fix(deps): resolve Dependabot security alerts (pyo3, js-yaml)#1324

Merged
louistrue merged 1 commit into
mainfrom
fix/dependabot-security
Jun 23, 2026
Conversation

@louistrue

@louistrue louistrue commented Jun 23, 2026

Closes the 4 open Dependabot alerts on the default branch.

pyo3 0.22 → 0.29 (rust/python)

Clears three advisories against the PyO3 binding crate:

Migrated the 111-line binding to the 0.29 API:

  • PyDict::new_bound / PyBytes::new_bound → PyDict::new / PyBytes::new
  • Python::allow_threads → Python::detach
  • return Py<PyAny> (the PyObject alias was dropped from the prelude) via into_any().unbind()

rust/python is excluded from the workspace and ships via its own python-wheels.yml (maturin, abi3-py39), which this PR's path filter will exercise across all platform targets.

Verified locally: release build links cleanly as an extension-module and the abi3 wheel imports + dispatches both geometry_data_json and geometry_data_buffers on CPython 3.9.

js-yaml — drop the last vulnerable 3.14.2 (alert #77)

CVE-2026-53550 (quadratic-complexity merge-key DoS) covers all js-yaml <= 4.1.1. The 4.x line was already pinned to ^4.2.0; the only remaining vulnerable copy was js-yaml@3.14.2, pulled transitively by:

@changesets/cli → @manypkg/get-packages@1.1.3 → read-yaml-file@1.1.0 → js-yaml@3.14.2

read-yaml-file@1.1.0 calls yaml.safeLoad, removed in js-yaml 4.x — so a blanket js-yaml@3 → 4 override would break changesets. Instead this overrides read-yaml-file → ^2.1.0, which uses yaml.load (js-yaml 4.x) while keeping the exact CommonJS default + .sync surface @manypkg/get-packages consumes. read-yaml-file and js-yaml@3 each had a single consumer, so this removes js-yaml@3.14.2 from the tree entirely.

Verified locally: read-yaml-file@2.1.0 + js-yaml@4.2.0 parses the repo's own pnpm-workspace.yaml via both the default promise fn and .sync; merge keys still parse. pnpm install --frozen-lockfile is consistent.

Summary by CodeRabbit

  • Chores

    • Upgraded Python bindings dependency from version 0.22 to 0.29 to enhance compatibility with newer Python versions and improve platform support.
    • Added package dependency override configuration for stronger dependency management control.
  • Refactor

    • Optimized geometry data buffer and JSON export processing routines to improve execution performance and reduce processing overhead during data serialization.

pyo3 0.22 -> 0.29 in rust/python clears three advisories: out-of-bounds
read in PyList/PyTuple nth/nth_back (high), missing Sync bound on
PyCFunction::new_closure closures (medium), and PyString::from_object
buffer overflow (low). Migrate the bindings to the 0.29 API
(PyDict::new / PyBytes::new, Python::detach, Py<PyAny> return). Verified
via a release build linked as an extension module + abi3-py39 import and
dispatch on CPython 3.9.

js-yaml: remove the last vulnerable js-yaml 3.14.2 (CVE-2026-53550,
quadratic-complexity merge-key DoS) by overriding read-yaml-file to
^2.1.0, which depends on js-yaml 4.x. @manypkg/get-packages (changesets
dev tooling) was its only consumer; read-yaml-file 2.1.0 keeps the same
CommonJS default + .sync surface and switches safeLoad -> load. The 4.x
line was already pinned to ^4.2.0.
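As an added example (not code from this PR or the ifc-lite project): a small audit that walks a dependency tree constructed from the chain quoted in the description and reports every js-yaml copy in the range covered by CVE-2026-53550 (js-yaml <= 4.1.1), before and after the read-yaml-file override. The tree shapes and the three-part semver comparison are assumptions; the vulnerable range, the package chain and the 2.1.0 / 4.2.0 versions come from the PR text.

```javascript
// Added example, not code from the PR: audit a dependency tree for js-yaml
// copies in the range covered by CVE-2026-53550 (js-yaml <= 4.1.1) and report
// the path that pulls each one in. Both trees are constructed by hand from the
// chain in the PR description; a real audit would build them from pnpm-lock.yaml.

// Minimal "major.minor.patch" comparison; pre-release tags are not handled.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable range from the advisory: every js-yaml release up to 4.1.1.
function isVulnerableJsYaml(version) {
  return cmpVersion(version, '4.1.1') <= 0;
}

// Depth-first walk over { name, version?, deps? } nodes; returns one
// "a > b > c" path string per vulnerable js-yaml copy found.
function findVulnerableJsYaml(node, path = []) {
  const label = node.version ? `${node.name}@${node.version}` : node.name;
  const here = [...path, label];
  const hits = [];
  if (node.name === 'js-yaml' && isVulnerableJsYaml(node.version)) {
    hits.push(here.join(' > '));
  }
  for (const dep of node.deps || []) {
    hits.push(...findVulnerableJsYaml(dep, here));
  }
  return hits;
}

// Constructed: the transitive chain before the override (read-yaml-file 1.1.0).
const treeBefore = {
  name: '@changesets/cli', deps: [
    { name: '@manypkg/get-packages', version: '1.1.3', deps: [
      { name: 'read-yaml-file', version: '1.1.0', deps: [
        { name: 'js-yaml', version: '3.14.2' } ] } ] } ] };

// Constructed: the same chain after the pnpm override (read-yaml-file ^2.1.0,
// which depends on js-yaml 4.x; 4.2.0 is the version the PR verified against).
const treeAfter = {
  name: '@changesets/cli', deps: [
    { name: '@manypkg/get-packages', version: '1.1.3', deps: [
      { name: 'read-yaml-file', version: '2.1.0', deps: [
        { name: 'js-yaml', version: '4.2.0' } ] } ] } ] };
```

Running findVulnerableJsYaml on treeBefore yields the single path ending in js-yaml@3.14.2; on treeAfter it yields nothing.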
@vercel

vercel Bot commented Jun 23, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project                Deployment   Actions            Updated (UTC)
ifc-lite               Ready        Preview, Comment   Jun 23, 2026 9:45am

2 Skipped Deployments
Project                Deployment   Actions            Updated (UTC)
ifc-lite-dev           Ignored      Preview            Jun 23, 2026 9:45am
ifc-lite-viewer-embed  Ignored                         Jun 23, 2026 9:45am

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Walkthrough

Upgrades the PyO3 dependency from version 0.22 to 0.29 in rust/python/Cargo.toml and migrates the Python binding functions in rust/python/src/lib.rs to the updated API. Also adds a pnpm.overrides entry for read-yaml-file at ^2.1.0 in the root package.json.

Changes

PyO3 0.29 upgrade and binding API migration

  • PyO3 version bump and API migration (rust/python/Cargo.toml, rust/python/src/lib.rs): pyo3 is upgraded from 0.22 to 0.29. geometry_data_buffers switches from py.allow_threads to py.detach, replaces *_bound constructors (PyDict::new_bound, PyBytes::new_bound) with PyDict::new and PyBytes::new, changes its return type from PyObject to Py<PyAny>, and returns via out.into_any().unbind(). geometry_data_json similarly switches to py.detach.

pnpm read-yaml-file override

  • pnpm override for read-yaml-file (package.json): adds read-yaml-file: ^2.1.0 to the pnpm.overrides section alongside the existing js-yaml@4 entry.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • LTplus-AG/ifc-lite#1316: Introduced the native Python binding module with geometry_data_buffers and geometry_data_json functions that this PR directly migrates to the PyO3 0.29 API.

Poem

🐇 A hop through Rust, a PyO3 bound,
From allow_threads to detach I found,
No more _bound to slow me down,
Py<PyAny> wears the crown!
And YAML reads with a fresh override ~
This bunny codes with rustaceous pride! 🦀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main objective: resolving Dependabot security alerts by upgrading pyo3 and js-yaml dependencies.
  • Docstring Coverage: Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@rust/python/Cargo.toml`:
- Line 20: In the pyo3 dependency declaration in Cargo.toml, remove the
deprecated "extension-module" feature from the features array while keeping
"abi3-py39". The extension-module feature is no longer needed and should be
replaced with modern build backends like maturin (version 1.9.4 or higher) or
setuptools-rust (version 1.12 or higher) for building the extension module
instead.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b58b62a7-f1b9-4b5e-a01c-44fdde179445

📥 Commits

Reviewing files that changed from the base of the PR and between ca9f9ee and 29fa0b1.

⛔ Files ignored due to path filters (2)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • rust/python/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • package.json
  • rust/python/Cargo.toml
  • rust/python/src/lib.rs

@louistrue louistrue merged commit 95eceff into main Jun 23, 2026
24 checks passed
@louistrue louistrue deleted the fix/dependabot-security branch June 23, 2026 09:53