deps: upgrade PyO3 to 0.29 #325
Bump PyO3 from 0.28 to 0.29.0 to pick up the security fix, moving the whole binding family in lockstep (they must share one PyO3 minor):

- pyo3 0.28 -> 0.29.0
- numpy 0.28 -> 0.29.0
- pythonize 0.28 -> 0.29.0
- pyo3-arrow 0.17 -> 0.19.0
- pyo3-object_store 0.9 -> 0.11.0 (pulls pyo3-async-runtimes 0.29)

pyo3-arrow 0.19 and nuts-rs 0.18.3 both require arrow 59, so bump arrow 58 -> 59 and nuts-rs 0.18.0 -> 0.18.3 to keep them aligned.

nuts-rs 0.18.3 removed ArrowConfig::new(); use ArrowConfig::default() (store_warmup: true), which preserves the previous behavior.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
This PR upgrades the Rust/Python interoperability stack to PyO3 0.29.0 (to pick up the referenced security fix) and updates related crates that must share the same PyO3 minor version, while keeping the Arrow/NUTS integration compatible by bumping Arrow to v59 and nuts-rs to 0.18.3.
Changes:
- Bump PyO3-family dependencies (`pyo3`, `numpy`, `pythonize`, `pyo3-object_store`) to 0.29.0-compatible versions.
- Align Arrow ecosystem dependencies by upgrading `arrow` to 59.0.0 and `pyo3-arrow` to 0.19.0.
- Update sampler storage config initialization to use `ArrowConfig::default()` (since `ArrowConfig::new()` was removed upstream).
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/wrapper.rs | Replaces removed ArrowConfig::new() with ArrowConfig::default() for nuts-rs 0.18.3 compatibility. |
| Cargo.toml | Updates dependency versions to PyO3 0.29 / Arrow 59 / nuts-rs 0.18.3 aligned set. |
| Cargo.lock | Regenerates lockfile to reflect the upgraded dependency graph and checksums. |
Thanks!

Right, it's just an automated security tool screening issue. I should have been more specific.

No worries, and of course we should fix it anyway :-)

Summary
Upgrades PyO3 from 0.28 to 0.29.0 to pick up the security fix (patched version >=0.29.0). Because every PyO3 binding crate links the same FFI symbols, they must share one PyO3 minor version, so the whole family moves in lockstep:
- `pyo3`
- `numpy`
- `pythonize`
- `pyo3-arrow`
- `pyo3-object_store` (pulls `pyo3-async-runtimes` 0.29)

`pyo3-arrow` 0.19 and `nuts-rs` 0.18.3 both require arrow 59, so `arrow` is bumped 58 → 59 and `nuts-rs` 0.18.0 → 0.18.3 to keep them aligned. `zarrs` 0.23.2 / `zarrs_object_store` 0.6.0 still satisfy nuts-rs 0.18.3, so no change there.

Source change
`nuts-rs` 0.18.3 removed `ArrowConfig::new()`; replaced with `ArrowConfig::default()` (`store_warmup: true`), which preserves the previous behavior.

Verification
`cargo build` passes cleanly against the full upgraded graph (PyO3 0.29.0, arrow 59, nuts-rs 0.18.3). The lockfile regeneration is isolated in its own commit.

🤖 Generated with Claude Code