
Bump pyo3 from 0.27.1 to 0.28.2 #1387

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/pyo3-0.28.2

Conversation

Contributor

@dependabot dependabot Bot commented on behalf of github Mar 6, 2026

Bumps pyo3 from 0.27.1 to 0.28.2.

Release notes

Sourced from pyo3's releases.

PyO3 0.28.2

This patch release contains a soundness fix for subclassing native types such as PyList with the abi3 feature enabled when targeting a minimum version of Python 3.12 or higher. (Support for doing such subclassing was newly added in PyO3 0.28.0.)

PyO3 0.28.0 and 0.28.1 will be yanked.

This release also contains a correction to the FFI definition PyType_GetTypeDataSize and incorrectly-generated __qualname__ on #[pyclass] enum variant types when using #[pyo3(name = "...")] option to rename the enum and/or variant.

Thank you to the following contributors for the improvements:

@davidhewitt @Icxolu @ngoldbaum

PyO3 0.28.1

This patch contains a number of minor compile-time fixes for PyO3 0.28.0.

Thank you to the following contributors for the improvements:

@davidhewitt @funsafemath @ngoldbaum @rara64 @tdyas

PyO3 0.28.0

This release contains many improvements across PyO3's feature set:

  • Proper support for __init__ methods for #[pyclass] types
  • Support for #[deleter]s to complement the existing #[getter] and #[setter] attributes when implementing class "properties".
  • Support for subclassing many Python types with the abi3 feature (requires Python 3.12+).
  • A new #[pyclass(new = "from_fields")] option to automatically define the constructor from the class fields.
  • Many corrections to FFI definitions (including removal of many private CPython methods)
  • Many improvements to the experimental-inspect feature's functionality.

The minimum supported Rust version has been increased to Rust 1.83.

This release also switches #[pymodule] to use PEP 489 multi-phase initialization internally. This should have no immediate functional impact other than preparing PyO3 to support newer technologies such as Python subinterpreters.

There are also many other incremental improvements, bug fixes and smaller features; full detail can be found in the CHANGELOG.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following contributors' commits are included in this release:

@ABorgna @ahlinc @alex @altendky @bazaah @bschoenmaeckers @chirizxc

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.28.2] - 2026-02-18

Fixed

  • Fix complex enum __qualname__ not using python name #5815
  • Fix FFI definition PyType_GetTypeDataSize (was incorrectly named PyObject_GetTypeDataSize). #5819
  • Fix memory corruption when subclassing native types with abi3 feature on Python 3.12+ (newly enabled in PyO3 0.28.0). #5823

[0.28.1] - 2026-02-14

Fixed

  • Fix *args / **kwargs support in experimental-async feature (regressed in 0.28.0). #5771
  • Fix clippy::declare_interior_mutable_const warning inside #[pyclass] generated code on enums. #5772
  • Fix ambiguous_associated_items compilation error when deriving FromPyObject or using #[pyclass(from_py_object)] macro on enums with Error variant. #5784
  • Fix __qualname__ for complex #[pyclass] enum variants to include the enum name. #5796
  • Fix missing std::sync::atomic::Ordering import for targets without atomic64. #5808

[0.28.0] - 2026-02-01

Packaging

  • Bump MSRV to Rust 1.83. #5531
  • Bump minimum supported quote version to 1.0.37. #5531
  • Bump supported GraalPy version to 25.0. #5542
  • Drop memoffset dependency. #5545
  • Support for free-threaded Python is now opt-out rather than opt-in. #5564
  • Bump target-lexicon dependency to 0.13.3. #5571
  • Drop indoc and unindent dependencies. #5608

