
security: pyo3 0.24.2 has 2 security advisories — upgrade to >=0.29.0 #167

Description

@metavacua

Summary

crates/larql-python/Cargo.toml uses pyo3 = { version = "0.24", features = ["extension-module"] }, which resolves to pyo3 0.24.2. Two security advisories were disclosed against this version:

| Advisory | Title | Severity |
|---|---|---|
| RUSTSEC-2026-0176 | Out-of-bounds read in nth/nth_back for PyList/PyTuple iterators | High |
| RUSTSEC-2026-0177 | Missing Sync bound on PyCFunction::new_closure closures | High |

Affected APIs

  • RUSTSEC-2026-0176: PyList/PyTuple iterator nth and nth_back methods
  • RUSTSEC-2026-0177: PyCFunction::new_closure

Neither affected API is used by the code in crates/larql-python/src/ (the bindings use Bound<'py, ...>, #[pyfunction], #[pyclass]); exploitation risk against this codebase is therefore nil. Nonetheless, any cargo-audit or cargo-deny scan will fail until pyo3 is upgraded.

Fix

In crates/larql-python/Cargo.toml:

```toml
# before
pyo3 = { version = "0.24", features = ["extension-module"] }

# after
pyo3 = { version = "0.29", features = ["extension-module"] }
```

The codebase already uses the modern Bound<'py, ...> API (introduced pyo3 0.21), so the migration surface is small. Migration guide: https://pyo3.rs/v0.29.0/migration

Run cargo update -p pyo3 after bumping the version requirement.
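The two checks a reviewer would want before closing this issue are (a) that the version Cargo actually resolved in Cargo.lock is at or above 0.29.0, since a `version = "0.29"` requirement alone proves nothing until `cargo update -p pyo3` has run, and (b) that the source tree really contains no call sites of the APIs the two advisories name. The script below is an added example, not code from the larql project or from pyo3; it assumes a Cargo.lock in the standard `[[package]]` layout and a `src/` directory beside it, and it writes a constructed, minimal Cargo.lock of its own so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the larql project): decide from a Cargo.lock whether
# the resolved pyo3 is at or above the version the issue asks for, and list any
# call sites of the APIs named by RUSTSEC-2026-0176/0177 for manual review.

# Minimum version the issue considers fixed.
PYO3_MIN="0.29.0"

# pyo3_locked_version LOCKFILE
# Prints the version recorded for the crate named exactly "pyo3" (the `$` anchor
# keeps pyo3-ffi, pyo3-macros and pyo3-build-config from matching).
pyo3_locked_version() {
    awk '
        /^\[\[package\]\]/     { inpkg = 0 }
        /^name = "pyo3"$/      { inpkg = 1 }
        inpkg && /^version = / { gsub(/"/, "", $3); print $3; exit }
    ' "$1"
}

# version_ge A B
# Succeeds when dotted version A >= B. Sorts the pair numerically per component
# (POSIX sort, no -V needed); A >= B exactly when B is the smaller of the two.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# pyo3_status LOCKFILE -> prints "fixed" or "vulnerable", always exits 0
pyo3_status() {
    ver=$(pyo3_locked_version "$1")
    if [ -n "$ver" ] && version_ge "$ver" "$PYO3_MIN"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# affected_api_hits SRCDIR
# Greps for the method names from the two advisories. `.nth(` / `.nth_back(`
# also match ordinary std iterators, so the output is a triage list, not a verdict.
affected_api_hits() {
    grep -rnE '\.nth\(|\.nth_back\(|new_closure' "$1" 2>/dev/null || true
}

# write_sample_lock FILE VERSION
# Writes a constructed, minimal Cargo.lock with the given pyo3 version so the
# example runs offline; a real lockfile has many more [[package]] entries.
write_sample_lock() {
    cat > "$1" <<EOF
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "pyo3"
version = "$2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "pyo3-ffi"
version = "$2"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
}

# check_workspace DIR -> human-readable verdict on stdout, call sites on stderr
check_workspace() {
    ver=$(pyo3_locked_version "$1/Cargo.lock")
    case "$(pyo3_status "$1/Cargo.lock")" in
        fixed)      echo "fixed: pyo3 $ver >= $PYO3_MIN" ;;
        vulnerable) echo "vulnerable: pyo3 ${ver:-<not in lockfile>} < $PYO3_MIN (RUSTSEC-2026-0176, RUSTSEC-2026-0177)" ;;
    esac
    hits=$(affected_api_hits "$1/src")
    if [ -n "$hits" ]; then
        printf 'review these call sites:\n%s\n' "$hits" >&2
    fi
}

# Demo with constructed inputs: the pre-fix resolution from the issue (0.24.2),
# then the post-fix one, against a source file that uses none of the affected APIs.
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    echo '#[pyfunction] fn ping() -> u32 { 1 }' > "$dir/src/lib.rs"
    write_sample_lock "$dir/Cargo.lock" "0.24.2"
    check_workspace "$dir"
    write_sample_lock "$dir/Cargo.lock" "0.29.0"
    check_workspace "$dir"
    rm -rf "$dir"
}
demo
```

Point `check_workspace` at `crates/larql-python` (or the workspace root, wherever Cargo.lock lives) to run it against the real tree. Any `new_closure` hit is a direct use of the RUSTSEC-2026-0177 API; `.nth(` hits need a look at the receiver type, because only PyList/PyTuple iterators are in scope for RUSTSEC-2026-0176.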

Metadata

Assignees: No one assigned
Labels: No labels
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests