Bump pyo3 from 0.28.3 to 0.29.0 in /bindings/python

[dependabot]

Bumps pyo3 from 0.28.3 to 0.29.0.

Release notes

Sourced from pyo3's releases.

PyO3 0.29.0

This release is a relatively large release with improvements across many areas of PyO3's API.

Build and packaging changes

This release brings full support for Python 3.15 beta. We encourage downstream projects to begin testing and distributing Python 3.15 beta wheels so that the ecosystem can prepare for the 3.15 final release later in the year.

Alongside Python 3.15 support comes support for its new "abi3t" stable ABI which supports both free-threaded and gil-enabled Python builds. For projects distributing stable ABI wheels, we recommend distributing (for each OS/architecture) an abi3 wheel built for your minimum supported Python version, a 3.14t version-specific wheel for free-threaded Python 3.14, and an abi3t wheel to support Python 3.15 (and future versions).

Support for Python 3.7 has been dropped. Support for Python 3.13t, the first experimental free-threaded release of CPython, has also been dropped. 3.14t (and soon 3.15t) is more stable, performant, and the starting point for CPython's own declaration of "support" for the free-threaded build.

The PyO3 build process (via the pyo3-build-config crate) has been adjusted to reduce the cost of rebuilds when the environment used to detect the Python interpreter changes; pyo3-build-config and pyo3-macros will no longer be rebuilt in such cases (although pyo3-ffi and crates downstream of it still will be rebuilt). As a consequence the pyo3_build_config APIs now require crates to have a direct dependency on pyo3 or pyo3-ffi. We hope to continue to reduce rebuild frequency and cost in a future PyO3 release.

Security updates

With the recent boom in AI-assisted security scanning, PyO3 has inevitably had several correctness issues exposed by AI-assisted scanning.

In particular, PyO3 0.29 fixes two security vulnerabilities we will be releasing to the RustSec Advisory Database imminently:

• Missing Sync bound on PyCFunction::new_closure closures
• Possible out of bounds read in BoundTupleIterator::nth_back and BoundListIterator::nth_back

Any code using the above APIs is advised to update as soon as possible.

This release also contains several other minor breaking changes to close soundness holes uncovered by AI-assisted scanning. Our assessment as maintainers was that, excluding the two vulnerability cases listed above, these correctness issues would likely have crashed immediately upon user testing rather than leading to attacker-exploitable pathways. We nevertheless wanted to see them closed without the usual deprecation cycle. These cases are noted in the migration guide.

Other major themes in this release

New in this release is a CLI in pyo3-introspection to generate type stubs along with the experimental-inspect feature. Downstream, maturin has also gained support to generate type stubs using the feature. The feature is reaching a point where substantial amount of type stubs can be generated automatically. We would like to encourage users to begin using this feature and helping us find what functionality is missing, with a hope we can declare its API stable given sufficient feedback.

A substantial amount of effort has been invested in pyo3-ffi as part of the process of extending it with 3.15's new APIs. There have been many missing APIs from older Python versions added. There have also been a number of fixes to incorrect definitions (these are breaking changes, but also necessary for correctness); we hope there will be far fewer such cases in the future due to more comprehensive checking added to PyO3's CI. Finally, many private CPython APIs (those with _Py underscore-named prefix) have been removed from pyo3-ffi's public API.

In closing

There are also many other incremental improvements, bug fixes and smaller features; full detail can be found in the CHANGELOG.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following contributors' commits are included in this release:

@​Alc-Alc @​alex @​anuraaga @​BD103 @​bschoenmaeckers @​Cheukting @​chirizxc @​ChristopherRabotin @​clin1234 @​codeguru42 @​davidhewitt

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.29.0] - 2026-06-11

Packaging

• Support the new PEP 803 abi3t ABI with new abi3t and abi3t-py315 features. #5807
• pyo3-macros-backend no longer depends on pyo3-build-config. #5809
• Drop support for Python 3.13t (3.14t and above continue to be supported; CPython declared free-threading supported starting with Python 3.14). #5865
• Drop support for Python 3.7. #5912
• Extend range of supported versions of hashbrown optional dependency to include version 0.17. #5973
• Support Python 3.15.0b1. #6014
• pyo3-ffi is now no_std. #6022

