cargo pyo3 0.29.0
PyO3 0.29.0

9 hours ago

This release is a relatively large release with improvements across many areas of PyO3's API.

Build and packaging changes

This release brings full support for Python 3.15 beta. We encourage downstream projects to begin testing and distributing Python 3.15 beta wheels so that the ecosystem can prepare for the 3.15 final release later in the year.

Alongside Python 3.15 support comes support for its new "abi3t" stable ABI, which supports both free-threaded and GIL-enabled Python builds. For projects distributing stable ABI wheels, we recommend distributing (for each OS/architecture) an abi3 wheel built for your minimum supported Python version, a 3.14t version-specific wheel for the, and an abi3t wheel to support Python 3.15 (and future versions).

Support for Python 3.7 has been dropped. Support for Python 3.13t, the first experimental free-threaded release of CPython, has also been dropped. 3.14t (and soon 3.15t) is more stable, performant, and the starting point for CPython's own declaration of "support" for the free-threaded build.

The PyO3 build process (via the pyo3-build-config crate) has been adjusted to reduce the cost of rebuilds when the environment used to detect the Python interpreter changes; pyo3-build-config and pyo3-macros will no longer be rebuilt in such cases (although pyo3-ffi and crates downstream of it will still be rebuilt). As a consequence, the pyo3_build_config APIs now require crates to have a direct dependency on pyo3 or pyo3-ffi. We hope to continue to reduce rebuild frequency and cost in a future PyO3 release.

Security updates

With the recent boom in AI-assisted security scanning, PyO3 has inevitably had several correctness issues exposed by such scans.

In particular, PyO3 0.29 fixes two security vulnerabilities that we will be releasing to the RustSec Advisory Database imminently:

  • Missing Sync bound on PyCFunction::new_closure closures
  • Possible out of bounds read in BoundTupleIterator::nth_back and BoundListIterator::nth_back

Any code using the above APIs is advised to update as soon as possible.
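
What a Sync bound like the one named in the first item asks of a closure's captured state, as an added example that is not PyO3's code and does not link against PyO3. call_concurrently is a hypothetical stand-in for any host that can invoke one closure from several threads at once; the counters and caller-N keys are constructed sample data.

```rust
use std::sync::{atomic::{AtomicU64, Ordering}, Arc, Mutex};
use std::{collections::HashMap, thread};

// Hypothetical stand-in (not a PyO3 API): a host that may call one closure
// from several threads at once. Sharing `&F` across them requires `F: Sync`;
// without it in the bound, the `thread::spawn` below does not compile.
fn call_concurrently<F: Fn(&str) + Send + Sync + 'static>(f: F, threads: usize, calls: usize) {
    let f = Arc::new(f);
    let handles: Vec<_> = (0..threads)
        .map(|t| {
            let f = Arc::clone(&f);
            thread::spawn(move || {
                let key = format!("caller-{}", t % 2); // constructed sample keys
                (0..calls).for_each(|_| f(key.as_str()));
            })
        })
        .collect();
    handles.into_iter().for_each(|h| h.join().unwrap());
}

// Scalar closure state in an atomic: `Send + Sync`, accepted by the bound.
fn atomic_total(threads: usize, calls: usize) -> u64 {
    let hits = Arc::new(AtomicU64::new(0));
    let seen = Arc::clone(&hits);
    call_concurrently(move |_| { seen.fetch_add(1, Ordering::Relaxed); }, threads, calls);
    hits.load(Ordering::Relaxed)
}

// Structured closure state (per-key counts) behind a `Mutex`.
fn per_key_totals(threads: usize, calls: usize) -> HashMap<String, u64> {
    let counts = Arc::new(Mutex::new(HashMap::new()));
    let shared = Arc::clone(&counts);
    call_concurrently(move |key| {
        *shared.lock().unwrap().entry(key.to_string()).or_insert(0u64) += 1;
    }, threads, calls);
    let totals = counts.lock().unwrap().clone(); // guard released before return
    totals
}

// Rejected by the bound: `Cell<u64>` is `Send` but not `Sync`.
// let hits = std::cell::Cell::new(0u64);
// call_concurrently(move |_| hits.set(hits.get() + 1), 4, 1_000);

fn main() {
    println!("{} {:?}", atomic_total(4, 1_000), per_key_totals(4, 1_000));
}
```

Closures whose captured state is already atomic or lock-protected satisfy such a bound unchanged; closures capturing Cell or RefCell need their state moved into one of these forms.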

This release also contains several other minor breaking changes to close soundness holes uncovered by AI-assisted scanning. Our assessment as maintainers was that, excluding the two vulnerability cases listed above, these correctness issues would likely have crashed immediately upon user testing rather than leading to attacker-exploitable pathways. We nevertheless wanted to see them closed without the usual deprecation cycle. These cases are noted in the migration guide.

Other major themes in this release

New in this release is a CLI in pyo3-introspection to generate type stubs along with the experimental-inspect feature. Downstream, maturin has also gained support for generating type stubs using the feature. The feature is reaching a point where a substantial amount of type stubs can be generated automatically. We would like to encourage users to begin using this feature and help us find what functionality is missing, in the hope that we can declare its API stable given sufficient feedback.

A substantial amount of effort has been invested in pyo3-ffi as part of the process of extending it with 3.15's new APIs. Many missing APIs from older Python versions have been added. There have also been a number of fixes to incorrect definitions (these are breaking changes, but also necessary for correctness); we hope there will be far fewer such cases in the future due to more comprehensive checking added to PyO3's CI. Finally, many private CPython APIs (those with the underscore-prefixed _Py naming) have been removed from pyo3-ffi's public API.

In closing

There are also many other incremental improvements, bug fixes and smaller features; full detail can be found in the CHANGELOG.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following contributors' commits are included in this release:

@Alc-Alc
@alex
@anuraaga
@BD103
@bschoenmaeckers
@Cheukting
@chirizxc
@ChristopherRabotin
@clin1234
@codeguru42
@davidhewitt
@dependabot[bot]
@Embers-of-the-Fire
@funsafemath
@Harikeshav-R
@hoodmane
@Icxolu
@IntrepidT
@jelmer
@luxedo
@MatthieuDartiailh
@maurosilber
@mejrs
@messense
@ngoldbaum
@Person-93
@quyentonndbs
@rara64
@staticintlucas
@tbates-redarc
@tdyas
@Tpt
@winstxnhdw
