fix: update pyo3 to 0.29.0 and fix dependabot config#108
Conversation
- Bump pyo3 from 0.28.3 to 0.29.0 to address security advisory (affected: < 0.29.0) - Bump pyo3-async-runtimes from 0.28.0 to 0.29.0 to match pyo3 version - Fix dependabot.yml: set package-ecosystem to "cargo", fix typo "dayli" -> "weekly", point to workspace root "/" so Dependabot can resolve workspace members correctly Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe Dependabot configuration is corrected to use the ChangesConfig and Dependency Updates
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request configures Dependabot to monitor Cargo dependencies on a weekly schedule and updates the pyo3 and pyo3-async-runtimes dependency versions in Cargo.toml. I have no feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
Pull request overview
Updates Rust/Python binding dependencies to address a PyO3 security advisory and repairs the Dependabot config so it can generate Cargo workspace updates reliably.
Changes:
- Bump
pyo3to0.29.0and alignpyo3-async-runtimesto0.29.0incrates/bindings_pyo3. - Fix Dependabot config by setting
package-ecosystem: "cargo"and correcting the schedule interval typo.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
crates/bindings_pyo3/Cargo.toml |
Updates PyO3-related dependency versions to the patched release. |
.github/dependabot.yml |
Fixes invalid ecosystem configuration and schedule interval for Dependabot Cargo updates. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - package-ecosystem: "cargo" | ||
| directory: "/" |
Summary
pyo3from0.28.3to0.29.0to address a security advisory (affected versions:< 0.29.0)pyo3-async-runtimesfrom0.28.0to0.29.0to stay in sync with pyo3.github/dependabot.yml: setspackage-ecosystem: "cargo"(was empty string), corrects typo"dayli"→"weekly", and points to the workspace root/so Dependabot can properly resolve workspace member cratesWhy this matters
The previous
dependabot.ymlwas a broken placeholder, causing Dependabot's security update job to target/crates/bindings_pyo3as a standalone directory. Since that crate uses workspace-inherited dependencies, Dependabot's parser failed with "No Cargo.toml!" because it couldn't resolve the workspace root. Pointing Dependabot to/fixes this.Test plan
🤖 Generated with Claude Code
Summary by CodeRabbit