From 379381aa1f08b6905b0628ab30f613288e4d7f3b Mon Sep 17 00:00:00 2001
From: Ray Walker
Date: Mon, 15 Jun 2026 17:59:20 +1000
Subject: [PATCH] fix(deps): bump pyo3 to 0.29 to clear RUSTSEC-2026-0176 and -0177
cargo-audit (Vulnerability Scan) and cargo-deny (License & Supply Chain) fail on two pyo3 0.25.1 advisories published 2026-06-11, both patched in pyo3 0.29.0: RUSTSEC-2026-0176 - out-of-bounds read in PyList/PyTuple nth / nth_back RUSTSEC-2026-0177 - missing Sync bound on PyCFunction::new_closure closures This is a baseline failure on main and every open PR; it is not caused by any one change. Neither affected API is used by cachekit-rs (no new_closure, no .nth/.nth_back on PyList/PyTuple), so the advisories are not reachable here, but upgrading to the patched line is the clean fix rather than ignoring them. pyo3 0.25 -> 0.29 needs one source change: Python::with_gil was renamed to Python::attach (GIL / free-threaded terminology). numpy in [workspace.dependencies] is unused by the rust crate, so no coordinated numpy bump is required. Validated: cargo check clean; extension rebuilt against 0.29; 255 critical FFI tests pass (encryption, serializers, backward-compat); rustfmt clean. Lock change is pyo3-family only.
---
 Cargo.lock | 59 ++++++++++--------------------------
 Cargo.toml | 2 +-
 rust/src/python_bindings.rs | 3 +-
 3 files changed, 18 insertions(+), 46 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index a2276ec..6863739 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -643,7 +643,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
 "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -829,15 +829,6 @@ dependencies = [
 "hashbrown",
 ]
-[[package]]
-name = "indoc"
-version = "2.0.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79cf5c93f93228cf8efb3ba362535fb11199ac548a09ce117c9b1adc3030d706"
-dependencies = [
- "rustversion",
-]
-
 [[package]]
 name = "inferno"
 version = "0.11.21"
@@ -873,7 +864,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
 "hermit-abi",
 "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -970,15 +961,6 @@ dependencies = [
 "libc",
 ]
-[[package]]
-name = "memoffset"
-version = "0.9.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a"
-dependencies = [
- "autocfg",
-]
-
 [[package]]
 name = "miniz_oxide"
 version = "0.8.9"
@@ -1234,36 +1216,32 @@ dependencies = [
 [[package]]
 name = "pyo3"
-version = "0.25.1"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8970a78afe0628a3e3430376fc5fd76b6b45c4d43360ffd6cdd40bdde72b682a"
+checksum = "cd274650b21d4bfc26a0a47587962c1edb425f69287324355cd040c3ea66071c"
 dependencies = [
- "indoc",
 "libc",
- "memoffset",
 "once_cell",
 "portable-atomic",
 "pyo3-build-config",
 "pyo3-ffi",
 "pyo3-macros",
- "unindent",
 ]
 [[package]]
 name = "pyo3-build-config"
-version = "0.25.1"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "458eb0c55e7ece017adeba38f2248ff3ac615e53660d7c71a238d7d2a01c7598"
+checksum = "c5e2a7d2f0d013342f295c048ad19237add5154a55b1c5a254c0ec93d4109078"
 dependencies = [
- "once_cell",
 "target-lexicon",
 ]
 [[package]]
 name = "pyo3-ffi"
-version = "0.25.1"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7114fe5457c61b276ab77c5055f206295b812608083644a5c5b2640c3102565c"
+checksum = "ca85c467da1bbc8d866eea5deff9cf29ea5f7785054a17da36e65bda9c05845b"
 dependencies = [
 "libc",
 "pyo3-build-config",
@@ -1271,9 +1249,9 @@ dependencies = [
 [[package]]
 name = "pyo3-macros"
-version = "0.25.1"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8725c0a622b374d6cb051d11a0983786448f7785336139c3c94f5aa6bef7e50"
+checksum = "9ac53762fd065daa3194dd09337a38bd793a188100fd1a9304c4ab312d901771"
 dependencies = [
 "proc-macro2",
 "pyo3-macros-backend",
@@ -1283,13 +1261,12 @@ dependencies = [
 [[package]]
 name = "pyo3-macros-backend"
-version = "0.25.1"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4109984c22491085343c05b0dbc54ddc405c3cf7b4374fc533f5c3313a572ccc"
+checksum = "4ca3a1557399783172dc5bf39cfca835157732532cba56b71d2292161e53b362"
 dependencies = [
 "heck",
 "proc-macro2",
- "pyo3-build-config",
 "quote",
 "syn",
 ]
@@ -1506,7 +1483,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys 0.12.1",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -1716,7 +1693,7 @@ dependencies = [
 "getrandom 0.3.4",
 "once_cell",
 "rustix 1.1.4",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -1842,12 +1819,6 @@ version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
-[[package]]
-name = "unindent"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7264e107f553ccae879d21fbea1d6724ac785e8c3bfc762137959b5802826ef3"
-
 [[package]]
 name = "universal-hash"
 version = "0.5.1"
@@ -2009,7 +1980,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index 87a618b..b17206d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,7 +4,7 @@ members = ["rust"]
 exclude = ["rust/fuzz"]
 [workspace.dependencies]
-pyo3 = { version = "0.25", features = ["extension-module"] }
+pyo3 = { version = "0.29", features = ["extension-module"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 bincode = "1.3"
diff --git a/rust/src/python_bindings.rs b/rust/src/python_bindings.rs
index 674e857..f94ad76 100644
--- a/rust/src/python_bindings.rs
+++ b/rust/src/python_bindings.rs
@@ -187,7 +187,8 @@ impl PyZeroKnowledgeEncryptor {
 encryption_time_micros: metrics.encryption_time_micros,
 hardware_accelerated: metrics.hardware_accelerated,
 };
- Python::with_gil(|py| Py::new(py, py_metrics))
+ // pyo3 0.29 renamed Python::with_gil -> Python::attach (GIL/free-threaded terminology).
+ Python::attach(|py| Py::new(py, py_metrics))
 }
 }
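Review bot: The comment added above `Python::attach` in python_bindings.rs records the API rename rather than what the line does, so it becomes noise the moment 0.29 is the baseline; the rename is already captured in the commit message and blame history. Either drop it or replace it with an intent comment, e.g. `// Attach to the interpreter to hand the metrics back as a Python-owned object.`. The enclosing method starts outside the hunk, so whether its signature or error mapping also needed touching for 0.29 is not visible here. Separately, the description states the lock change is pyo3-family only, but the Cargo.lock hunks at -643, -873, -1506, -1716 and -2009 also move `windows-sys` from 0.59.0 to 0.61.2 in five packages; since the motivation is a cargo-deny supply-chain gate, that transitive bump should be named in the description so the lock review actually covers what changed.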