chore(deps): update dependency tqdm to v4.66.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
tqdm (changelog)	==4.65.0 → ==4.66.3

---

tqdm CLI arguments injection attack

CVE-2024-34062 / GHSA-g7vv-2v7x-gj9p

More information

Details

Impact

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. Example:

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

Patches

tqdm/tqdm@4e613f8 released in tqdm>=4.66.3

Workarounds

None

References

• https://github.com/tqdm/tqdm/releases/tag/v4.66.3

Severity

• CVSS Score: 3.9 / 10 (Low)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
• https://nvd.nist.gov/vuln/detail/CVE-2024-34062
• https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PA3GIGHPWAHCTT4UF57LTPZGWHAX3GW6
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRECVQCCESHBS3UJOWNXQUIX725TKNY6
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VA337CYUS4SLRFV2P6MX6MZ2LKFURKJC
• https://github.com/advisories/GHSA-g7vv-2v7x-gj9p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

tqdm/tqdm (tqdm)

v4.66.3: tqdm v4.66.3 stable

Compare Source

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

v4.66.2: tqdm v4.66.2 stable

Compare Source

• pandas: add DataFrame.progress_map (#​1549)
• notebook: fix HTML padding (#​1506)
• keras: fix resuming training when verbose>=2 (#​1508)
• fix format_num negative fractions missing leading zero (#​1548)
• fix Python 3.12 DeprecationWarning on import (#​1519)
• linting: use f-strings (#​1549)
• update tests (#​1549)
  • fix pandas warnings
  • fix asv (airspeed-velocity/asv#1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#​1549)

v4.66.1: tqdm v4.66.1 stable

Compare Source

• fix utils.envwrap types (#​1493 <- #​1491, #​1320 <- #​966, #​1319)
  • e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1
• drop mentions of unsupported Python versions

v4.66.0: tqdm v4.66.0 stable

Compare Source

• environment variables to override defaults (TQDM_*) (#​1491 <- #​1061, #​950 <- #​614, #​1318, #​619, #​612, #​370)
  • e.g. in CI jobs, export TQDM_MININTERVAL=5 to avoid log spam
  • add tests & docs for tqdm.utils.envwrap
• fix & update CLI completion
• fix & update API docs
• minor code tidy: replace os.path => pathlib.Path
• fix docs image hosting
• release with CI bot account again (cli/cli#6680)

v4.65.2: tqdm v4.65.2 stable

Compare Source

• exclude examples from distributed wheel (#​1492)

v4.65.1: tqdm v4.65.1 stable

Compare Source

• migrate setup.{cfg,py} => pyproject.toml (#​1490)
  • fix asv benchmarks
  • update docs
• fix snap build (#​1490)
• fix & update tests (#​1490)
  • fix flaky notebook tests
  • bump pre-commit
  • bump workflow actions

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.