Commit 40cd6a8
chore(deps): bump pyo3 + numpy to 0.29 in /rust (RUSTSEC-2026-0176/0177)
Bumps the Rust backend's pyo3 and numpy crates 0.28 -> 0.29 in lockstep
(numpy 0.29 requires pyo3 ^0.29), resolving two RustSec advisories that
affect pyo3 < 0.29:
- RUSTSEC-2026-0176 (GHSA-36hh-v3qg-5jq4, High): out-of-bounds read in the
  PyList/PyTuple nth/nth_back iterators.
- RUSTSEC-2026-0177 (GHSA-chgr-c6px-7xpp, Medium): missing Sync bound on
  PyCFunction::new_closure closures.
Neither vulnerable path is reachable in this crate: the Rust source has no
PyList/PyTuple iteration, no PyCFunction::new_closure, and builds no
free-threaded wheels. This is a binding-layer-only change -- the math/RNG
crates (ndarray 0.17, faer 0.24, rand 0.10, rand_xoshiro 0.8) are unchanged,
and the Rust-backend bit-identity snapshot test confirms zero numerical drift.
Supersedes Dependabot PRs #537 (pyo3) and #538 (numpy), which each bumped one
crate alone and so could not resolve (the numpy/pyo3 version constraint
couples them).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

1 parent 35f56f6, commit 40cd6a8
2 files changed
Lines changed: 13 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
34 | 44 | | |
35 | 45 | | |
36 | 46 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
24 | | - | |
25 | | - | |
26 | | - | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
27 | 27 | | |
28 | 28 | | |
29 | 29 | | |
| |||
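Review bot: the three replaced lines at 24-26 carry no rendered contents or file name, so this hunk on its own does not show that the pyo3 and numpy pins moved to 0.29 together, which the commit message says is what lets this change resolve where #537 and #538 could not; the review should confirm both pins sit in the same file and that the regenerated lockfile makes `cargo audit` stop reporting RUSTSEC-2026-0176 and RUSTSEC-2026-0177.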