Lines changed: 13 additions & 3 deletions

CHANGELOG.md

Lines changed: 10 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -31,6 +31,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
3131
`treatment_fraction` remains inert (balanced 2×2×2); pass `group_frac`/`partition_frac`
3232
via `data_generator_kwargs`. See `docs/methodology/REGISTRY.md` §PowerAnalysis.
3333

34+
### Security
35+
- **Bumped the Rust backend's `pyo3` and `numpy` crates 0.28 → 0.29.** Resolves two RustSec
36+
advisories in `pyo3 < 0.29` — RUSTSEC-2026-0176 (out-of-bounds read in `PyList`/`PyTuple`
37+
`nth`/`nth_back`, High) and RUSTSEC-2026-0177 (missing `Sync` bound on
38+
`PyCFunction::new_closure`, Medium). Neither vulnerable path was reachable in this crate
39+
(no `PyList`/`PyTuple` iteration, no `new_closure`, no free-threaded wheels); `numpy` 0.29 is
40+
bumped in lockstep because it requires `pyo3` ^0.29. No API or numerical change — both crates
41+
are FFI/binding layers, and the math/RNG crates (`ndarray`, `faer`, `rand`, `rand_xoshiro`)
42+
are unchanged.
43+
3444
## [3.5.2] - 2026-06-08
3545

3646
### Added
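Review bot: the reachability claim in the new Security entry ("no `PyList`/`PyTuple` iteration, no `new_closure`, no free-threaded wheels") states a conclusion without the evidence, and this entry is what a future reader will consult when asked whether the crate was ever exposed; record how it was established, for example by naming the source search used for the API claim and the Rust-backend bit-identity snapshot test the commit message cites for the "no numerical change" claim, so the entry is auditable on its own. Also worth carrying over from the commit message: that this coupled bump supersedes the two single-crate Dependabot PRs, since the `numpy` ^0.29 constraint mentioned here is exactly why they could not land separately and the changelog should agree with the PR history.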

rust/Cargo.toml

Lines changed: 3 additions & 3 deletions
@@ -21,9 +21,9 @@ accelerate = ["ndarray/blas", "dep:blas-src", "blas-src/accelerate"]
2121
openblas = ["ndarray/blas"]
2222

2323
[dependencies]
24-
# PyO3 0.28 supports Python 3.9-3.14
25-
pyo3 = "0.28"
26-
numpy = "0.28"
24+
# PyO3 0.29 supports Python 3.9-3.14
25+
pyo3 = "0.29"
26+
numpy = "0.29"
2727
ndarray = { version = "0.17", features = ["rayon"] }
2828
rand = "0.10"
2929
rand_xoshiro = "0.8"
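Review bot: no `Cargo.lock` is among the two changed files, so if the lockfile is committed this hunk only relaxes the requirements to `^0.29` and neither advisory is actually resolved until the lock is regenerated (`cargo update -p pyo3 -p numpy`) and that change lands with it; `cargo audit` reads the lockfile, not the manifest. If the lockfile is intentionally untracked, say so in the commit message so the next reviewer does not ask the same question. Secondary point on the comment line: `# PyO3 0.29 supports Python 3.9-3.14` is the 0.28 comment with the version edited; confirm the supported interpreter range against the pyo3 0.29 release notes before carrying it forward.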
