Update pybind11 requirement from >=2.10.0 to >=3.0.3 #348
dependabot[bot] wants to merge 1 commit into main
Conversation
Updates the requirements on [pybind11](https://github.com/pybind/pybind11) to permit the latest version.
- [Release notes](https://github.com/pybind/pybind11/releases)
- [Changelog](https://github.com/pybind/pybind11/blob/master/docs/changelog.md)
- [Commits](pybind/pybind11@v2.10.0...v3.0.3)

---
updated-dependencies:
- dependency-name: pybind11
  dependency-version: 3.0.3
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

🤖 Cursor Dependency Analysis
Supply-Chain Malware Review
Reviewing how
Verdict: benign
Checklist
Scanner vs interpretation: The warn status is driven by heuristic noise (
Actionable follow-up (non-malware): Independently validate build/API compatibility with pybind11 3.x (major bump); that is a correctness concern, not a supply-chain malware signal from this review.
Compatibility Analysis
Exploring the repository for pybind11 usage and build integration to produce a compatibility analysis.
1) Where
| Location | Role |
|---|---|
| pyproject.toml ([build-system] requires) | Build-time dependency so PEP 517 builds get headers/CMake helpers. |
| src/CMakeLists.txt (lines ~220–247) | find_package(pybind11 CONFIG), optional FetchContent checkout if the package is missing. |
| src/python_bindings/fastvdf.cpp | Only C++ binding TU: PYBIND11_MODULE, m.def(...), py::bytes, py::tuple, py::gil_scoped_release, py::make_tuple. |
There is no py::class_, py::enum_, iostream integration, smart holders, or custom type casters in project src/. Vendored headers under .upstream-dependency/ are for reference/scanning, not normal app code.
2) Overlap with 3.0.3 / changed internals
Release notes emphasize fixes in implicitly_convertible, pythonbuf / iostream, virtual inheritance / add_base, py::enum_ / def_property_static, smart-holder def_readwrite, py::dynamic_attr, etc.
fastvdf.cpp does not use those APIs—only free functions and primitive/pytypes. So there is little direct API surface overlap with the listed behavioral fixes.
3) Risks / unknowns
- Major 2 → 3: In general, consumers should rebuild the extension and run tests; this tree’s bindings are small, so compile break risk is low, but not zero until CI passes.
- CMake vs. pyproject drift: If find_package(pybind11) fails, CMake FetchContent uses GIT_TAG v2.13.6 (src/CMakeLists.txt), which is not aligned with a declared >=3.0.3 build requirement. That path is a consistency and supportability risk (and matches the “maintainer drift” style hints in your scan artifacts).
- Runtime: No evidence this module relies on the buggy subsystems above; remaining risk is generic (init/internals paths used by every module).
4) Recommendation
Merge-with-caveats: Merge after green CI on the PR branch; caveat: plan a small follow-up to bump FetchContent’s GIT_TAG to a 3.x tag (e.g. v3.0.3) so offline / no-pip fallbacks match the declared requirement, unless you explicitly intend 2.13.6 only for legacy environments (then document and reconsider the >=3.0.3 pin).
Malware Scan Summary
- Status: warn
- Warn only mode: true
- Changed upstream files scanned: 21
- Resolution strategy: commit_list
- Changed node/vendor paths: 0
- Changed lockfiles: 0
- Resolved refs: from=n/a to=n/a
- Unicode findings (post-allowlist): 0
- Confusable findings (post-allowlist): 0
- IOC findings (post-allowlist): 0
- Heuristic findings (post-allowlist): 12
Top findings
- tests/test_with_catch/test_interpreter.cpp:117 shell_process_spawn :: py::exec(R"(
- tests/test_with_catch/test_interpreter.cpp:167 shell_process_spawn :: py::exec(R"(
- tests/test_with_catch/test_interpreter.cpp:375 shell_process_spawn :: // When the interpreter is embedded, there is no execution frame, but py::exec
- tests/test_with_catch/test_interpreter.cpp:377 shell_process_spawn :: py::exec("var = dict(number=42)");
- include/pybind11/pybind11.h:1578 shell_process_spawn :: /// Initialize an array of slots based on the supplied exec slot and options.
- docs/changelog.md:2058 shell_process_spawn :: - py::exec, py::eval, and py::eval_file now add the builtins
- docs/changelog.md:2060 shell_process_spawn :: matching exec and eval in pure Python.
- docs/changelog.md:2746 shell_process_spawn :: - Added py::exec() as a shortcut for py::eval<py::eval_statements>()
- .github/workflows/nightlies.yml:0 workflow_path_touch :: path-touch
- .github/workflows/pip.yml:0 workflow_path_touch :: path-touch
- pybind11:0 ghost_version_or_missing_tag :: >=3.0.3
- pybind11:0 maintainer_drift :: >=2.10.0 -> >=3.0.3
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 0da4501.
| @@ -1,5 +1,5 @@ | |||
| [build-system] | |||
| requires = ["setuptools>=42", "wheel", "setuptools_scm[toml]>=3.5.0", "pybind11>=2.10.0"] | |||
| requires = ["setuptools>=42", "wheel", "setuptools_scm[toml]>=3.5.0", "pybind11>=3.0.3"] | |||
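Review bot: the raised floor `pybind11>=3.0.3` in `requires` has no upper bound and, as the review thread notes, now disagrees with the CMake FetchContent fallback in src/CMakeLists.txt that still pins GIT_TAG v2.13.6, so a build that falls through find_package compiles against a 2.x tree while the wheel metadata promises 3.x. Suggest bumping that GIT_TAG to a 3.x tag in the same PR, and since this change itself crosses a major boundary, consider capping the requirement (for example `"pybind11>=3.0.3,<4"`) so the next major bump is an explicit decision rather than an automatic pick-up.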
CMake fallback fetches outdated pybind11 v2.13.6 version
Medium Severity
The pyproject.toml build requirement now mandates pybind11>=3.0.3, but src/CMakeLists.txt line 244 has a FetchContent_Declare fallback pinned to GIT_TAG v2.13.6. If CMake can't find the pip-installed pybind11 (e.g., in certain CI or from-source builds), the fallback fetches a 2.x version that's incompatible with the 3.x minimum. This version mismatch can lead to build failures or subtle ABI incompatibilities since pybind11 3.0 is a major version with breaking changes.
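Both the Cursor analysis and the Bugbot inline comment flag the same drift: the PEP 517 build requirement says one thing and the CMake FetchContent fallback pins another. The following is an added example of a CI-style consistency check for that drift, not code from this repository or from pybind11. It assumes the layout the review describes (a `[build-system].requires` entry in pyproject.toml and a `FetchContent_Declare(pybind11 ... GIT_TAG vX.Y.Z)` block in CMakeLists.txt); the two file bodies below are constructed samples that reproduce the >=3.0.3 vs v2.13.6 mismatch, and the specifier evaluator is a deliberately minimal subset of PEP 440 (release versions and the six comparison operators only), not a replacement for the `packaging` library.

```python
"""Detect drift between a PEP 517 build requirement and a CMake FetchContent fallback.

Added example for this PR review; not the project's own code. The two sample
documents below are constructed to mirror the mismatch the reviewers describe.
"""
import re
from typing import Optional, Tuple

# Constructed sample: the pyproject.toml after this PR (hypothetical contents).
PYPROJECT_SAMPLE = '''
[build-system]
requires = ["setuptools>=42", "wheel", "setuptools_scm[toml]>=3.5.0", "pybind11>=3.0.3"]
build-backend = "setuptools.build_meta"
'''

# Constructed sample: the fallback block the review says sits in src/CMakeLists.txt.
CMAKE_SAMPLE = '''
find_package(pybind11 CONFIG)
if(NOT pybind11_FOUND)
  include(FetchContent)
  FetchContent_Declare(
    pybind11
    GIT_REPOSITORY https://github.com/pybind/pybind11.git
    GIT_TAG        v2.13.6
  )
  FetchContent_MakeAvailable(pybind11)
endif()
'''

# One specifier clause: operator followed by a dotted release version (optional leading 'v').
_SPEC_RE = re.compile(r"(>=|<=|==|!=|>|<)\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'v2.13.6' -> (2, 13, 6); short forms are zero-padded so '<4' compares as (4, 0, 0)."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def build_requirement(pyproject_text: str, name: str) -> Optional[str]:
    """Return the specifier (e.g. '>=3.0.3') declared for `name` in [build-system].requires.

    Returns None when the package is not listed, '' when it is listed without a version.
    The `requires` array is located with a regex so the check has no TOML dependency;
    the closing bracket must end its line so extras like setuptools_scm[toml] don't cut it short.
    """
    m = re.search(r"^\s*requires\s*=\s*\[(.*?)\]\s*$", pyproject_text, re.S | re.M)
    if not m:
        return None
    for item in re.findall(r'"([^"]+)"', m.group(1)):
        im = re.match(r"([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(.*)$", item)
        if im and im.group(1).lower() == name.lower():
            return im.group(2).strip()
    return None


def fetchcontent_tag(cmake_text: str, name: str) -> Optional[str]:
    """Return the GIT_TAG inside FetchContent_Declare(<name> ...), or None if absent."""
    block = re.search(r"FetchContent_Declare\s*\(\s*" + re.escape(name) + r"\b(.*?)\)",
                      cmake_text, re.S | re.I)
    if not block:
        return None
    tag = re.search(r"GIT_TAG\s+(\S+)", block.group(1))
    return tag.group(1) if tag else None


def satisfies(version: str, spec: str) -> bool:
    """Evaluate a comma-separated specifier against a release version.

    Supports >=, <=, ==, !=, >, <. Any other clause raises instead of being skipped,
    so an unsupported pin is a loud failure rather than a silently passing check.
    """
    v = parse_version(version)
    for clause in (c.strip() for c in spec.split(",")):
        if not clause:
            continue
        m = _SPEC_RE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {">=": v >= bound, "<=": v <= bound, "==": v == bound,
              "!=": v != bound, ">": v > bound, "<": v < bound}[op]
        if not ok:
            return False
    return True


def check_drift(pyproject_text: str, cmake_text: str, name: str = "pybind11") -> Tuple[bool, str]:
    """Return (ok, message); ok is False only when a fallback tag cannot satisfy the requirement."""
    spec = build_requirement(pyproject_text, name)
    tag = fetchcontent_tag(cmake_text, name)
    if spec is None:
        return True, f"{name}: no build-system requirement declared; nothing to compare"
    if tag is None:
        return True, f"{name}: no FetchContent fallback found; nothing to compare"
    if not spec:
        return True, f"{name}: requirement is unpinned; any fallback tag is acceptable"
    if satisfies(tag, spec):
        return True, f"{name}: fallback {tag} satisfies build requirement {spec}"
    return False, f"{name}: fallback GIT_TAG {tag} does not satisfy build requirement {spec}"


if __name__ == "__main__":
    import sys
    ok, message = check_drift(PYPROJECT_SAMPLE, CMAKE_SAMPLE)
    print(message)
    sys.exit(0 if ok else 1)
```

Run against the real files (read them instead of the constructed samples) as a CI step and the process exits non-zero on exactly the condition both reviewers raised; once the GIT_TAG is moved to a 3.x tag the same check passes, and it keeps passing if a cap such as `<4` is later added to the requirement.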


Updates the requirements on pybind11 to permit the latest version.
Release notes
Sourced from pybind11's releases.
... (truncated)
Changelog
Sourced from pybind11's changelog.
... (truncated)
Commits
- 1b49908 docs: add v3.0.3 and v3.1.0 changelog updates. (#6023)
- c066c76 fix: add missing PYBIND11_ALWAYS_INLINE macro for v3.0.3 backports
- 76efcb3 Bump version from v3.0.2 → v3.0.3
- 0f41635 chore(deps): bump pygments from 2.17.2 to 2.20.0 in /docs (#6024)
- 54a4615 chore(deps): bump requests from 2.32.4 to 2.33.0 in /docs (#6013)
- d12037c chore(deps): update pre-commit hooks (#6002)
- 64eecc4 chore(deps): bump the actions group with 3 updates (#6000)
- c0ea8fc Fix heap-buffer-overflow in pythonbuf with undersized buffers (#6019)
- 8d621d6 fix: detect virtual inheritance in add_base to prevent pointer offset crash (...
- b6a616e fix: strdup "self" arg in def_property_static, partially revert #6010 (gh...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Low Risk
Low risk change limited to build-time dependency constraints, but may surface compile/ABI incompatibilities in downstream extension builds if the project relied on older pybind11 behavior.
Overview
Updates pyproject.toml build-system requirements to raise the minimum pybind11 version from >=2.10.0 to >=3.0.3, allowing builds to use the latest pybind11 release.