Upgrade pyO3 to 0.29.0 (#8462)

This lets us get over the security advisory

Signed-off-by: Robert Kruszewski <github@robertk.io>

Author: robert3005

Cargo.lock

@@ -209,10 +209,10 @@ proc-macro2 = "1.0.95"
 prost = "0.14"
 prost-build = "0.14"
 prost-types = "0.14"
-pyo3 = { version = "0.28.0" }
-pyo3-bytes = "0.6"
+pyo3 = { version = "0.29.0" }
+pyo3-bytes = "0.7"
 pyo3-log = "0.13.0"
-pyo3-object_store = "0.9.0"
+pyo3-object_store = "0.11.0"
 quote = "1.0.44"
 rand = "0.10.1"
 rand_distr = "0.6"

Cargo.toml

@@ -16,15 +16,7 @@ ignore = [
     # Paste is no longer maintained because its essentially "finished".
     "RUSTSEC-2024-0436",
     # proc-macro-error-2 is unmaintained, only used by the `test_with` test dependency
-    "RUSTSEC-2026-0173",
-    # Out-of-bounds read in `nth`/`nth_back` on pyo3 list/tuple iterators, fixed only in pyo3
-    # 0.29.0. We cannot bump until pyo3-bytes, pyo3-log, and pyo3-object_store support 0.29 (all
-    # pin pyo3 to <0.29, and pyo3-ffi `links = "python"` forbids two pyo3 versions in the graph).
-    # Not exploitable here: `vortex-python` never calls `nth`/`nth_back` on these iterators.
-    "RUSTSEC-2026-0176",
-    # Another issue that will be fixed once we can bump pyo3 to 0.29.
-    # PyCFunction::new_closure is missing a `Sync` bound.
-    "RUSTSEC-2026-0177"
+    "RUSTSEC-2026-0173"
 ]
 
 [licenses]

deny.toml

@@ -194,7 +194,7 @@ impl PyDType {
     #[classmethod]
     #[pyo3(signature = (arrow_dtype, *, non_nullable = false))]
     fn from_arrow<'py>(
-        cls: &'py Bound<'py, PyType>,
+        cls: &Bound<'py, PyType>,
         #[pyo3(from_py_with = import_arrow_dtype)] arrow_dtype: DataType,
         non_nullable: bool,
     ) -> PyResult<Bound<'py, PyDType>> {