Added

• Add PyErr::set_traceback to set the traceback of an exception object. #5349
• Add PyUnicodeDecodeError::new_err_from_utf8 to create a PyErr from a str::Utf8Error. #5668
• experimental-inspect: implement INPUT_TYPE and OUTPUT_TYPE on optional third-party crate conversions. #5770
• experimental-inspect: include doc comments in generated stubs. #5782
• Add pyo3_build_config::PythonAbi, pyo3_build_config::PythonAbiKind, pyo3_build_config::PythonAbiBuilder, pyo3_build_config::InterpreterConfig::target_abi, and pyo3_build_config::InterpreterConfigBuilder::target_abi. #5807
• Add Borrowed::get as an equivalent to Bound::get and Py::get. #5849
• Add PyFrame::new, PyTraceBack::new, and PyFrameMethods::line_number. #5857
• Add PyUntypedBuffer::obj to retrieve the Python object owning the buffer. #5870
• Add PyCapsule::new_with_value and PyCapsule::new_with_value_and_destructor. #5881
• Add PyErr::set_context and PyErr::context. #5887
• Add a small CLI to pyo3-introspection to generate stubs. #5904
• Add Python::version_str. #5921
• Add TryFrom<&Bound<T>> for PyRef<T>, PyRefMut<T>, PyClassGuard<T> and PyClassGuardMut<T>. #5922
• Add From<&Bound<T>> for Bound<T> and Py<T> #5922
• Add PyDictMethods::set_default and PyDictMethods::set_default_ref to allow atomically setting default values in a PyDict. #5955
• add PyFrameMethods::outer|code|var|builtins|globals|locals. #5967
• Add From conversions for PyErr from std::time::TryFromFloatSecsError, std::time::SystemTimeError, std::path::StripPrefixError, std::env::JoinPathsError, std::char::ParseCharError, and std::char::CharTryFromError. #6001
• Add pyo3_build_config::InterpreterConfigBuilder. #6034
• Add PyCapsule::import_pointer #6066
• Add PyClassGuardMapMut. #6073
• Expose PyListMethods::get_item_unchecked, PyTupleMethods::get_item_unchecked, and PyTupleMethods::get_borrowed_item_unchecked on abi3. #6075
• Add PyClassGuardMapSuper. #6104
• Add PyClassGuard and PyClassGuardMut to pyo3::prelude. #6112
• Add Debug impls for PyClassGuard and PyClassGuardMut. #6112
• Enable extending PyDateTime, PyDate, PyTime, PyDelta and PyTzInfo on abi3 with python 3.12+. #6115
• Expose PyFunction available on abi3. #6117
• FFI definitions:
  • Added FFI definitions PyUnstable_Object_IsUniquelyReferenced, PyUnstable_Object_IsUniquelyReferencedTemporary, PyUnstable_EnableTryIncref, and PyUnstable_TryIncref. #5828
  • Add FFI definitions ffi::PyErr_GetHandledException and ffi::PyErr_SetHandledException. #5887
  • Add FFI definition Py_HASH_SIPHASH13. #5891
  • Add FFI definition PyStructSequence_UnnamedField constant on Python 3.9 and up (or 3.11 with abi3 features). #5892
  • Add FFI definitions PyUnstable_InterpreterFrame_GetCode, PyUnstable_InterpreterFrame_GetLasti, PyUnstable_InterpreterFrame_GetLine, and PyUnstable_ExecutableKinds. #5932
  • Add FFI definitions PyMarshal_WriteLongToFile, PyMarshal_WriteObjectToFile, PyMarshal_ReadLongFromFile, PyMarshal_ReadShortFromFile, PyMarshal_ReadObjectFromFile, and PyMarshal_ReadLastObjectFromFile. #5934
  • Add FFI definitions PyObject_GetAIter, PyAIter_Check, PyMapping_HasKeyWithError, PyMapping_HasKeyStringWithError, PyMapping_GetOptionalItem, PyMapping_GetOptionalItemString, PySequence_ITEM, PySequence_Fast_GET_SIZE, PySequence_Fast_GET_ITEM, and PySequence_Fast_ITEMS. #5942
  • Add FFI definition compat::PyObject_HasAttrWithError. #5944
  • Add FFI definitions PyDict_SetDefault, PyDict_SetDefaultRef, PyDict_ContainsString, PyDict_Pop, PyDict_PopString, PyDict_ClearWatcher, PyDict_Watch, PyDict_Unwatch, and PyFrozenDict_New. #5947

... (truncated)

Commits

• 0f90242 release: 0.29.0 (#6107)
• cd128ed doc: mention abi3t, python3t.dll, and abi3t_compat folder in FAQ (#6124)
• 7e2ef18 Avoid type checks in methods where CPython already guarantees the received ty...
• f930199 docs: additional detail in migration guide for 0.29 (#6123)
• 91ab0d1 Enable Windows abi3t tests (#6106)
• fe0fdd5 add PyLong* API (3.14+) (#6016)
• f41b1df Hang when reattaching after detach during shutdown (#6085)
• 5ae66a8 Fix double import on RustPython (#6122)
• ad4a510 PyFunction: enable some extra tests with abi3 (#6118)
• c79ac0e ci: Add test for minimum supported debug build of Python (#5852)
• Additional commits viewable in compare view

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​pyo3@​0.28.3 ⏵ 0.29.0	+2

View full report

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[codacy-production]

Pull Request Overview

While the Codacy analysis is up to standards, this update introduces critical breaking changes, including the removal of support for Python 3.7 and 3.13t, and stricter Sync bounds on closures. Furthermore, there is a discrepancy between the files changed (Cargo.lock only) and the acceptance criteria requiring a manifest update (Cargo.toml). Verification of the build and existing test suite is necessary to mitigate the risk of compilation failures or runtime regressions.

About this PR

• New stricter Sync bounds on closures may cause compilation failures in the current Rust code. The PR currently lacks verification logs or evidence that the bindings still compile correctly under these new constraints.
• While the acceptance criteria requires updating the dependency in Cargo.toml, only Cargo.lock is present in the PR. Ensure the manifest is correctly updated and that the version change is intentional.
• The updated dependency version removes support for Python 3.7 and 3.13t. Verify that this does not impact existing consumers or the project's supported environment matrix.

Test suggestions

• Verify the bindings/python crate compiles successfully against the updated version to ensure no breaking API changes affect the current implementation.
• Execute the existing Python test suite to confirm that the extension module functions correctly at runtime with the new dependency version.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify the bindings/python crate compiles successfully against the updated version to ensure no breaking API changes affect the current implementation.
2. Execute the existing Python test suite to confirm that the extension module functions correctly at runtime with the new dependency version.

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}

[mkh-user]

@dependabot rebase