chore(deps): update dependency tqdm to v4.66.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tqdm (changelog)	==4.50.0 -> ==4.66.3

GitHub Vulnerability Alerts

CVE-2024-34062

Impact

Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. Example:

python -m tqdm --manpath="\" + str(exec(\"import os\nos.system('echo hi && killall python3')\")) + \""

Patches

tqdm/tqdm@4e613f8 released in tqdm>=4.66.3

Workarounds

None

References

• https://github.com/tqdm/tqdm/releases/tag/v4.66.3

---

Release Notes

tqdm/tqdm (tqdm)

v4.66.3: tqdm v4.66.3 stable

Compare Source

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

v4.66.2: tqdm v4.66.2 stable

Compare Source

• pandas: add DataFrame.progress_map (#​1549)
• notebook: fix HTML padding (#​1506)
• keras: fix resuming training when verbose>=2 (#​1508)
• fix format_num negative fractions missing leading zero (#​1548)
• fix Python 3.12 DeprecationWarning on import (#​1519)
• linting: use f-strings (#​1549)
• update tests (#​1549)
  • fix pandas warnings
  • fix asv (https://github.com/airspeed-velocity/asv/issues/1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#​1549)

v4.66.1: tqdm v4.66.1 stable

Compare Source

• fix utils.envwrap types (#​1493 <- #​1491, #​1320 <- #​966, #​1319)
  • e.g. cloudwatch & kubernetes workaround: export TQDM_POSITION=-1
• drop mentions of unsupported Python versions

v4.66.0: tqdm v4.66.0 stable

Compare Source

• environment variables to override defaults (TQDM_*) (#​1491 <- #​1061, #​950 <- #​614, #​1318, #​619, #​612, #​370)
  • e.g. in CI jobs, export TQDM_MININTERVAL=5 to avoid log spam
  • add tests & docs for tqdm.utils.envwrap
• fix & update CLI completion
• fix & update API docs
• minor code tidy: replace os.path => pathlib.Path
• fix docs image hosting
• release with CI bot account again (https://github.com/cli/cli/issues/6680)

v4.65.2: tqdm v4.65.2 stable

Compare Source

• exclude examples from distributed wheel (#​1492)

v4.65.1: tqdm v4.65.1 stable

Compare Source

• migrate setup.{cfg,py} => pyproject.toml (#​1490)
  • fix asv benchmarks
  • update docs
• fix snap build (#​1490)
• fix & update tests (#​1490)
  • fix flaky notebook tests
  • bump pre-commit
  • bump workflow actions

v4.65.0: tqdm v4.65.0 stable

Compare Source

• add Python 3.11 and drop Python 3.6 support (#​1439, #​1419, #​502 <- #​720, #​620)
• misc code & docs tidy
• fix & update CI workflows & tests

v4.64.1: tqdm v4.64.1 stable

Compare Source

• support ipywidgets>=8 (#​1366, #​1361 <- #​1310, #​1359, #​1360, #​1364)
  • fix jupyter lab display
  • update notebook tests

v4.64.0: tqdm v4.64.0 stable

Compare Source

• add contrib.slack (#​1313)

v4.63.2: tqdm v4.63.2 stable

Compare Source

• rich: expose options kwargs (#​1282)
• autonotebook: re-enable VSCode (#​1309)
• misc docs typos (#​1301, #​1299)
• update dev dependencies (#​1311)

v4.63.1: tqdm v4.63.1 stable

Compare Source

• fix stderr/stdout missing flush() (#​1248 <- #​1177)
• misc speed improvements/optimisations

v4.63.0: tqdm v4.63.0 stable

Compare Source

• add __reversed__()
• add efficient __contains__()
• improve CLI startup time (replace pkg_resources => importlib)
• tqdm.autonotebook warning & std fallback on missing ipywidgets (#​1218 <- #​1082, #​1217)
• warn on positional CLI arguments
• misc build/test framework updates
  • enable py3.10 tests
  • add conda dependencies
  • update pre-commit hooks
  • fix pytest config (nbval, asyncio)
  • fix dependencies & tests
  • fix site deployment

v4.62.3: tqdm v4.62.3 stable

Compare Source

• fix minor typo (#​1246)
• minor example fix (#​1246)
• misc tidying & refactoring
• misc build/dev framework updates
  • update dependencies
  • update linters
  • update docs deployment branches
• misc test/ci updates
  • test forks
  • tidy OS & Python version tests
  • bump primary python version 3.7 => 3.8
  • beta py3.10 testing
  • fix py2.7 tests
  • better timeout handling

v4.62.2: tqdm v4.62.2 stable

Compare Source

• fix notebook memory leak (#​1216)
• fix contrib.concurrent with generators (#​1233 <- #​1231)

