This is an automated email from the ASF dual-hosted git repository.

Jefffrey pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-rs.git


The following commit(s) were added to refs/heads/main by this push:
     new 11a58ac3ec chore: update pyo3 dependency to 0.29 (#10134)
11a58ac3ec is described below

commit 11a58ac3ec7086960376ed1b5da7dc75cad9da0d
Author: Tim Saucer <[email protected]>
AuthorDate: Sat Jun 13 03:19:10 2026 +0200

    chore: update pyo3 dependency to 0.29 (#10134)
    
    # Which issue does this PR close?
    
    None, just a dependency update.
    
    # Rationale for this change
    
    pyo3 has a security vulnerability:
    https://rustsec.org/advisories/RUSTSEC-2026-0176.html
    
    This PR updates to 0.29 to resolve this vulnerability.
    
    # What changes are included in this PR?
    
    Update all crates that use the pyo3 dependency to 0.29
    
    # Are these changes tested?
    
    Updated and run against existing integration test suite.
    
    # Are there any user-facing changes?
    
    No
    
    ---------
    
    Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
---
 .github/workflows/rust.yml                   |  4 +++-
 Cargo.lock                                   | 32 ++++++++++++++--------------
 arrow-pyarrow-integration-testing/Cargo.toml |  2 +-
 arrow-pyarrow-testing/Cargo.toml             |  2 +-
 arrow-pyarrow/Cargo.toml                     |  2 +-
 arrow-pyarrow/src/lib.rs                     |  4 +++-
 6 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 77fccdbebc..f407d8de07 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -118,7 +118,9 @@ jobs:
         uses: ./.github/actions/setup-builder
       - name: Install cargo-msrv (if needed)
         # cargo-msrv binary may be cached by the cargo cache step in 
setup-builder, and cargo install will error if it is already installed
-        run: if which cargo-msrv ; then echo "using existing cargo-msrv 
binary" ; else cargo install cargo-msrv ; fi
+        # --locked uses cargo-msrv's pinned Cargo.lock; without it an unpinned 
transitive
+        # dep (aws-runtime) resolves to a version that fails to compile (E0282)
+        run: if which cargo-msrv ; then echo "using existing cargo-msrv 
binary" ; else cargo install cargo-msrv --locked ; fi
       - name: Check all packages
         run: |
           # run `cargo msrv verify --manifest-path "path/to/Cargo.toml"` to 
see problematic dependencies
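Review bot: `--locked` on the added `run:` line pins cargo-msrv's dependency graph but not cargo-msrv itself, so a fresh install still takes whatever release is newest on crates.io. The `which cargo-msrv` branch also keeps whatever binary the cache restored. For a tool that is built and executed inside CI, I would pin the release too, e.g. `cargo install cargo-msrv --locked --version <PINNED_VERSION>`, and confirm that the cache in setup-builder (not visible here) is invalidated when that version changes. The new comment would also age better if it gave the general reason first, such as `# --locked: build cargo-msrv from its own Cargo.lock for reproducible tool builds`, since the aws-runtime/E0282 detail will stop being true over time.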
diff --git a/Cargo.lock b/Cargo.lock
index af1c980d45..f3fb4cfb6f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -106,7 +106,7 @@ version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index";
 checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
 dependencies = [
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -117,7 +117,7 @@ checksum = 
"291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
 dependencies = [
  "anstyle",
  "once_cell_polyfill",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -1250,7 +1250,7 @@ source = 
"registry+https://github.com/rust-lang/crates.io-index";
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -2134,7 +2134,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index";
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -2657,9 +2657,9 @@ dependencies = [
 
 [[package]]
 name = "pyo3"
-version = "0.28.3"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "91fd8e38a3b50ed1167fb981cd6fd60147e091784c427b8f7183a7ee32c31c12"
+checksum = "cd274650b21d4bfc26a0a47587962c1edb425f69287324355cd040c3ea66071c"
 dependencies = [
  "libc",
  "once_cell",
@@ -2670,18 +2670,18 @@ dependencies = [
 
 [[package]]
 name = "pyo3-build-config"
-version = "0.28.3"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "e368e7ddfdeb98c9bca7f8383be1648fd84ab466bf2bc015e94008db6d35611e"
+checksum = "c5e2a7d2f0d013342f295c048ad19237add5154a55b1c5a254c0ec93d4109078"
 dependencies = [
  "target-lexicon",
 ]
 
 [[package]]
 name = "pyo3-ffi"
-version = "0.28.3"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "7f29e10af80b1f7ccaf7f69eace800a03ecd13e883acfacc1e5d0988605f651e"
+checksum = "ca85c467da1bbc8d866eea5deff9cf29ea5f7785054a17da36e65bda9c05845b"
 dependencies = [
  "libc",
  "pyo3-build-config",
@@ -2960,7 +2960,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -3224,7 +3224,7 @@ source = 
"registry+https://github.com/rust-lang/crates.io-index";
 checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
 dependencies = [
  "libc",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -3333,10 +3333,10 @@ source = 
"registry+https://github.com/rust-lang/crates.io-index";
 checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
  "fastrand",
- "getrandom 0.3.4",
+ "getrandom 0.4.2",
  "once_cell",
  "rustix",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -3346,7 +3346,7 @@ source = 
"registry+https://github.com/rust-lang/crates.io-index";
 checksum = "230a1b821ccbd75b185820a1f1ff7b14d21da1e442e22c0863ea5f08771a8874"
 dependencies = [
  "rustix",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4020,7 +4020,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index";
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
diff --git a/arrow-pyarrow-integration-testing/Cargo.toml 
b/arrow-pyarrow-integration-testing/Cargo.toml
index 25a4599363..46abd8ad3d 100644
--- a/arrow-pyarrow-integration-testing/Cargo.toml
+++ b/arrow-pyarrow-integration-testing/Cargo.toml
@@ -34,4 +34,4 @@ crate-type = ["cdylib"]
 
 [dependencies]
 arrow = { path = "../arrow", features = ["pyarrow"] }
-pyo3 = { version = "0.28.0", features = ["extension-module"] }
+pyo3 = { version = "0.29.0", features = ["extension-module"] }
diff --git a/arrow-pyarrow-testing/Cargo.toml b/arrow-pyarrow-testing/Cargo.toml
index 87e291c35a..d5542e25d6 100644
--- a/arrow-pyarrow-testing/Cargo.toml
+++ b/arrow-pyarrow-testing/Cargo.toml
@@ -48,4 +48,4 @@ publish = false
 # Note no dependency on arrow, to ensure arrow-pyarrow can be used by itself
 arrow-array = { path = "../arrow-array" }
 arrow-pyarrow = { path = "../arrow-pyarrow" }
-pyo3 = { version = "0.28.0", default-features = false }
+pyo3 = { version = "0.29.0", default-features = false }
diff --git a/arrow-pyarrow/Cargo.toml b/arrow-pyarrow/Cargo.toml
index f7b7a42bf9..9f21a9dcb0 100644
--- a/arrow-pyarrow/Cargo.toml
+++ b/arrow-pyarrow/Cargo.toml
@@ -39,4 +39,4 @@ all-features = true
 arrow-array = { workspace = true, features = ["ffi"] }
 arrow-data = { workspace = true }
 arrow-schema = { workspace = true }
-pyo3 = { version = "0.28.0", default-features = false }
+pyo3 = { version = "0.29.0", default-features = false }
diff --git a/arrow-pyarrow/src/lib.rs b/arrow-pyarrow/src/lib.rs
index 484324665c..c0d91d0811 100644
--- a/arrow-pyarrow/src/lib.rs
+++ b/arrow-pyarrow/src/lib.rs
@@ -139,7 +139,9 @@ fn validate_pycapsule(capsule: &Bound<PyCapsule>, name: 
&str) -> PyResult<()> {
         ));
     }
 
-    let capsule_name = unsafe { capsule_name.unwrap().as_cstr().to_str()? };
+    let capsule_name = unsafe { capsule_name.unwrap().as_cstr() }
+        .to_str()
+        .map_err(|e| PyValueError::new_err(e.to_string()))?;
     if capsule_name != name {
         return Err(PyValueError::new_err(format!(
             "Expected name '{name}' in PyCapsule, instead got 
'{capsule_name}'",
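Review bot: The narrowed `unsafe` block around `capsule_name.unwrap().as_cstr()` has no `// SAFETY:` comment, although this function checks a capsule's name against the expected one before the caller trusts it, so the invariant should be written down. Something like `// SAFETY: capsule is borrowed for the whole call and the name is only read before returning` would do, assuming that matches the contract pyo3 0.29 documents for `as_cstr` (worth confirming). The `.unwrap()` appears to depend on a `None` check just above the hunk; an `.expect("capsule name checked above")` or a `let ... else` would make that dependency explicit. The new `map_err` reports only the UTF-8 error text, so prefixing it with the expected `name` would make a rejected capsule easier to diagnose. The body of `validate_pycapsule` starts and ends outside this hunk.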
