Bump openexr from 3.3.3 to 3.3.8#170

Open
dependabot[bot] wants to merge 1 commit into main from
dependabot/pip/openexr-3.3.8

Conversation

@dependabot dependabot bot commented on behalf of github Mar 3, 2026

Bumps openexr from 3.3.3 to 3.3.8.

Release notes

Sourced from openexr's releases.

v3.3.8

Patch release that prevents an integer overflow when using the CompositeDeepScanLine API to combine multiple deep parts.

v3.3.7

Patch release that fixes an incorrect size check in istream_nonparallel_read that could lead to a buffer overflow on invalid input data.

v3.3.6

Patch release that addresses several bugs, primarily involving properly rejecting corrupt input data.

Specifically:

  • Buffer overflow in PyOpenEXR_old's channels() and channel() in legacy python, reported by Joshua Rogers (GitHub: MegaManSec).
  • Use after free in PyObject_StealAttrString in legacy python, reported by Joshua Rogers (GitHub: MegaManSec).
  • Use of Uninitialized Memory in openexr, reported by Aldo Ristori (GitHub: Kaldreic).
  • Heap-based Buffer Overflow Remote Code Execution Vulnerability, reported by Trend Micro Zero Day Initiative.

Full changelog: v3.3.5..v3.3.6

v3.3.5

Patch release with a couple bug/performance fixes:

  • 🐛 Fix for DeepScanlineInputFile read memory leak
  • 🚀 OpenEXRCore Deep pixel unpacking optimisation

v3.3.4

Patch release with several bug/build/performance fixes:

  • 🐛 Fix a crash with deep scanline input
  • 🐛 Fix a bug when reading a file with missing tiles
  • 🐛 Fix a crash in exrmetrics
  • 🛠️ Fix a problem with /EHsc and /MP flags that broke CUDA compilation
  • 🛠️ Fix a build failure on MinGW
  • 🚀 Enable vectorisation for ZIP reconstruct stage on Windows

Changelog

Sourced from openexr's changelog.

Version 3.3.8 (March 1, 2026)

Patch release that prevents an integer overflow when using the CompositeDeepScanLine API to combine multiple deep parts.

Merged Pull Requests:

  • 2256 Report an error if a deep pixel has more than UINT_MAX samples

Version 3.3.7 (February 19, 2026)

Patch release that fixes an incorrect size check in istream_nonparallel_read that could lead to a buffer overflow on invalid input data.

Merged Pull Requests:

  • 2244 Fix incorrect size check in istream_nonparallel_read

Version 3.3.6 (November 4, 2025)

Patch release that addresses several bugs, primarily involving properly rejecting corrupt input data.

Specifically:

  • Buffer overflow in PyOpenEXR_old's channels() and channel() in legacy python, reported by Joshua Rogers (GitHub: MegaManSec).
  • Use after free in PyObject_StealAttrString in legacy python, reported by Joshua Rogers (GitHub: MegaManSec).
  • Use of Uninitialized Memory in openexr, reported by Aldo Ristori (GitHub: Kaldreic).
  • Heap-based Buffer Overflow Remote Code Execution Vulnerability, reported by Trend Micro Zero Day Initiative.

Other fixes:

  • Only populate CMAKE_DEBUG_POSTFIX with _d if it is undefined, which makes it possible to set CMAKE_DEBUG_POSTFIX="".

Merged Pull Requests:

  • 2168 Fix improper use of Py_DECREF in legacy python module
  • 2166 Only define CMAKE_DEBUG_POSTFIX if it is not already defined
  • 2164 check storage_mode when computing chunk sizes
  • 2163

... (truncated)

Commits
  • 3fad448 bump to version v3.3.8
  • 4d62f44 Add notes for v3.3.8
  • 41b4c3e Report an error if a deep pixel has more than UINT_MAX samples (#2256)
  • d2b41c8 switch bazel from macos-13 to macos-15
  • 6e02acb switch python-wheels from macos-13 to macos-15-intel
  • a0c1590 switch CI from macos-13 to macos-15-intel
  • c2d21c6 bump tag version in install manifests
  • 4b13b44 bump version for v3.3.7
  • aed14f8 Add notes for v3.3.7
  • d2be382 Fix incorrect size check in istream_nonparallel_read (#2244)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [openexr](https://github.com/AcademySoftwareFoundation/OpenEXR) from 3.3.3 to 3.3.8.
- [Release notes](https://github.com/AcademySoftwareFoundation/OpenEXR/releases)
- [Changelog](https://github.com/AcademySoftwareFoundation/openexr/blob/main/CHANGES.md)
- [Commits](AcademySoftwareFoundation/openexr@v3.3.3...v3.3.8)

---
updated-dependencies:
- dependency-name: openexr
  dependency-version: 3.3.8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Mar 3, 2026
@meta-cla meta-cla bot added the CLA Signed This label is managed by the Meta Open Source bot. label Mar 3, 2026