security: upgrade pyo3 to 0.24.x and patch transitive vulnerabilities (python bindings)#7
Merged
Clears all 4 advisories in the standalone bindings/python/Cargo.lock
(cargo audit: 0 vulnerabilities after):
- pyo3 0.22.6 -> 0.24.2 — RUSTSEC-2025-0020 (PyString::from_object buffer
overflow). Kept the `abi3-py38` feature: 0.24 still supports Python 3.8
(0.25+ drops it), so the wheel stays cp38-abi3 — no loss of 3.8 support.
- rustls-webpki 0.103.x -> 0.103.13 — RUSTSEC-2026-0104 (CRL-parse panic,
High) + RUSTSEC-2026-0098/-0099 (cert name-constraint bypasses).
- rand -> 0.9.4 / 0.8.6 — clears the rng() unsoundness notice.
The binding was already on PyO3's Bound API, so the 0.22->0.24 break was
limited to the deprecated transitional aliases (no logic change):
PyModule::import_bound -> PyModule::import (1 site)
PyDict::new_bound -> PyDict::new (4 sites)
Verified: `cargo audit` clean; `maturin build` -> cp38-abi3 wheel;
`import rdapify_py` (version 0.7.0, all 9 functions present) and a live
`domain("example.com")` lookup both succeed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The wheel was tagged 0.4.0 while the crate's __version__ (from CARGO_PKG_VERSION) and the rest of the ecosystem are 0.7.0. Align pyproject.toml so built wheels are tagged rdapify_py-0.7.0-cp38-abi3.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

Hardens the standalone `bindings/python` crate, whose separate `Cargo.lock` was not covered by PR #5. `cargo audit` on that lock now reports 0 vulnerabilities (was 4).

Advisories cleared

- pyo3 — `PyString::from_object` buffer overflow
- rustls-webpki
- rustls-webpki
- rand — `rng()` unsoundness

PyO3 0.22 → 0.24 — minimal break

Kept `abi3-py38` (0.24 still supports Python 3.8; 0.25+ drops it), so the wheel stays `cp38-abi3` — no loss of 3.8 support. The binding was already on the Bound API, so the only changes were the deprecated transitional aliases (no logic change):
- `PyModule::import_bound` → `PyModule::import` (1)
- `PyDict::new_bound` → `PyDict::new` (4)

Verification

- `cargo audit` (python lock) → 0 vulnerabilities
- `maturin build` → `rdapify_py-…-cp38-abi3-manylinux_2_34_x86_64.whl`
- `import rdapify_py` → version `0.7.0`, all 9 functions present
- `domain("example.com")` → returns RDAP data (entities/events/handle/ldhName/…)

🤖 Generated with Claude Code
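The verification steps above are run by hand in this PR. As an added example (not the project's own code), the script below automates the two checks that caught real problems here: the wheel tag must carry the crate version and the `cp38-abi3` ABI (the 0.4.0 vs 0.7.0 mismatch fixed in the second commit), and the imported module must report the expected `__version__` and expose every expected function. The function names passed in are the caller's choice; the page does not list the nine names, so the sample below uses constructed ones.

```python
"""Post-build checks for an abi3 wheel and the module it ships (added example)."""
import re
from typing import Iterable, List

# PEP 427 wheel filename: {name}-{version}(-{build})?-{python}-{abi}-{platform}.whl
_WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)


def parse_wheel_filename(filename: str) -> dict:
    """Split a wheel filename into its PEP 427 components."""
    m = _WHEEL_RE.match(filename)
    if not m:
        raise ValueError(f"not a valid wheel filename: {filename}")
    return m.groupdict()


def check_wheel(filename: str, expected_version: str,
                expected_python: str = "cp38", expected_abi: str = "abi3") -> List[str]:
    """Return the list of tag mismatches; an empty list means the wheel looks right."""
    tags = parse_wheel_filename(filename)
    problems = []
    if tags["version"] != expected_version:
        problems.append(f"version tag {tags['version']} != crate version {expected_version}")
    if (tags["python"], tags["abi"]) != (expected_python, expected_abi):
        problems.append(f"tag {tags['python']}-{tags['abi']} != {expected_python}-{expected_abi}")
    return problems


def check_module(mod, expected_version: str, expected_funcs: Iterable[str]) -> List[str]:
    """Check __version__ and that every expected function is present and callable."""
    problems = []
    got = getattr(mod, "__version__", None)
    if got != expected_version:
        problems.append(f"__version__ {got!r} != {expected_version!r}")
    for name in expected_funcs:
        if not callable(getattr(mod, name, None)):
            problems.append(f"missing function: {name}")
    return problems


if __name__ == "__main__":
    # Constructed filename reproducing the mismatch this PR's second commit fixed.
    for p in check_wheel("rdapify_py-0.4.0-cp38-abi3-manylinux_2_34_x86_64.whl", "0.7.0"):
        print("wheel:", p)
```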