dependabot[bot] opened a new pull request, #3244: URL: https://github.com/apache/arrow-datafusion/pull/3244
Updates the requirements on [pyo3](https://github.com/pyo3/pyo3) to permit the latest version. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pyo3/pyo3/releases";>pyo3's releases</a>.</em></p> <blockquote> <h2>PyO3 0.16.6</h2> <p>This release is a tactical set of soundness fixes identified for the <code>PyCapsule</code> bindings released in PyO3 0.16. To avoid breaking API changes capsules created with <code>PyCapsule::new</code> and <code>PyCapsule::new_with_destructor</code> will now leak their contents (and not call the destructor) if released on a thread other than the one they were created.</p> <p>PyO3 0.17 will be released shortly with breaking API changes which resolve the <code>PyCapsule</code> issues with better design (e.g. the <code>destructor</code> has a <code>Send</code> bound added). Users are encouraged to upgrade at their earliest convenience.</p> <p>Thanks to <a href="https://github.com/saethlin";><code>@saethlin</code></a> for reporting the issue, and to <a href="https://github.com/adamreichold";><code>@adamreichold</code></a> and <a href="https://github.com/davidhewitt";><code>@davidhewitt</code></a> for implementing the resolution.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md";>pyo3's changelog</a>.</em></p> <blockquote> <h2>[0.16.6] - 2022-08-23</h2> <p>### Changed</p> <ul> <li>Fix soundness issues with <code>PyCapsule</code> type with select workarounds. Users are encourage to upgrade to PyO3 0.17 at their earliest convenience which contains API breakages which fix the issues in a long-term fashion. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2522";>#2522</a> <ul> <li><code>PyCapsule::new</code> and <code>PyCapsule::new_with_destructor</code> now take ownership of a copy of the <code>name</code> to resolve a possible use-after-free.</li> <li><code>PyCapsule::name</code> now returns an empty <code>CStr</code> instead of dereferencing a null pointer if the capsule has no name.</li> <li>The destructor <code>F</code> in <code>PyCapsule::new_with_destructor</code> will never be called if the capsule is deleted from a thread other than the one which the capsule was created in (a warning will be emitted).</li> </ul> </li> <li>Panics during drop of panic payload caught by PyO3 will now abort. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2544";>#2544</a></li> </ul> <h2>[0.16.5] - 2022-05-15</h2> <h3>Added</h3> <ul> <li>Add an experimental <code>generate-import-lib</code> feature to support auto-generating non-abi3 python import libraries for Windows targets. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2364";>#2364</a></li> <li>Add FFI definition <code>Py_ExitStatusException</code>. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2374";>#2374</a></li> </ul> <h3>Changed</h3> <ul> <li>Deprecate experimental <code>generate-abi3-import-lib</code> feature in favor of the new <code>generate-import-lib</code> feature. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2364";>#2364</a></li> </ul> <h3>Fixed</h3> <ul> <li>Added missing <code>warn_default_encoding</code> field to <code>PyConfig</code> on 3.10+. The previously missing field could result in incorrect behavior or crashes. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2370";>#2370</a></li> <li>Fixed order of <code>pathconfig_warnings</code> and <code>program_name</code> fields of <code>PyConfig</code> on 3.10+. Previously, the order of the fields was swapped and this could lead to incorrect behavior or crashes. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2370";>#2370</a></li> </ul> <h2>[0.16.4] - 2022-04-14</h2> <h3>Added</h3> <ul> <li>Add <code>PyTzInfoAccess</code> trait for safe access to time zone information. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2263";>#2263</a></li> <li>Add an experimental <code>generate-abi3-import-lib</code> feature to auto-generate <code>python3.dll</code> import libraries for Windows. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2282";>#2282</a></li> <li>Add FFI definitions for <code>PyDateTime_BaseTime</code> and <code>PyDateTime_BaseDateTime</code>. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2294";>#2294</a></li> </ul> <h3>Changed</h3> <ul> <li>Improved performance of failing calls to <code>FromPyObject::extract</code> which is common when functions accept multiple distinct types. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2279";>#2279</a></li> <li>Default to "m" ABI tag when choosing <code>libpython</code> link name for CPython 3.7 on Unix. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2288";>#2288</a></li> <li>Allow to compile "abi3" extensions without a working build host Python interpreter. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2293";>#2293</a></li> </ul> <h3>Fixed</h3> <ul> <li>Crates depending on PyO3 can collect code coverage via LLVM instrumentation using stable Rust. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2286";>#2286</a></li> <li>Fix segfault when calling FFI methods <code>PyDateTime_DATE_GET_TZINFO</code> or <code>PyDateTime_TIME_GET_TZINFO</code> on <code>datetime</code> or <code>time</code> without a tzinfo. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2289";>#2289</a></li> <li>Fix directory names starting with the letter <code>n</code> breaking serialization of the interpreter configuration on Windows since PyO3 0.16.3. <a href="https://github-redirect.dependabot.com/PyO3/pyo3/pull/2299";>#2299</a></li> </ul> <h2>[0.16.3] - 2022-04-05</h2> <h3>Packaging</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PyO3/pyo3/commit/4fdebfc630b7c956b05c0e03b21e36bb7f79f72a";><code>4fdebfc</code></a> release: 0.16.6</li> <li><a href="https://github.com/PyO3/pyo3/commit/dde98a00c412de77fb6cf9b897d8cef1e86166e1";><code>dde98a0</code></a> pin bumpalo</li> <li><a href="https://github.com/PyO3/pyo3/commit/30211a66ea1f0d838d7d6c9cef1301fa0aef3777";><code>30211a6</code></a> ui test fixes</li> <li><a href="https://github.com/PyO3/pyo3/commit/5c74ddfe926fec90c36292e337c989ed46efc7d9";><code>5c74ddf</code></a> clippy fixes</li> <li><a href="https://github.com/PyO3/pyo3/commit/7426aea75e5712f21123f2f1e1529e68d2477d64";><code>7426aea</code></a> safety: abort on uncaught panics</li> <li><a href="https://github.com/PyO3/pyo3/commit/916abf686471146cd6795c2c0d09a30e49108e15";><code>916abf6</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pyo3/pyo3/issues/2522";>#2522</a> from davidhewitt/capsule-soundness-backport</li> <li><a href="https://github.com/PyO3/pyo3/commit/c267acee8ca271935bc68c4f4822394623da7b4b";><code>c267ace</code></a> ci: fix nightly UI tests</li> <li><a href="https://github.com/PyO3/pyo3/commit/86740f9714d3f4ecbe4675f91566376b6a9319f7";><code>86740f9</code></a> ci: fix nightly ui tests</li> <li><a href="https://github.com/PyO3/pyo3/commit/96427ee30a60c7878e0fd2167a0702c2b06ce405";><code>96427ee</code></a> Use proper method for pinning MSRV minimal package versions</li> <li><a href="https://github.com/PyO3/pyo3/commit/1e8f6d9213889e8bb3ef994401f95d9a36307a19";><code>1e8f6d9</code></a> Try fix hashbrown version on msrv</li> <li>Additional commits viewable in <a href="https://github.com/pyo3/pyo3/compare/v0.16.0...v0.16.6";>compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
