fix(deps): bump pyo3 to 0.29 to clear RUSTSEC-2026-0176 and -0177#183

Merged
27Bslash6 merged 1 commit into
mainfrom
security/pyo3-rustsec-2026-0176-0177
Jun 15, 2026
Conversation

27Bslash6 (Contributor) commented Jun 15, 2026

Problem

The Vulnerability Scan (cargo audit) and License & Supply Chain (cargo deny) checks fail — and Security Fast Success (a required check) rolls them up — on two pyo3 0.25.1 advisories published 2026-06-11, both patched in pyo3 0.29.0:

  • RUSTSEC-2026-0176 — out-of-bounds read in PyList/PyTuple nth/nth_back
  • RUSTSEC-2026-0177 — missing Sync bound on PyCFunction::new_closure closures

This is a baseline failure on main and every open PR (e.g. #182), not caused by any individual change — the advisories simply landed in the RustSec DB.

Fix

Bump pyo3 0.25 → 0.29 (the patched line). Neither affected API is used by cachekit-rs (verified: no new_closure, no .nth/.nth_back on PyList/PyTuple), so the advisories aren't reachable here — but upgrading is the clean fix rather than suppressing them.

  • One source change: Python::with_gil → Python::attach (the 0.29 GIL/free-threaded rename).
  • numpy in [workspace.dependencies] is unused by the rust crate, so no coordinated numpy bump is needed; lock change is pyo3-family only.

Validation

  • cargo check -p cachekit-rs clean; cargo fmt --check clean.
  • Extension rebuilt against pyo3 0.29; 255 critical FFI tests pass (encryption integration/wrapper, serializers, backward-compat).
  • pyo3 0.29.0 ≥ both advisories' patched version → cargo audit + cargo deny advisories clear.

Note

Unblocks all open cachekit-py PRs. Branches already open (e.g. #182) will go green once they pick up this Cargo.lock (merge main / rebase after this lands).

Summary by CodeRabbit

Release Notes

  • Chores

    • Updated Python bindings dependency from version 0.25 to 0.29, improving stability, performance and compatibility with current Python runtime environments.
  • Refactor

    • Modernised encryption metrics retrieval to utilise latest Python integration best practices.

cargo-audit (Vulnerability Scan) and cargo-deny (License & Supply Chain) fail
on two pyo3 0.25.1 advisories published 2026-06-11, both patched in pyo3 0.29.0:

  RUSTSEC-2026-0176 - out-of-bounds read in PyList/PyTuple nth / nth_back
  RUSTSEC-2026-0177 - missing Sync bound on PyCFunction::new_closure closures

This is a baseline failure on main and every open PR; it is not caused by any
one change. Neither affected API is used by cachekit-rs (no new_closure, no
.nth/.nth_back on PyList/PyTuple), so the advisories are not reachable here, but
upgrading to the patched line is the clean fix rather than ignoring them.

pyo3 0.25 -> 0.29 needs one source change: Python::with_gil was renamed to
Python::attach (GIL / free-threaded terminology). numpy in [workspace.dependencies]
is unused by the rust crate, so no coordinated numpy bump is required.

Validated: cargo check clean; extension rebuilt against 0.29; 255 critical FFI
tests pass (encryption, serializers, backward-compat); rustfmt clean. Lock change
is pyo3-family only.
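An added example, not part of this PR or of cachekit-rs: a small Python check that reads a Cargo.lock and reports every crate whose resolved version sits below an advisory's patched floor, the kind of guard that flags the pre-bump lock this PR replaces before cargo audit does. The lock text is constructed to mimic the pre-bump state described above; the 0.29.0 floor is the patched version named in the PR description; the function names and the PATCHED table are assumptions. Pre-release versions (0.29.0-beta.1 and the like) are ordered below the release so they are not mistaken for a patched build.

```python
"""Report crates in a Cargo.lock that are below an advisory's patched version.

Added example, not code from the PR or the cachekit-rs project. The advisory
floor (pyo3 patched in 0.29.0) comes from the PR description; everything else
here is an assumption for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape cargo writes: the pre-bump state (pyo3 0.25.1).
CARGO_LOCK_BEFORE = """\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "cachekit-rs"
version = "0.1.0"
dependencies = [
 "pyo3",
]

[[package]]
name = "pyo3"
version = "0.25.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "pyo3-ffi",
]

[[package]]
name = "pyo3-ffi"
version = "0.25.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Assumed advisory table: crate name -> first version that carries the fix.
PATCHED: Dict[str, str] = {"pyo3": "0.29.0"}

_PACKAGE_HEADER = re.compile(r"^\[\[package\]\][ \t]*$", re.M)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.29.0' into a comparable tuple.

    Build metadata after '+' is ignored. A pre-release ('-beta.1') gets a
    trailing 0 and a release a trailing 1, so 0.29.0-beta.1 < 0.29.0 and a
    pre-release is never treated as already patched.
    """
    base = v.split("+", 1)[0]
    core, _, pre = base.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    return nums + ((0,) if pre else (1,))


def parse_lock(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every [[package]] entry, duplicates included.

    Cargo may resolve one crate at several versions; each entry is reported
    separately so an old copy cannot hide behind a newer one.
    """
    packages = []
    # The first chunk is the file preamble (comment + lock format version).
    for chunk in _PACKAGE_HEADER.split(text)[1:]:
        name = re.search(r'^name = "([^"]+)"', chunk, re.M)
        version = re.search(r'^version = "([^"]+)"', chunk, re.M)
        if name and version:
            packages.append((name.group(1), version.group(1)))
    return packages


def vulnerable_packages(text: str, patched: Dict[str, str] = PATCHED) -> List[Tuple[str, str]]:
    """List lock entries whose version is below the patched floor for that crate."""
    return [
        (name, version)
        for name, version in parse_lock(text)
        if name in patched and parse_version(version) < parse_version(patched[name])
    ]


if __name__ == "__main__":
    for name, version in vulnerable_packages(CARGO_LOCK_BEFORE):
        print(f"{name} {version} is below patched floor {PATCHED[name]}")
```

Pointing the same function at a real lock file (open and read it, then call vulnerable_packages) gives an empty list once the bump in this PR is picked up, which is the same condition cargo audit is checking, minus the advisory database lookup.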
coderabbitai (bot) commented Jun 15, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 16f38d0a-1bb5-4928-b4f1-d26976c08893

📥 Commits

Reviewing files that changed from the base of the PR and between 4cb00df and 379381a.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • Cargo.toml
  • rust/src/python_bindings.rs

Walkthrough

The pyo3 workspace dependency is bumped from version 0.25 to 0.29 in Cargo.toml. The corresponding breaking API change is applied in rust/src/python_bindings.rs, replacing Python::with_gil(...) with Python::attach(...) when constructing the PyOperationMetrics return value in PyZeroKnowledgeEncryptor::get_last_metrics.

Changes

PyO3 0.29 upgrade and API migration

Layer: Dependency bump and with_gil → attach migration
File(s): Cargo.toml, rust/src/python_bindings.rs
Summary: pyo3 workspace dependency updated from 0.25 to 0.29; Python::with_gil(...) replaced with Python::attach(...) in the encryption bindings to align with the new pyo3 API.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Title check: Passed. The title clearly and concisely identifies the main change: bumping pyo3 to version 0.29 to resolve specific security advisories (RUSTSEC-2026-0176 and -0177).
Description check: Passed. The description comprehensively covers the problem (two pyo3 advisories), the fix (version bump and one API change), and validation results, though the Type of Change and most checkboxes are not explicitly checked.
Docstring Coverage: Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@27Bslash6 27Bslash6 merged commit beffbfc into main Jun 15, 2026
33 checks passed
@27Bslash6 27Bslash6 deleted the security/pyo3-rustsec-2026-0176-0177 branch June 15, 2026 08:10