
chore(deps): bump pyo3 + numpy to 0.29 in /rust (RUSTSEC-2026-0176/0177) #548

Merged
igerber merged 1 commit into main from security-work on Jun 25, 2026

Conversation

@igerber (Owner) commented Jun 25, 2026

Summary

Bumps the Rust backend's pyo3 and numpy crates 0.28 → 0.29 in lockstep, resolving the two open Dependabot security alerts (both for pyo3 < 0.29, both fixed in 0.29.0 — the current latest stable):

Alert  Severity  Advisory                                   Vulnerable API
#1     High      GHSA-36hh-v3qg-5jq4 / RUSTSEC-2026-0176    OOB read in nth/nth_back of PyList/PyTuple iterators
#2     Medium    GHSA-chgr-c6px-7xpp / RUSTSEC-2026-0177    Missing Sync bound on PyCFunction::new_closure

numpy is bumped alongside pyo3 because numpy 0.29 requires pyo3 ^0.29 — they're version-coupled and must move together.

Exposure

Neither vulnerable code path is reachable in this crate: the Rust source has no PyList/PyTuple iteration (.nth/.nth_back), no PyCFunction::new_closure, and the wheel pipeline builds no free-threaded targets. This is dependency hygiene / alert cleanup.

No numerical change

pyo3 and the Rust numpy crate are FFI/binding layers — they marshal bytes across the Python↔Rust boundary and do no floating-point arithmetic. All math (ndarray 0.17, faer 0.24, BLAS) and the bootstrap RNG (rand 0.10, rand_xoshiro 0.8) are unchanged (verified: math/RNG crates byte-identical in the regenerated lockfile; only the pyo3 family + numpy moved). MSRV unaffected (pyo3 0.29 MSRV 1.83 ≤ the crate's 1.85 pin).

Verification (local)

  • cargo build --release (default) and --features accelerate (matches the wheel build) ✅
  • cargo test --release — 40 passed ✅
  • maturin develop --release + DIFF_DIFF_BACKEND=rust pytest tests/test_rust_backend.py -m '': 96 passed, including test_bootstrap_weights_bit_identity_snapshot (byte-for-byte zero-drift proof) and the decimal=10 linalg parity checks ✅
  • Broad numerical smoke (linalg / estimators / SDID / SCM / stacked / wild-bootstrap / Callaway) — 966 passed ✅

Supersedes

Closes out Dependabot PRs #537 (pyo3) and #538 (numpy), which each bumped one crate in isolation and so couldn't resolve (the coupling makes either-alone unsatisfiable).

🤖 Generated with Claude Code

Bumps the Rust backend's pyo3 and numpy crates 0.28 -> 0.29 in lockstep
(numpy 0.29 requires pyo3 ^0.29), resolving two RustSec advisories that
affect pyo3 < 0.29:

- RUSTSEC-2026-0176 (GHSA-36hh-v3qg-5jq4, High): out-of-bounds read in the
  PyList/PyTuple nth/nth_back iterators.
- RUSTSEC-2026-0177 (GHSA-chgr-c6px-7xpp, Medium): missing Sync bound on
  PyCFunction::new_closure closures.

Neither vulnerable path is reachable in this crate: the Rust source has no
PyList/PyTuple iteration, no PyCFunction::new_closure, and builds no
free-threaded wheels. This is a binding-layer-only change -- the math/RNG
crates (ndarray 0.17, faer 0.24, rand 0.10, rand_xoshiro 0.8) are unchanged,
and the Rust-backend bit-identity snapshot test confirms zero numerical drift.

Supersedes Dependabot PRs #537 (pyo3) and #538 (numpy), which each bumped one
crate alone and so could not resolve (the numpy/pyo3 version constraint
couples them).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
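The "Exposure" and "No numerical change" sections of the PR description rest on three checks: only the pyo3 family and numpy moved in the regenerated lockfile, pyo3 now sits at or past the advisories' fixed version, and the crate's source does not call the APIs the advisories name. The script below is an added example, not the project's own tooling or CI, that performs those checks on constructed Cargo.lock snippets and a constructed Rust source fragment. The crate names in PYO3_FAMILY and all version strings are assumptions for the example, and the `.nth(` / `.nth_back(` scan is a heuristic that also matches ordinary `Iterator::nth`, so its hits still need a human to look at the receiver type.

```python
"""Audit a lockstep dependency bump: which crates moved, is anything outside the
intended family among them, is the fixed version reached, and does the source
mention the advisory APIs. Added example; runs offline on constructed inputs."""
import re

# Constructed sample lockfiles (not the real rust/Cargo.lock). Real lockfiles
# also carry source/checksum lines; the parser below ignores anything but
# name/version inside each [[package]] block.
OLD_LOCK = """\
version = 3

[[package]]
name = "ndarray"
version = "0.17.0"

[[package]]
name = "numpy"
version = "0.28.0"
dependencies = ["ndarray", "pyo3"]

[[package]]
name = "pyo3"
version = "0.28.0"
dependencies = ["pyo3-ffi"]

[[package]]
name = "pyo3-ffi"
version = "0.28.0"

[[package]]
name = "rand"
version = "0.10.0"
"""
NEW_LOCK = OLD_LOCK.replace('version = "0.28.0"', 'version = "0.29.0"')
# A bad regeneration that also silently moved a math crate.
DRIFTED_LOCK = NEW_LOCK.replace('version = "0.17.0"', 'version = "0.17.1"')

# Assumed membership of the "pyo3 family" for this example.
PYO3_FAMILY = frozenset({"pyo3", "pyo3-ffi", "pyo3-macros", "pyo3-macros-backend",
                         "pyo3-build-config", "numpy"})


def parse_lock(text):
    """Map crate name -> sorted list of pinned versions (a lockfile may pin several)."""
    versions, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            continue
        m = re.match(r'^(name|version)\s*=\s*"([^"]*)"$', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            if "name" in current and "version" in current:
                versions.setdefault(current["name"], []).append(current["version"])
                current = None  # ignore source/checksum/dependencies lines
    return {name: sorted(v) for name, v in versions.items()}


def changed_packages(old, new):
    """Crates whose pinned version set differs between two parsed lockfiles."""
    return {n: (old.get(n, []), new.get(n, [])) for n in set(old) | set(new)
            if old.get(n, []) != new.get(n, [])}


def check_lockstep_bump(old_text, new_text, allowed=PYO3_FAMILY):
    """(ok, unexpected): unexpected lists crates that moved outside the intended bump."""
    changed = changed_packages(parse_lock(old_text), parse_lock(new_text))
    unexpected = sorted(n for n in changed if n not in allowed)
    return (not unexpected, unexpected)


def parse_semver(v):
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))


def crate_at_least(lock_text, crate, fixed):
    """True only if the crate is pinned and every pinned copy is >= `fixed`."""
    pins = parse_lock(lock_text).get(crate, [])
    return bool(pins) and all(parse_semver(v) >= parse_semver(fixed) for v in pins)


# Heuristic patterns for the two advisory APIs named in the PR description.
ADVISORY_PATTERNS = {
    "RUSTSEC-2026-0176 (PyList/PyTuple iterator nth/nth_back)": re.compile(r"\.nth(_back)?\s*\("),
    "RUSTSEC-2026-0177 (PyCFunction::new_closure)": re.compile(r"PyCFunction::new_closure"),
}


def scan_for_advisory_apis(source):
    """Line numbers per advisory pattern. `.nth(` also matches std Iterator::nth,
    so a hit is a prompt to inspect the receiver, not proof of exposure."""
    hits = {}
    for label, pat in ADVISORY_PATTERNS.items():
        lines = [i for i, ln in enumerate(source.splitlines(), 1) if pat.search(ln)]
        if lines:
            hits[label] = lines
    return hits


# Constructed Rust fragments (not the crate's source); they are scanned, not compiled.
CLEAN_SRC = """\
use pyo3::prelude::*;
#[pyfunction]
fn weights(x: Vec<f64>) -> Vec<f64> { x.iter().map(|v| v * 2.0).collect() }
"""
SUSPECT_SRC = CLEAN_SRC + """\
fn third(list: &Bound<'_, PyList>) -> Option<Bound<'_, PyAny>> { list.iter().nth_back(2) }
"""

if __name__ == "__main__":
    print("lockstep bump clean:", check_lockstep_bump(OLD_LOCK, NEW_LOCK))
    print("drifted lock clean:", check_lockstep_bump(OLD_LOCK, DRIFTED_LOCK))
    print("pyo3 >= 0.29.0:", crate_at_least(NEW_LOCK, "pyo3", "0.29.0"))
    print("clean source hits:", scan_for_advisory_apis(CLEAN_SRC))
    print("suspect source hits:", scan_for_advisory_apis(SUSPECT_SRC))
```

The lockfile diff is the part worth wiring into CI for a bump like this: a version-coupled pair (pyo3 and numpy here) is allowed to move together, and anything else that changes in the regenerated Cargo.lock, such as a math or RNG crate, fails the check rather than relying on a reviewer to spot it.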
@github-actions


PR Review Report

Overall Assessment

✅ Looks good — no unmitigated P0 or P1 findings.

Executive Summary

  • Scope is limited to pyo3/Rust numpy dependency versions and changelog documentation.
  • No estimator, math, weighting, variance/SE, identification assumption, or default behavior is changed.
  • docs/methodology/REGISTRY.md has no implicated method entry because no causal estimator implementation changed.
  • No rust/Cargo.lock is present, so the manifest-only dependency bump is not omitting a tracked lockfile.
  • Rust source search found no direct use of the advisory APIs named in the changelog (PyList/PyTuple iterator nth/nth_back, PyCFunction::new_closure).
  • I did not run builds/tests because this review environment is read-only.

Methodology

  • Severity: P3 informational
    Impact: No affected methods. The only implementation change is dependency versions in rust/Cargo.toml:L24-L26; no estimator equations, weights, inference fields, SE/variance routines, assumptions, or defaults are modified.
    Concrete fix: None.

Code Quality

  • Severity: P3 informational
    Impact: The manifest change is narrow and consistent: pyo3 and Rust numpy are bumped together in rust/Cargo.toml:L24-L26.
    Concrete fix: None.

Performance

  • Severity: P3 informational
    Impact: No performance-sensitive code paths are changed. Math/RNG dependency entries remain unchanged in rust/Cargo.toml:L27-L30.
    Concrete fix: None.

Maintainability

  • Severity: P3 informational
    Impact: Changelog documents the dependency bump and rationale at CHANGELOG.md:L34-L42. There is no committed rust/Cargo.lock, so no lockfile update is required for consistency.
    Concrete fix: None.

Tech Debt

  • Severity: P3 informational
    Impact: No new deferred technical debt is introduced by the diff, and existing TODO.md Rust backend items are not implicated by this dependency bump.
    Concrete fix: None.

Security

  • Severity: P3 informational
    Impact: The PR moves the Rust backend away from the vulnerable pyo3 < 0.29 range in rust/Cargo.toml:L25. Source search found no direct use of the advisory-specific APIs in the crate. No secrets or new unsafe surfaces are introduced by the diff.
    Concrete fix: None.

Documentation/Tests

  • Severity: P3 informational
    Impact: Changelog coverage is adequate for a dependency/security maintenance PR at CHANGELOG.md:L34-L42. Existing Rust CI should exercise cargo test, maturin builds, and Rust-backend Python tests because the PR touches rust/**.
    Concrete fix: Ensure the existing Rust backend CI matrix passes.

@igerber igerber added the ready-for-ci Triggers CI test workflows label Jun 25, 2026
@igerber igerber merged commit 7ddec84 into main Jun 25, 2026
25 of 26 checks passed
@igerber igerber deleted the security-work branch June 25, 2026 13:42