Added

  • Add __init__ support in #[pymethods]. #4951
  • Expose PySuper on PyPy, GraalPy and ABI3 #4951
  • Add PyString::from_fmt and py_format! macro. #5199
  • Add #[pyclass(new = "from_fields")] option. #5421
  • Add pyo3::buffer::PyUntypedBuffer, a type-erased form of PyBuffer<T>. #5458
  • Add PyBytes::new_with_writer #5517
  • Add PyClass::NAME. #5579
  • Add pyo3_build_config::add_libpython_rpath_link_args. #5624
  • Add PyBackedStr::clone_ref and PyBackedBytes::clone_ref methods. #5654
  • Add PyCapsule::new_with_pointer and PyCapsule::new_with_pointer_and_destructor for creating capsules with raw pointers. #5689
  • Add #[deleter] attribute to implement property deleters in #[methods]. #5699
  • Add IntoPyObject and FromPyObject implementations for uuid::NonNilUuid. #5707
  • Add PyBackedStr::as_str and PyBackedStr::as_py_str methods. #5723
  • Add support for subclassing native types (PyDict, exceptions, ...) when building for abi3 on Python 3.12+. #5733
  • Add support for subclassing PyList when building for Python 3.12+. #5734
  • FFI definitions:
    • Add FFI definitions PyEval_GetFrameBuiltins, PyEval_GetFrameGlobals and PyEval_GetFrameLocals on Python 3.13 and up. #5590
    • Add FFI definitions PyObject_New, PyObject_NewVar, PyObject_GC_Resize, PyObject_GC_New, and PyObject_GC_NewVar. #5591

... (truncated)

Commits
  • 2b392c8 release: 0.28.2
  • 7e44c1d fix complex enum __qualname__ not using python name (#5815)
  • 75abd86 fix memory corruption when subclassing variable-size types (e.g. abi3 + 3.1...
  • b62c7a2 Fix typo in PyType_GetTypeDataSize bindings (#5819)
  • 45f49ff release: 0.28.1
  • 56c34d6 Document Py_GIL_DISABLED in pyo3-build-config docs (#5810)
  • 92bc9ef Avoid unused variable warning with a debug Python build (#5811)
  • ca5df1a ci: re-enable list_get_item_unchecked benchmark on free-threaded build (#5812)
  • 413d9b5 Fix missing std::sync::atomic::Ordering import for targets without atomic64...
  • 1c764cd docs: improve messaging around #[pyclass(from_py_object)] change (#5798)
  • Additional commits viewable in compare view


Note

Medium Risk
Upgrades the Rust↔Python FFI/macro dependency (pyo3) across the workspace, which can affect build compatibility and generated Python bindings behavior. Lockfile changes also alter transitive dependencies, so CI/build matrix (incl. MSRV) may shift.

Overview
Updates the workspace dependency on pyo3 from 0.27.1 to 0.28.2.

Refreshes Cargo.lock to the resolved pyo3 0.28.3 ecosystem (pyo3-* crates) and drops now-unneeded transitive crates (memoffset, unindent), along with a small target-lexicon bump.

Written by Cursor Bugbot for commit bbc2b57. This will update automatically on new commits.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and rust (Pull requests that update Rust code) Mar 6, 2026

socket-security Bot commented Mar 6, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                       Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  cargo/pyo3@0.27.1 ⏵ 0.28.3    82                     100            100      100          100


socket-security Bot commented Mar 6, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn    High      License policy violation: cargo/target-lexicon

License: Apache-2.0 WITH LLVM-exception - the applicable license policy does not allow this license exception (target-lexicon-0.13.5/LICENSE)

From: cargo/pyo3@0.28.3 → cargo/target-lexicon@0.13.5

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/target-lexicon@0.13.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@dependabot dependabot Bot force-pushed the dependabot/cargo/pyo3-0.28.2 branch 2 times, most recently from 62b852f to 0b97ddb on March 16, 2026 10:06
@dependabot dependabot Bot force-pushed the dependabot/cargo/pyo3-0.28.2 branch 2 times, most recently from 230db97 to 40ee9d3 on March 24, 2026 23:48
@dependabot dependabot Bot force-pushed the dependabot/cargo/pyo3-0.28.2 branch from 40ee9d3 to f1fad2d on March 31, 2026 11:19
Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.27.1 to 0.28.2.
- [Release notes](https://github.com/pyo3/pyo3/releases)
- [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md)
- [Commits](PyO3/pyo3@v0.27.1...v0.28.2)

---
updated-dependencies:
- dependency-name: pyo3
  dependency-version: 0.28.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/pyo3-0.28.2 branch from f1fad2d to bbc2b57 on April 2, 2026 11:16