Bump pyo3 from 0.28.2 to 0.29.0

[dependabot]

Bumps pyo3 from 0.28.2 to 0.29.0.

Release notes

Sourced from pyo3's releases.

PyO3 0.29.0

This release is a relatively large release with improvements across many areas of PyO3's API.

Build and packaging changes

This release brings full support for Python 3.15 beta. We encourage downstream projects to begin testing and distributing Python 3.15 beta wheels so that the ecosystem can prepare for the 3.15 final release later in the year.

Alongside Python 3.15 support comes support for its new "abi3t" stable ABI which supports both free-threaded and gil-enabled Python builds. For projects distributing stable ABI wheels, we recommend distributing (for each OS/architecture) an abi3 wheel built for your minimum supported Python version, a 3.14t version-specific wheel for free-threaded Python 3.14, and an abi3t wheel to support Python 3.15 (and future versions).

Support for Python 3.7 has been dropped. Support for Python 3.13t, the first experimental free-threaded release of CPython, has also been dropped. 3.14t (and soon 3.15t) is more stable, performant, and the starting point for CPython's own declaration of "support" for the free-threaded build.

The PyO3 build process (via the pyo3-build-config crate) has been adjusted to reduce the cost of rebuilds when the environment used to detect the Python interpreter changes; pyo3-build-config and pyo3-macros will no longer be rebuilt in such cases (although pyo3-ffi and crates downstream of it still will be rebuilt). As a consequence the pyo3_build_config APIs now require crates to have a direct dependency on pyo3 or pyo3-ffi. We hope to continue to reduce rebuild frequency and cost in a future PyO3 release.

Security updates

With the recent boom in AI-assisted security scanning, PyO3 has inevitably had several correctness issues exposed by AI-assisted scanning.

In particular, PyO3 0.29 fixes two security vulnerabilities we will be releasing to the RustSec Advisory Database imminently:

• Missing Sync bound on PyCFunction::new_closure closures
• Possible out of bounds read in BoundTupleIterator::nth_back and BoundListIterator::nth_back

Any code using the above APIs is advised to update as soon as possible.

This release also contains several other minor breaking changes to close soundness holes uncovered by AI-assisted scanning. Our assessment as maintainers was that, excluding the two vulnerability cases listed above, these correctness issues would likely have crashed immediately upon user testing rather than leading to attacker-exploitable pathways. We nevertheless wanted to see them closed without the usual deprecation cycle. These cases are noted in the migration guide.

Other major themes in this release

New in this release is a CLI in pyo3-introspection to generate type stubs along with the experimental-inspect feature. Downstream, maturin has also gained support to generate type stubs using the feature. The feature is reaching a point where substantial amount of type stubs can be generated automatically. We would like to encourage users to begin using this feature and helping us find what functionality is missing, with a hope we can declare its API stable given sufficient feedback.

A substantial amount of effort has been invested in pyo3-ffi as part of the process of extending it with 3.15's new APIs. There have been many missing APIs from older Python versions added. There have also been a number of fixes to incorrect definitions (these are breaking changes, but also necessary for correctness); we hope there will be far fewer such cases in the future due to more comprehensive checking added to PyO3's CI. Finally, many private CPython APIs (those with _Py underscore-named prefix) have been removed from pyo3-ffi's public API.

In closing

There are also many other incremental improvements, bug fixes and smaller features; full detail can be found in the CHANGELOG.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following contributors' commits are included in this release:

@​Alc-Alc @​alex @​anuraaga @​BD103 @​bschoenmaeckers @​Cheukting @​chirizxc @​ChristopherRabotin @​clin1234 @​codeguru42 @​davidhewitt

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.29.0] - 2026-06-11

Packaging

• Support the new PEP 803 abi3t ABI with new abi3t and abi3t-py315 features. #5807
• pyo3-macros-backend no longer depends on pyo3-build-config. #5809
• Drop support for Python 3.13t (3.14t and above continue to be supported; CPython declared free-threading supported starting with Python 3.14). #5865
• Drop support for Python 3.7. #5912
• Extend range of supported versions of hashbrown optional dependency to include version 0.17. #5973
• Support Python 3.15.0b1. #6014
• pyo3-ffi is now no_std. #6022

