[deps]: Update Rust crate pyo3 to 0.24.0 [SECURITY]

Open renovate[bot] opened this issue 8 months ago • 5 comments

This PR contains the following updates:

Package  Type          Update  Change
pyo3     dependencies  minor   0.22.1 -> 0.24.0

GitHub Vulnerability Alerts

GHSA-pph8-gcv7-4qj5

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.


Release Notes

pyo3/pyo3 (pyo3)

v0.24.1

Compare Source

This release is a security fix for the PyString::from_object method, which passed &str data to the Python C API without checking for a terminating nul byte. All historical PyO3 versions are affected, and we recommend you upgrade if you are using PyString::from_object. Thank you to @​vthib for the report and @​Dr-Emann for the fix. A RUSTSEC advisory will be published shortly.

Aside from the security fix, this release contains a number of other non-breaking additions:

  • An abi3-py313 feature to support compiling with the Python 3.13 stable ABI.
  • PyAnyMethods::getattr_opt to get optional attributes without paying the cost of a Python exception when the attribute in question does not exist.
  • Constructor for PyInt::new.
  • with_critical_section2 for locking two objects at the same time on the free-threaded build.
  • Fix for a PyO3 0.24.0 regression with Option<&str> and Option<&T> (where T: PyClass) function arguments no longer being permitted

There are also a few other small bug fixes for edge cases, mostly related to compile errors from PyO3's macro code.

Thank you to the following contributors for the improvements:

@​bschoenmaeckers @​davidhewitt @​Dr-Emann @​emmagordon @​epontan @​Icxolu @​IvanIsCoding @​jelmer @​jonaspleyer @​ngoldbaum @​Owen-CH-Leung @​Tpt @​Trolldemorted @​XuehaiPan

v0.24.0

Compare Source

Packaging
  • Add supported CPython/PyPy versions to cargo package metadata. #​4756
  • Bump target-lexicon dependency to 0.13. #​4822
  • Add optional jiff dependency to add conversions for jiff datetime types. #​4823
  • Bump minimum supported inventory version to 0.3.5. #​4954
Added
  • Add PyIterator::send method to allow sending values into a python generator. #​4746
  • Add PyCallArgs trait for passing arguments into the Python calling protocol. This enabled using a faster calling convention for certain types, improving performance. #​4768
  • Add #[pyo3(default = ...)] option for #[derive(FromPyObject)] to set a default value for extracted fields of named structs. #​4829
  • Add #[pyo3(into_py_with = ...)] option for #[derive(IntoPyObject, IntoPyObjectRef)]. #​4850
  • Add uuid to/from python conversions. #​4864
  • Add FFI definitions PyThreadState_GetFrame and PyFrame_GetBack. #​4866
  • Optimize last for BoundListIterator, BoundTupleIterator and BorrowedTupleIterator. #​4878
  • Optimize Iterator::count() for PyDict, PyList, PyTuple & PySet. #​4878
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundTupleIterator. #​4897
  • Add support for types.GenericAlias as pyo3::types::PyGenericAlias. #​4917
  • Add MutexExt trait to help avoid deadlocks with the GIL while locking a std::sync::Mutex. #​4934
  • Add #[pyo3(rename_all = "...")] option for #[derive(FromPyObject)]. #​4941
Changed
  • Optimize nth, nth_back, advance_by and advance_back_by for BoundListIterator. #​4810
  • Use DerefToPyAny in blanket implementations of From<Py<T>> and From<Bound<'py, T>> for PyObject. #​4593
  • Map io::ErrorKind::IsADirectory/NotADirectory to the corresponding Python exception on Rust 1.83+. #​4747
  • PyAnyMethods::call and friends now require PyCallArgs for their positional arguments. #​4768
  • Expose FFI definitions for PyObject_Vectorcall(Method) on the stable abi on 3.12+. #​4853
  • #[pyo3(from_py_with = ...)] now takes a path rather than a string literal. #​4860
  • Format Python traceback in impl Debug for PyErr. #​4900
  • Convert PathBuf & Path into Python pathlib.Path instead of PyString. #​4925
  • Relax parsing of exotic Python versions. #​4949
  • PyO3 threads now hang instead of pthread_exit trying to acquire the GIL when the interpreter is shutting down. This mimics the Python 3.14 behavior and avoids undefined behavior and crashes. #​4874
Removed
  • Remove implementations of Deref for PyAny and other "native" types. #​4593
  • Remove implicit default of trailing optional arguments (see #​2935). #​4729
  • Remove the deprecated implicit eq fallback for simple enums. #​4730
Fixed
  • Correct FFI definition of PyIter_Send to return a PySendResult. #​4746
  • Fix a thread safety issue in the runtime borrow checker used by mutable pyclass instances on the free-threaded build. #​4948

v0.23.5

Compare Source

Fixed
  • Fix thread-unsafe implementation of freelist pyclasses on the free-threaded build. #​4902
  • Re-enable a workaround for situations where CPython incorrectly does not add __builtins__ to __globals__ in code executed by Python::py_run (was removed in PyO3 0.23.0). #​4921

v0.23.4

Compare Source

Added
  • Add PyList::locked_for_each, which uses a critical section to lock the list on the free-threaded build. #​4789
  • Add pyo3_build_config::add_python_framework_link_args build script API to set rpath when using macOS system Python. #​4833
Changed
  • Use datetime.fold to distinguish ambiguous datetimes when converting to and from chrono::DateTime<Tz> (rather than erroring). #​4791
  • Optimize PyList iteration on the free-threaded build. #​4789
Fixed
  • Fix unnecessary internal py.allow_threads GIL-switch when attempting to access contents of a PyErr which originated from Python (could lead to unintended deadlocks). #​4766
  • Fix thread-unsafe access of dict internals in BoundDictIterator on the free-threaded build. #​4788
  • Fix unnecessary critical sections in BoundDictIterator on the free-threaded build. #​4788
  • Fix time-of-check to time-of-use issues with list iteration on the free-threaded build. #​4789
  • Fix chrono::DateTime<Tz> to-Python conversion when Tz is chrono_tz::Tz. #​4790
  • Fix #[pyclass] not being able to be named Probe. #​4794
  • Fix not treating cross-compilation from x64 to aarch64 on Windows as a cross-compile. #​4800
  • Fix missing struct fields on GraalPy when subclassing builtin classes. #​4802
  • Fix generating import lib for PyPy when abi3 feature is enabled. #​4806
  • Fix generating import lib for python3.13t when abi3 feature is enabled. #​4808
  • Fix compile failure for raw identifiers like r#box in derive(FromPyObject). #​4814
  • Fix compile failure for #[pyclass] enum variants with more than 12 fields. #​4832

v0.23.3

Compare Source

Packaging
  • Bump optional python3-dll-a dependency to 0.2.11. #​4749
Fixed
  • Fix unresolved symbol link failures on Windows when compiling for Python 3.13t with abi3 features enabled. #​4733
  • Fix unresolved symbol link failures on Windows when compiling for Python 3.13t using the generate-import-lib feature. #​4749
  • Fix compile-time regression in PyO3 0.23.0 where changing PYO3_CONFIG_FILE would not reconfigure PyO3 for the new interpreter. #​4758

v0.23.2

Compare Source

Fixed
  • Fix compile failures when building for free-threaded Python when the abi3 or abi3-pyxx features are enabled. #​4719
  • Fix ambiguous_associated_items lint error in #[pyclass] and #[derive(IntoPyObject)] macros. #​4725

v0.23.1

Compare Source

Re-release of 0.23.0 with fixes to docs.rs build.

v0.23.0

Compare Source

Packaging
  • Drop support for PyPy 3.7 and 3.8. #​4582
  • Extend range of supported versions of hashbrown optional dependency to include version 0.15. #​4604
  • Bump minimum version of eyre optional dependency to 0.6.8. #​4617
  • Bump minimum version of hashbrown optional dependency to 0.14.5. #​4617
  • Bump minimum version of indexmap optional dependency to 2.5.0. #​4617
  • Bump minimum version of num-complex optional dependency to 0.4.6. #​4617
  • Bump minimum version of chrono-tz optional dependency to 0.10. #​4617
  • Support free-threaded Python 3.13t. #​4588
Added
  • Add IntoPyObject (fallible) conversion trait to convert from Rust to Python values. #​4060
  • Add #[pyclass(str="<format string>")] option to generate __str__ based on a Display implementation or format string. #​4233
  • Implement PartialEq for Bound<'py, PyInt> with u8, u16, u32, u64, u128, usize, i8, i16, i32, i64, i128 and isize. #​4317
  • Implement PartialEq<f64> and PartialEq<f32> for Bound<'py, PyFloat>. #​4348
  • Add as_super and into_super methods for Bound<T: PyClass>. #​4351
  • Add FFI definitions PyCFunctionFast and PyCFunctionFastWithKeywords. #​4415
  • Add FFI definitions for PyMutex on Python 3.13 and newer. #​4421
  • Add PyDict::locked_for_each to iterate efficiently on freethreaded Python. #​4439
  • Add FFI definitions PyObject_GetOptionalAttr, PyObject_GetOptionalAttrString, PyObject_HasAttrWithError, PyObject_HasAttrStringWithError, Py_CONSTANT_* constants, Py_GetConstant, Py_GetConstantBorrowed, and PyType_GetModuleByDef on Python 3.13 and newer. #​4447
  • Add FFI definitions for the Python critical section API available on Python 3.13 and newer. #​4477
  • Add derive macro for IntoPyObject. #​4495
  • Add Borrowed::as_ptr. #​4520
  • Add FFI definition for PyImport_AddModuleRef. #​4529
  • Add PyAnyMethods::try_iter. #​4553
  • Add pyo3::sync::with_critical_section, a wrapper around the Python Critical Section API added in Python 3.13. #​4587
  • Add #[pymodule(gil_used = false)] option to declare that a module supports the free-threaded build. #​4588
  • Add PyModule::gil_used method to declare that a module supports the free-threaded build. #​4588
  • Add FFI definition PyDateTime_CAPSULE_NAME. #​4634
  • Add PyMappingProxy type to represent the mappingproxy Python class. #​4644
  • Add FFI definitions PyList_Extend and PyList_Clear. #​4667
  • Add derive macro for IntoPyObjectRef. #​4674
  • Add pyo3::sync::OnceExt and pyo3::sync::OnceLockExt traits. #​4676
Changed
  • Prefer IntoPyObject over IntoPy<Py<PyAny>> for #[pyfunction] and #[pymethods] return types. #​4060
  • Report multiple errors from #[pyclass] and #[pyo3(..)] attributes. #​4243
  • Nested declarative #[pymodule] are automatically treated as submodules (no PyInit_ entrypoint is created). #​4308
  • Deprecate PyAnyMethods::is_ellipsis (Py::is_ellipsis was deprecated in PyO3 0.20). #​4322
  • Deprecate PyLong in favor of PyInt. #​4347
  • Rename IntoPyDict::into_py_dict_bound to IntoPyDict::into_py_dict. #​4388
  • PyModule::from_code now expects &CStr as arguments instead of &str. #​4404
  • Use "fastcall" Python calling convention for #[pyfunction]s when compiling on abi3 for Python 3.10 and up. #​4415
  • Remove Copy and Clone from PyObject struct FFI definition. #​4434
  • Python::eval and Python::run now take a &CStr instead of &str. #​4435
  • Deprecate IPowModulo, PyClassAttributeDef, PyGetterDef, PyMethodDef, PyMethodDefType, and PySetterDef from PyO3's public API. #​4441
  • IntoPyObject impls for Vec<u8>, &[u8], [u8; N], Cow<[u8]> and SmallVec<[u8; N]> now convert into Python bytes rather than a list of integers. #​4442
  • Emit a compile-time error when attempting to subclass a class that doesn't allow subclassing. #​4453
  • IntoPyDict::into_py_dict is now fallible due to IntoPyObject migration. #​4493
  • The abi3 feature will now override config files provided via PYO3_BUILD_CONFIG. #​4497
  • Disable the GILProtected struct on free-threaded Python. #​4504
  • Updated FFI definitions for functions and struct fields that have been deprecated or removed from CPython. #​4534
  • Disable PyListMethods::get_item_unchecked on free-threaded Python. #​4539
  • Add GILOnceCell::import. #​4542
  • Deprecate PyAnyMethods::iter in favour of PyAnyMethods::try_iter. #​4553
  • The #[pyclass] macro now requires types to be Sync (except for #[pyclass(unsendable)] types). #​4566
  • PyList::new and PyTuple::new are now fallible due to IntoPyObject migration. #​4580
  • PyErr::matches is now fallible due to IntoPyObject migration. #​4595
  • Deprecate ToPyObject in favour of IntoPyObject. #​4595
  • Deprecate PyWeakrefMethods::get_option. #​4597
  • Seal PyWeakrefMethods trait. #​4598
  • Remove PyNativeTypeInitializer and PyObjectInit from the PyO3 public API. #​4611
  • Deprecate IntoPy in favor of IntoPyObject. #​4618
  • Eagerly normalize exceptions in PyErr::take() and PyErr::fetch() on Python 3.11 and older. #​4655
  • Move IntoPy::type_output to IntoPyObject::type_output. #​4657
  • Change return type of PyMapping::keys, PyMapping::values and PyMapping::items to Bound<'py, PyList> instead of Bound<'py, PySequence>. #​4661
  • Complex enums now allow field types that either implement IntoPyObject by reference or by value together with Clone. This makes Py<T> available as field type. #​4694
Removed
  • Remove all functionality deprecated in PyO3 0.20. #​4322
  • Remove all functionality deprecated in PyO3 0.21. #​4323
  • Deprecate PyUnicode in favour of PyString. #​4370
  • Remove deprecated gil-refs feature. #​4378
  • Remove private FFI definitions _Py_IMMORTAL_REFCNT, _Py_IsImmortal, _Py_TPFLAGS_STATIC_BUILTIN, _Py_Dealloc, _Py_IncRef, _Py_DecRef. #​4447
  • Remove private FFI definitions _Py_c_sum, _Py_c_diff, _Py_c_neg, _Py_c_prod, _Py_c_quot, _Py_c_pow, _Py_c_abs. #​4521
  • Remove _borrowed methods of PyWeakRef and PyWeakRefProxy. #​4528
  • Removed private FFI definition _PyErr_ChainExceptions. #​4534
Fixed
  • Fix invalid library search path lib_dir when cross-compiling. #​4389
  • Fix FFI definition Py_Is for PyPy on 3.10 to call the function defined by PyPy. #​4447
  • Fix compile failure when using #[cfg] attributes for simple enum variants. #​4509
  • Fix compiler warning for non_snake_case method names inside #[pymethods] generated code. #​4567
  • Fix compile error with #[derive(FromPyObject)] generic struct with trait bounds. #​4645
  • Fix compile error for #[classmethod] and #[staticmethod] on magic methods. #​4654
  • Fix compile warning for unsafe_op_in_unsafe_fn in generated macro code. #​4674
  • Fix incorrect deprecation warning for #[pyclass] enums with custom __eq__ implementation. #​4692
  • Fix non_upper_case_globals lint firing for generated __match_args__ on complex enums. #​4705

v0.22.6: PyO3 0.22.6

Compare Source

This release corrects the check for free-threaded Python introduced in PyO3 0.22.2 to prevent users accidentally installing PyO3 packages on Python 3.13t; PyO3 0.22 does not support free-threaded Python. (Stay tuned for the 0.23 release coming very soon!)

Thanks @​minrk for the report and @​davidhewitt for the fix!

v0.22.5

Compare Source

Fixed
  • Fix regression in 0.22.4 of naming collision in __clear__ slot and clear method generated code. #​4619

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] Apr 02 '25 15:04
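
The mechanism in the advisory above, as an added example in standalone Rust rather than PyO3's own code: a length-delimited &str handed to a nul-scanning C API, modelled over a byte buffer so the over-read is visible without undefined behaviour, next to the CString-based fix that 0.24.1 adopts. The c_api_copy_cstr stand-in, the lay_out memory model and the sample bytes are constructed assumptions.

```rust
use std::ffi::{CString, NulError};

/// Stand-in for a C API that takes a `const char*` and scans for the first nul.
/// It is written over a byte slice so the over-read is observable in safe Rust
/// rather than being undefined behaviour, as it would be against real memory.
fn c_api_copy_cstr(mem: &[u8], start: usize) -> Vec<u8> {
    mem[start..].iter().take_while(|&&b| b != 0).copied().collect()
}

/// Constructed model of the caller's heap: `payload` is laid out immediately
/// before `neighbour`, unrelated bytes that happen to follow it in memory.
fn lay_out(payload: &[u8], neighbour: &[u8]) -> Vec<u8> {
    let mut mem = payload.to_vec();
    mem.extend_from_slice(neighbour);
    mem
}

/// Vulnerable pattern described in the advisory: a length-delimited `&str` is
/// forwarded as though it were nul-terminated. The C side has no length and
/// keeps reading into whatever follows the string.
fn from_str_unchecked(s: &str, neighbour: &[u8]) -> Vec<u8> {
    let mem = lay_out(s.as_bytes(), neighbour);
    c_api_copy_cstr(&mem, 0)
}

/// Fixed pattern (what PyO3 0.24.1 does): copy into a `CString`, which appends
/// the terminating nul and rejects interior nuls, then pass that buffer on.
fn from_str_checked(s: &str, neighbour: &[u8]) -> Result<Vec<u8>, NulError> {
    let c = CString::new(s)?;
    let mem = lay_out(c.as_bytes_with_nul(), neighbour);
    Ok(c_api_copy_cstr(&mem, 0))
}

/// Number of bytes the unchecked path hands to the C side beyond the `&str`
/// itself, i.e. the size of the leak for this memory layout.
fn leaked_bytes(s: &str, neighbour: &[u8]) -> usize {
    from_str_unchecked(s, neighbour).len().saturating_sub(s.len())
}

fn main() {
    // Constructed sample: the string is followed in memory by other data.
    let neighbour = b"SECRET\0padding";
    let read = from_str_unchecked("abc", neighbour);
    println!("unchecked: {:?}", String::from_utf8_lossy(&read));
    match from_str_checked("abc", neighbour) {
        Ok(v) => println!("checked:   {:?}", String::from_utf8_lossy(&v)),
        Err(e) => println!("checked:   rejected ({e})"),
    }
    println!("leaked {} byte(s)", leaked_bytes("abc", neighbour));
}
```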

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path crates/bitwarden-py/Cargo.toml --workspace
    Updating git repository `https://github.com/bitwarden/sdk-internal.git`
From https://github.com/bitwarden/sdk-internal
 * [new ref]           49d027c1f5144d6d319e3cab56782f8b844cd8c2 -> refs/commit/49d027c1f5144d6d319e3cab56782f8b844cd8c2
    Updating crates.io index
error: failed to select a version for `pyo3`.
    ... required by package `pyo3-log v0.11.0`
    ... which satisfies dependency `pyo3-log = "^0.11.0"` of package `bitwarden-py v0.1.0 (/tmp/renovate/repos/github/bitwarden/sdk-sm/crates/bitwarden-py)`
versions that meet the requirements `>=0.21, <0.23` are: 0.22.6, 0.22.5, 0.22.4, 0.21.2, 0.21.1, 0.21.0

package `pyo3` links to the native library `python`, but it conflicts with a previous package which links to `python` as well:
package `pyo3 v0.24.0`
    ... which satisfies dependency `pyo3 = "^0.24.0"` of package `bitwarden-py v0.1.0 (/tmp/renovate/repos/github/bitwarden/sdk-sm/crates/bitwarden-py)`
Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the `links = "python"` value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links.

failed to select a version for `pyo3` which could resolve this conflict

renovate[bot] Apr 02 '25 15:04

Checkmarx One – Scan Summary & Details (9dbf8f86-ecf2-456b-8948-79c20442ceba)

Great job, no security vulnerabilities found in this Pull Request

github-actions[bot] Apr 17 '25 13:04

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 10.17%. Comparing base (81dc653) to head (f4b9697).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1226   +/-   ##
=======================================
  Coverage   10.17%   10.17%           
=======================================
  Files          19       19           
  Lines        1101     1101           
=======================================
  Hits          112      112           
  Misses        989      989           

codecov[bot] Apr 18 '25 15:04