From d46f18f76439cd7924f8c030d3caeda714cda911 Mon Sep 17 00:00:00 2001
From: Mykhailo Chalyi
Date: Fri, 26 Jun 2026 09:14:31 +0000
Subject: [PATCH] chore(deps): drop stale pyo3 advisory ignores resolved by 0.29
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RUSTSEC-2026-0176 (OOB read in PyList/PyTuple iterators) and RUSTSEC-2026-0177 (missing Sync bound on PyCFunction::new_closure) were both patched in pyo3 >=0.29. The workspace now resolves pyo3 0.29.0 (and pyo3-async-runtimes 0.29.0) after #2122, so these advisory ignores in deny.toml are no longer needed — their own comments flagged them for removal on the 0.29 bump.
---
 deny.toml | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/deny.toml b/deny.toml
index 0f78dcd0..b5e9410b 100644
--- a/deny.toml
+++ b/deny.toml
@@ -38,15 +38,9 @@ ignore = [
 # Unmaintained build-time proc-macro in the bench harness only (not shipped
 # library code); no upgrade available (tabled 0.21 is latest)
 "RUSTSEC-2026-0173",
- # pyo3: OOB read in PyList/PyTuple nth/nth_back (RUSTSEC-2026-0176)
- # Patched in pyo3 >=0.29, but pyo3-async-runtimes has no 0.29 release yet
- # (still pins pyo3 0.28), so we can't upgrade. Host-side Python bindings
- # only — not reachable from sandboxed scripts. Remove on pyo3 0.29 bump.
- "RUSTSEC-2026-0176",
- # pyo3: missing Sync bound on PyCFunction::new_closure (RUSTSEC-2026-0177)
- # Same 0.29 blocker; `new_closure` is not called anywhere in this
- # workspace, so the unsound API is unreachable. Remove on pyo3 0.29 bump.
- "RUSTSEC-2026-0177",
+ # NOTE: RUSTSEC-2026-0176 and RUSTSEC-2026-0177 (pyo3 OOB read / missing
+ # Sync bound) were resolved by the pyo3 0.29 bump (#2122); both ignores
+ # have been removed now that the workspace resolves pyo3 >=0.29.
 ]

 [bans]
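Review bot: The three added `# NOTE:` lines inside the `ignore` array describe entries that no longer exist, so they read as changelog text rather than configuration and will go stale once nobody remembers the 0.29 bump. Anyone searching deny.toml for `RUSTSEC-2026-0176` or `RUSTSEC-2026-0177` to check whether an advisory is still suppressed will match this comment and has to read it closely to learn that it is not. The commit message and #2122 already carry the history, so I would drop the added lines and let the list end at `"RUSTSEC-2026-0173",`. The `ignore` array opens outside the hunk, so the remaining entries are not visible here.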