Added

• Add PyErr::set_traceback to set the traceback of an exception object. #5349
• Add PyUnicodeDecodeError::new_err_from_utf8 to create a PyErr from a str::Utf8Error. #5668
• experimental-inspect: implement INPUT_TYPE and OUTPUT_TYPE on optional third-party crate conversions. #5770
• experimental-inspect: include doc comments in generated stubs. #5782
• Add pyo3_build_config::PythonAbi, pyo3_build_config::PythonAbiKind, pyo3_build_config::PythonAbiBuilder, pyo3_build_config::InterpreterConfig::target_abi, and pyo3_build_config::InterpreterConfigBuilder::target_abi. #5807
• Add Borrowed::get as an equivalent to Bound::get and Py::get. #5849
• Add PyFrame::new, PyTraceBack::new, and PyFrameMethods::line_number. #5857
• Add PyUntypedBuffer::obj to retrieve the Python object owning the buffer. #5870
• Add PyCapsule::new_with_value and PyCapsule::new_with_value_and_destructor. #5881
• Add PyErr::set_context and PyErr::context. #5887
• Add a small CLI to pyo3-introspection to generate stubs. #5904
• Add Python::version_str. #5921
• Add TryFrom<&Bound<T>> for PyRef<T>, PyRefMut<T>, PyClassGuard<T> and PyClassGuardMut<T>. #5922
• Add From<&Bound<T>> for Bound<T> and Py<T> #5922
• Add PyDictMethods::set_default and PyDictMethods::set_default_ref to allow atomically setting default values in a PyDict. #5955
• add PyFrameMethods::outer|code|var|builtins|globals|locals. #5967
• Add From conversions for PyErr from std::time::TryFromFloatSecsError, std::time::SystemTimeError, std::path::StripPrefixError, std::env::JoinPathsError, std::char::ParseCharError, and std::char::CharTryFromError. #6001
• Add pyo3_build_config::InterpreterConfigBuilder. #6034
• Add PyCapsule::import_pointer #6066
• Add PyClassGuardMapMut. #6073
• Expose PyListMethods::get_item_unchecked, PyTupleMethods::get_item_unchecked, and PyTupleMethods::get_borrowed_item_unchecked on abi3. #6075
• Add PyClassGuardMapSuper. #6104
• Add PyClassGuard and PyClassGuardMut to pyo3::prelude. #6112
• Add Debug impls for PyClassGuard and PyClassGuardMut. #6112
• Enable extending PyDateTime, PyDate, PyTime, PyDelta and PyTzInfo on abi3 with python 3.12+. #6115
• Expose PyFunction available on abi3. #6117
• FFI definitions:
  • Added FFI definitions PyUnstable_Object_IsUniquelyReferenced, PyUnstable_Object_IsUniquelyReferencedTemporary, PyUnstable_EnableTryIncref, and PyUnstable_TryIncref. #5828
  • Add FFI definitions ffi::PyErr_GetHandledException and ffi::PyErr_SetHandledException. #5887
  • Add FFI definition Py_HASH_SIPHASH13. #5891
  • Add FFI definition PyStructSequence_UnnamedField constant on Python 3.9 and up (or 3.11 with abi3 features). #5892
  • Add FFI definitions PyUnstable_InterpreterFrame_GetCode, PyUnstable_InterpreterFrame_GetLasti, PyUnstable_InterpreterFrame_GetLine, and PyUnstable_ExecutableKinds. #5932
  • Add FFI definitions PyMarshal_WriteLongToFile, PyMarshal_WriteObjectToFile, PyMarshal_ReadLongFromFile, PyMarshal_ReadShortFromFile, PyMarshal_ReadObjectFromFile, and PyMarshal_ReadLastObjectFromFile. #5934
  • Add FFI definitions PyObject_GetAIter, PyAIter_Check, PyMapping_HasKeyWithError, PyMapping_HasKeyStringWithError, PyMapping_GetOptionalItem, PyMapping_GetOptionalItemString, PySequence_ITEM, PySequence_Fast_GET_SIZE, PySequence_Fast_GET_ITEM, and PySequence_Fast_ITEMS. #5942
  • Add FFI definition compat::PyObject_HasAttrWithError. #5944
  • Add FFI definitions PyDict_SetDefault, PyDict_SetDefaultRef, PyDict_ContainsString, PyDict_Pop, PyDict_PopString, PyDict_ClearWatcher, PyDict_Watch, PyDict_Unwatch, and PyFrozenDict_New. #5947

... (truncated)

Commits

• 0f90242 release: 0.29.0 (#6107)
• cd128ed doc: mention abi3t, python3t.dll, and abi3t_compat folder in FAQ (#6124)
• 7e2ef18 Avoid type checks in methods where CPython already guarantees the received ty...
• f930199 docs: additional detail in migration guide for 0.29 (#6123)
• 91ab0d1 Enable Windows abi3t tests (#6106)
• fe0fdd5 add PyLong* API (3.14+) (#6016)
• f41b1df Hang when reattaching after detach during shutdown (#6085)
• 5ae66a8 Fix double import on RustPython (#6122)
• ad4a510 PyFunction: enable some extra tests with abi3 (#6118)
• c79ac0e ci: Add test for minimum supported debug build of Python (#5852)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
PyO3 minor upgrades can break extension builds or runtime behavior; 0.29 also drops some Python versions and includes breaking API changes, though this repo only changes the version pin.

Overview
Bumps the workspace PyO3 dependency from 0.28.2 to 0.29.0 in Cargo.toml and refreshes Cargo.lock for the pyo3 crate family (pyo3-build-config, pyo3-ffi, pyo3-macros, pyo3-macros-backend). There are no Rust source changes in this PR.

This affects the wheel package (clvm_rs), which links PyO3 with abi3-py310 and extension-module. Upstream 0.29 includes security fixes, Python 3.15/abi3t support, dropped Python 3.7 (and 3.13t), and possible API/soundness breaking changes per the migration guide—worth confirming the Python extension still builds and tests pass on your supported Python versions.

^{Reviewed by Cursor Bugbot for commit cb35a90. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​pyo3@​0.28.2 ⏵ 0.29.0	+2

View full report

[coveralls-official]

Coverage Report for CI Build 27438887934

Coverage remained the same at 88.002%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	9368
Covered Lines:	8244
Line Coverage:	88.0%
Coverage Strength:	21863653.18 hits per line

---

💛 - Coveralls