From 009b1190a97b70c6c232f0f16deb8f51e0d8dd6b Mon Sep 17 00:00:00 2001
From: Connor Tsui
Date: Thu, 11 Jun 2026 18:04:16 -0400
Subject: [PATCH 1/2] bump pyo3 to 0.29

Signed-off-by: Connor Tsui
---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index 35cc2549a84..a804ae950c8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -209,7 +209,7 @@ proc-macro2 = "1.0.95"
 prost = "0.14"
 prost-build = "0.14"
 prost-types = "0.14"
-pyo3 = { version = "0.28.0" }
+pyo3 = { version = "0.29.0" }
 pyo3-bytes = "0.6"
 pyo3-log = "0.13.0"
 pyo3-object_store = "0.9.0"

From 258839bc2b39d4b47e69e38240e6d97eca6e4427 Mon Sep 17 00:00:00 2001
From: Connor Tsui
Date: Thu, 11 Jun 2026 18:17:52 -0400
Subject: [PATCH 2/2] ignore pyo3 rustsec

Signed-off-by: Connor Tsui
---
 Cargo.toml | 2 +-
 deny.toml | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index a804ae950c8..35cc2549a84 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -209,7 +209,7 @@ proc-macro2 = "1.0.95"
 prost = "0.14"
 prost-build = "0.14"
 prost-types = "0.14"
-pyo3 = { version = "0.29.0" }
+pyo3 = { version = "0.28.0" }
 pyo3-bytes = "0.6"
 pyo3-log = "0.13.0"
 pyo3-object_store = "0.9.0"
diff --git a/deny.toml b/deny.toml
index b9f9c79a796..a2a6935ba5b 100644
--- a/deny.toml
+++ b/deny.toml
@@ -16,7 +16,12 @@ ignore = [
 # Paste is no longer maintained because its essentially "finished".
 "RUSTSEC-2024-0436",
 # proc-macro-error-2 is unmaintained, only used by the `test_with` test dependency
-"RUSTSEC-2026-0173"
+"RUSTSEC-2026-0173",
+# Out-of-bounds read in `nth`/`nth_back` on pyo3 list/tuple iterators, fixed only in pyo3
+# 0.29.0. We cannot bump until pyo3-bytes, pyo3-log, and pyo3-object_store support 0.29 (all
+# pin pyo3 to <0.29, and pyo3-ffi `links = "python"` forbids two pyo3 versions in the graph).
+# Not exploitable here: `vortex-python` never calls `nth`/`nth_back` on these iterators.
+"RUSTSEC-2026-0176"
 ]
 
 [licenses]
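Review bot: The rationale on the new RUSTSEC-2026-0176 ignore in deny.toml rests on `vortex-python` never calling `nth`/`nth_back` on pyo3 list/tuple iterators, but in the standard library those methods are also reached indirectly — `Iterator::skip` and `step_by` forward to `nth`, and `.rev().skip(..)` forwards to `nth_back` — so the comment's reachability claim should explicitly cover adapter use (and ideally be backed by a grep for `.skip(`, `.step_by(` and `.nth(` over the code that iterates those pyo3 collections) rather than direct calls only. The entry also has no removal trigger, which is how advisory ignores silently outlive their justification; I would end the comment with a line such as `# TODO: remove this ignore once pyo3 can be bumped to 0.29 (blocked on pyo3-bytes, pyo3-log, pyo3-object_store).` Note that patch 2/2 reverts the Cargo.toml bump from patch 1/2, so the net effect of the series is only this deny.toml ignore, and the comment's "fixed only in pyo3 0.29.0" is currently aspirational rather than applied. If the cargo-deny version in use accepts it, writing the entry as `{ id = "RUSTSEC-2026-0176", reason = "..." }` keeps the justification attached to the advisory id rather than in a free-form comment.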