From 40cd6a889c7000c86713605d2d2fcbb0b2e10d4d Mon Sep 17 00:00:00 2001
From: igerber
Date: Thu, 25 Jun 2026 07:48:23 -0400
Subject: [PATCH] chore(deps): bump pyo3 + numpy to 0.29 in /rust (RUSTSEC-2026-0176/0177)
Bumps the Rust backend's pyo3 and numpy crates 0.28 -> 0.29 in lockstep (numpy 0.29 requires pyo3 ^0.29), resolving two RustSec advisories that affect pyo3 < 0.29:
- RUSTSEC-2026-0176 (GHSA-36hh-v3qg-5jq4, High): out-of-bounds read in the PyList/PyTuple nth/nth_back iterators.
- RUSTSEC-2026-0177 (GHSA-chgr-c6px-7xpp, Medium): missing Sync bound on PyCFunction::new_closure closures.
Neither vulnerable path is reachable in this crate: the Rust source has no PyList/PyTuple iteration, no PyCFunction::new_closure, and builds no free-threaded wheels.
This is a binding-layer-only change -- the math/RNG crates (ndarray 0.17, faer 0.24, rand 0.10, rand_xoshiro 0.8) are unchanged, and the Rust-backend bit-identity snapshot test confirms zero numerical drift.
Supersedes Dependabot PRs #537 (pyo3) and #538 (numpy), which each bumped one crate alone and so could not resolve (the numpy/pyo3 version constraint couples them).
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 CHANGELOG.md | 10 ++++++++++
 rust/Cargo.toml | 6 +++---
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f73d63bf..87e89656 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 `treatment_fraction` remains inert (balanced 2×2×2); pass `group_frac`/`partition_frac` via `data_generator_kwargs`. See `docs/methodology/REGISTRY.md` §PowerAnalysis.
+### Security
+- **Bumped the Rust backend's `pyo3` and `numpy` crates 0.28 → 0.29.** Resolves two RustSec
+ advisories in `pyo3 < 0.29` — RUSTSEC-2026-0176 (out-of-bounds read in `PyList`/`PyTuple`
+ `nth`/`nth_back`, High) and RUSTSEC-2026-0177 (missing `Sync` bound on
+ `PyCFunction::new_closure`, Medium). Neither vulnerable path was reachable in this crate
+ (no `PyList`/`PyTuple` iteration, no `new_closure`, no free-threaded wheels); `numpy` 0.29 is
+ bumped in lockstep because it requires `pyo3` ^0.29. No API or numerical change — both crates
+ are FFI/binding layers, and the math/RNG crates (`ndarray`, `faer`, `rand`, `rand_xoshiro`)
+ are unchanged.
+
 ## [3.5.2] - 2026-06-08
 ### Added
diff --git a/rust/Cargo.toml b/rust/Cargo.toml
index 1ec6e287..a97f5b30 100644
--- a/rust/Cargo.toml
+++ b/rust/Cargo.toml
@@ -21,9 +21,9 @@ accelerate = ["ndarray/blas", "dep:blas-src", "blas-src/accelerate"]
 openblas = ["ndarray/blas"]
 [dependencies]
-# PyO3 0.28 supports Python 3.9-3.14
-pyo3 = "0.28"
-numpy = "0.28"
+# PyO3 0.29 supports Python 3.9-3.14
+pyo3 = "0.29"
+numpy = "0.29"
 ndarray = { version = "0.17", features = ["rayon"] }
 rand = "0.10"
 rand_xoshiro = "0.8"