build(deps-dev): update dependency tqdm to v4.66.3 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tqdm (changelog)	==4.62.0 -> ==4.66.3

GitHub Vulnerability Alerts

CVE-2024-34062

Impact

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. Example:

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

Patches

tqdm/tqdm@4e613f8 released in tqdm>=4.66.3

Workarounds

None

References

• https://github.com/tqdm/tqdm/releases/tag/v4.66.3

---

Release Notes

tqdm/tqdm (tqdm)

v4.66.3: tqdm v4.66.3 stable

Compare Source

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

v4.66.2: tqdm v4.66.2 stable

Compare Source

• pandas: add DataFrame.progress_map (#​1549)
• notebook: fix HTML padding (#​1506)
• keras: fix resuming training when verbose>=2 (#​1508)
• fix format_num negative fractions missing leading zero (#​1548)
• fix Python 3.12 DeprecationWarning on import (#​1519)
• linting: use f-strings (#​1549)
• update tests (#​1549)
  • fix pandas warnings
  • fix asv (https://github.com/airspeed-velocity/asv/issues/1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#​1549)

v4.66.1: tqdm v4.66.1 stable

Compare Source

• fix utils.envwrap types (#​1493 <- #​1491, #​1320 <- #​966, #​1319)
  • e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1
• drop mentions of unsupported Python versions

v4.66.0: tqdm v4.66.0 stable

Compare Source

• environment variables to override defaults (TQDM_*) (#​1491 <- #​1061, #​950 <- #​614, #​1318, #​619, #​612, #​370)
  • e.g. in CI jobs, export TQDM_MININTERVAL=5 to avoid log spam
  • add tests & docs for tqdm.utils.envwrap
• fix & update CLI completion
• fix & update API docs
• minor code tidy: replace os.path => pathlib.Path
• fix docs image hosting
• release with CI bot account again (https://github.com/cli/cli/issues/6680)

v4.65.2: tqdm v4.65.2 stable

Compare Source

• exclude examples from distributed wheel (#​1492)

v4.65.1: tqdm v4.65.1 stable

Compare Source

• migrate setup.{cfg,py} => pyproject.toml (#​1490)
  • fix asv benchmarks
  • update docs
• fix snap build (#​1490)
• fix & update tests (#​1490)
  • fix flaky notebook tests
  • bump pre-commit
  • bump workflow actions

v4.65.0: tqdm v4.65.0 stable

Compare Source

• add Python 3.11 and drop Python 3.6 support (#​1439, #​1419, #​502 <- #​720, #​620)
• misc code & docs tidy
• fix & update CI workflows & tests

v4.64.1: tqdm v4.64.1 stable

Compare Source

• support ipywidgets>=8 (#​1366, #​1361 <- #​1310, #​1359, #​1360, #​1364)
  • fix jupyter lab display
  • update notebook tests

v4.64.0: tqdm v4.64.0 stable

Compare Source

• add contrib.slack (#​1313)

v4.63.2: tqdm v4.63.2 stable

Compare Source

• rich: expose options kwargs (#​1282)
• autonotebook: re-enable VSCode (#​1309)
• misc docs typos (#​1301, #​1299)
• update dev dependencies (#​1311)

v4.63.1: tqdm v4.63.1 stable

Compare Source

• fix stderr/stdout missing flush() (#​1248 <- #​1177)
• misc speed improvements/optimisations

v4.63.0: tqdm v4.63.0 stable

Compare Source

• add __reversed__()
• add efficient __contains__()
• improve CLI startup time (replace pkg_resources => importlib)
• tqdm.autonotebook warning & std fallback on missing ipywidgets (#​1218 <- #​1082, #​1217)
• warn on positional CLI arguments
• misc build/test framework updates
  • enable py3.10 tests
  • add conda dependencies
  • update pre-commit hooks
  • fix pytest config (nbval, asyncio)
  • fix dependencies & tests
  • fix site deployment

v4.62.3: tqdm v4.62.3 stable

Compare Source

• fix minor typo (#​1246)
• minor example fix (#​1246)
• misc tidying & refactoring
• misc build/dev framework updates
  • update dependencies
  • update linters
  • update docs deployment branches
• misc test/ci updates
  • test forks
  • tidy OS & Python version tests
  • bump primary python version 3.7 => 3.8
  • beta py3.10 testing
  • fix py2.7 tests
  • better timeout handling

v4.62.2: tqdm v4.62.2 stable

Compare Source

• fix notebook memory leak (#​1216)
• fix contrib.concurrent with generators (#​1233 <- #​1231)

v4.62.1: tqdm v4.62.1 stable

Compare Source

• contrib.logging: inherit existing handler output stream (#​1191)
• fix PermissionError by using weakref in DisableOnWriteError (#​1207)
• fix contrib.telegram creation rate limit handling (#​1223, #​1221 <- #​1220, #​1076)
• tests: fix py27 keras dependencies (#​1222)
• misc tidy: use relative imports (#​1222)
• minor documentation updates (#​1222)

---

Configuration

📅 Schedule: Branch creation - "" in timezone Africa/Lusaka, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.