Bump pyo3 from 0.25.1 to 0.28.2

[dependabot]

Bumps pyo3 from 0.25.1 to 0.28.2.

Release notes

Sourced from pyo3's releases.

PyO3 0.28.2

This patch release contains a soundness fix for subclassing native types such as PyList with the abi3 feature enabled when targeting a minimum version of Python 3.12 or higher. (Support for doing such subclassing was newly added in PyO3 0.28.0.)

PyO3 0.28.0 and 0.28.1 will be yanked.

This release also contains a correction to the FFI definition PyType_GetTypeDataSize and incorrectly-generated __qualname__ on #[pyclass] enum variant types when using #[pyo3(name = "...")] option to rename the enum and/or variant.

Thank you to the following contributors for the improvements:

@​davidhewitt @​Icxolu @​ngoldbaum

PyO3 0.28.1

This patch contains a number of minor compile-time fixes for PyO3 0.28.0.

Thank you to the following contributors for the improvements:

@​davidhewitt @​funsafemath @​ngoldbaum @​rara64 @​tdyas

PyO3 0.28.0

This release contains many improvements across PyO3's feature set:

• Proper support for __init__ methods for #[pyclass] types
• Support for #[deleter]s to complement the existing #[getter] and #[setter] attributes when implementing class "properties".
• Support for subclassing many Python types with the abi3 feature (requires Python 3.12+).
• A new #[pyclass(new = "from_fields")] option to automatically define the constructor from the class fields.
• Many corrections to FFI definitions (including removal of many private CPython methods)
• Many improvements to the experimental-inspect feature's functionality.

The minimum supported Rust version has been increased to Rust 1.83.

This release also switches #[pymodule] to use PEP 489 multi-phase initialization internally. This should have no immediate functional impact other than preparing PyO3 to support newer technologies such as Python subinterpreters.

There are also many other incremental improvements, bug fixes and smaller features; full detail can be found in the CHANGELOG.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following contributors' commits are included in this release:

@​ABorgna @​ahlinc @​alex @​altendky @​bazaah @​bschoenmaeckers @​chirizxc

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.28.2] - 2026-02-18

Fixed

• Fix complex enum __qualname__ not using python name #5815
• Fix FFI definition PyType_GetTypeDataSize (was incorrectly named PyObject_GetTypeDataSize). #5819
• Fix memory corruption when subclassing native types with abi3 feature on Python 3.12+ (newly enabled in PyO3 0.28.0). #5823

[0.28.1] - 2026-02-14

Fixed

• Fix *args / **kwargs support in experimental-async feature (regressed in 0.28.0). #5771
• Fix clippy::declare_interior_mutable_const warning inside #[pyclass] generated code on enums. #5772
• Fix ambiguous_associated_items compilation error when deriving FromPyObject or using #[pyclass(from_py_object)] macro on enums with Error variant. #5784
• Fix __qualname__ for complex #[pyclass] enum variants to include the enum name. #5796
• Fix missing std::sync::atomic::Ordering import for targets without atomic64. #5808

[0.28.0] - 2026-02-01

Packaging

• Bump MSRV to Rust 1.83. #5531
• Bump minimum supported quote version to 1.0.37. #5531
• Bump supported GraalPy version to 25.0. #5542
• Drop memoffset dependency. #5545
• Support for free-threaded Python is now opt-out rather than opt-in. #5564
• Bump target-lexicon dependency to 0.13.3. #5571
• Drop indoc and unindent dependencies. #5608

Added

• Add __init__ support in #[pymethods]. #4951
• Expose PySuper on PyPy, GraalPy and ABI3 #4951
• Add PyString::from_fmt and py_format! macro. #5199
• Add #[pyclass(new = "from_fields")] option. #5421
• Add pyo3::buffer::PyUntypedBuffer, a type-erased form of PyBuffer<T>. #5458
• Add PyBytes::new_with_writer #5517
• Add PyClass::NAME. #5579
• Add pyo3_build_config::add_libpython_rpath_link_args. #5624
• Add PyBackedStr::clone_ref and PyBackedBytes::clone_ref methods. #5654
• Add PyCapsule::new_with_pointer and PyCapsule::new_with_pointer_and_destructor for creating capsules with raw pointers. #5689
• Add #[deleter] attribute to implement property deleters in #[methods]. #5699
• Add IntoPyObject and FromPyObject implementations for uuid::NonNilUuid. #5707
• Add PyBackedStr::as_str and PyBackedStr::as_py_str methods. #5723
• Add support for subclassing native types (PyDict, exceptions, ...) when building for abi3 on Python 3.12+. #5733
• Add support for subclassing PyList when building for Python 3.12+. #5734
• FFI definitions:
  • Add FFI definitions PyEval_GetFrameBuiltins, PyEval_GetFrameGlobals and PyEval_GetFrameLocals on Python 3.13 and up. #5590
  • Add FFI definitions PyObject_New, PyObject_NewVar, PyObject_GC_Resize, PyObject_GC_New, and PyObject_GC_NewVar. #5591

... (truncated)

Commits

• 2b392c8 release: 0.28.2
• 7e44c1d fix complex enum __qualname__ not using python name (#5815)
• 75abd86 fix memory corruption when subclassing variable-size types (e.g. abi3 + 3.1...
• b62c7a2 Fix typo in PyType_GetTypeDataSize bindings (#5819)
• 45f49ff release: 0.28.1
• 56c34d6 Document Py_GIL_DISABLED in pyo3-build-config docs (#5810)
• 92bc9ef Avoid unused variable warning with a debug Python build (#5811)
• ca5df1a ci: re-enable list_get_item_unchecked benchmark on free-threaded build (#5812)
• 413d9b5 Fix missing std::sync::atomic::Ordering import for targets without atomic64...
• 1c764cd docs: improve messaging around #[pyclass(from_py_object)] change (#5798)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

^{Cursor Bugbot is generating a summary for commit 193191e. Configure here.}

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​pyo3@​0.25.1 ⏵ 0.28.2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: cargo target-lexicon License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (target-lexicon-0.13.5/LICENSE) From: ? → cargo/pyo3@0.28.2 → cargo/pyo3-build-config@0.24.1 → cargo/target-lexicon@0.13.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/target-lexicon@0.13.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Missing gil_used annotation for unsendable pyclass

Medium Severity

Bumping pyo3 to 0.28 changes the default #[pymodule] behavior: modules now advertise free-threaded Python support (gil_used = false) by default. The chialisp module uses #[pyclass(unsendable)] on PythonRunStep, which is explicitly not thread-safe. Without adding #[pymodule(gil_used = true)] to the module declaration, the module incorrectly advertises free-threading compatibility to the Python runtime, which can cause runtime panics on free-threaded Python 3.13+ builds when PythonRunStep is accessed concurrently.