v4.62.1: tqdm v4.62.1 stable

Compare Source

• contrib.logging: inherit existing handler output stream (#​1191)
• fix PermissionError by using weakref in DisableOnWriteError (#​1207)
• fix contrib.telegram creation rate limit handling (#​1223, #​1221 <- #​1220, #​1076)
• tests: fix py27 keras dependencies (#​1222)
• misc tidy: use relative imports (#​1222)
• minor documentation updates (#​1222)

v4.62.0: tqdm v4.62.0 stable

Compare Source

• asyncio.gather API consistency with stdlib (#​1212)
• fix shutdown exception (#​1209 <- #​1198)
• misc build framework updates (#​1209)
• add GH Sponsors & merch links

v4.61.2: tqdm v4.61.2 stable

Compare Source

• install colorama on Windows (#​1139, #​454)
• add telegram support for leave=False (#​1189)
• support pandas==1.3.0 (#​1199)
• fix keras potential AttributeError (#​1184 <- #​1183)
• fix py3.10 asyncio tests (#​1176)
• flush stdout/err before first render (#​1177)
• misc minor build & test framework updates (#​1180)

v4.61.1: tqdm v4.61.1 stable

Compare Source

• fix utils._screen_shape_linux() sometimes raising ValueError (#​1174)
• minor build/CI framework updates (#​1175)
• minor documentation updates
  • fix typo (#​1178)
  • link to merch! 🧢 👕

v4.61.0: tqdm v4.61.0 stable

Compare Source

• keras support for initial_epoch (#​1150 <- #​1138)
• misc documentation updates
  • update & shorten URLs (#​1163)
  • fix typos (#​1162)
• fix & update tests (#​1163)
• minor framework updates (#​1163)

v4.60.0: tqdm v4.60.0 stable

Compare Source

• add contrib.logging helpers for redirecting to tqdm.write() (#​1155 <- #​786)
• support delay in notebook (#​1142)
• fix contrib.tmap, tzip not using tqdm_class (#​1148)
• add notebook tests (#​1143)
• updates & misc minor fixes for documentation

v4.59.0: tqdm v4.59.0 stable

Compare Source

• add tqdm.dask.TqdmCallback (#​1079, #​279 <- #​278)
• add asyncio.gather() (#​1136)
• add basic support for length_hint (#​1068)
• add & update tests
• misc documentation updates (#​1132)
  • update contributing guide
  • update URLs
  • bash completion: add missing --delay
• misc code tidy
  • add [notebook] extra (#​1135)

v4.58.0: tqdm v4.58.0 stable

Compare Source

• add start delay in seconds (#​836 <- #​1069, #​704)
• add tests
• misc code tidy (#​1130)
• misc documentation updates

v4.57.0: tqdm v4.57.0 stable

Compare Source

• add line buffering for DummyTqdmFile (#​960)
• fix & update demo notebook (#​1127)
• fix py3 urllib examples (#​1127)
• suppress deprecated pandas warnings (#​824, #​1094)
• misc framework updates
• misc tests updates
• misc code tidy

v4.56.2: tqdm v4.56.2 stable

Compare Source

• fix attribute errors when disabled (#​1126)
  • reset() (#​1125)
  • unpause()
• add tests

v4.56.1: tqdm v4.56.1 stable

Compare Source

• fix repr() & format_dict when disabled (#​1113 <- #​624)
• rename __repr__() => __str__()
• minor documentation updates (#​1113)
  • fix Binder demo notebook (#​1119)
  • remove explicit Dockerfile
  • move some images to external repo
• add & update tests

v4.56.0: tqdm v4.56.0 stable

Compare Source

• add tqdm.tk (#​1006)
• add tqdm.rich
• minor formatting improvements for tqdm.gui
• fix display() inheritance/override
• add tests
• add documentation

v4.55.2: tqdm v4.55.2 stable

Compare Source

• update tests (#​1108)
  • make pre-commit pytest quicker
  • switch pre-commit from make to python
  • add and update (auto) formatters & CI (#​1108, #​1093)
• update contributing guidelines (#​1108)
  • fix formatting
  • test dependencies (#​1109)
• update .gitignore
• fix (auto & manual) formatting
• fix minor detected bugs
• misc build/CI framework upgrades

v4.55.1: tqdm v4.55.1 stable

Compare Source

• fix (Rolling|Expanding).progress_apply() on pandas==1.2.0 (#​1106)
• minor documentation updates

v4.55.0: tqdm v4.55.0 stable

Compare Source

• fix ASCII notebook export (#​937, #​1035, #​1098)
• fix notebook gui-mode extra spaces (#​433, #​479, #​550, #​935)
• better ETA for early iterations (#​1101)
• better ETA for wildly varying iteration rates (#​1102)
• update submodule inheritance
  • tqdm.gui
  • tqdm.notebook
  • tqdm.contrib.telegram
  • tqdm.contrib.discord
• documentation updates
• misc code optimisations
• add tests
• framework updates
  • build
  • CI & test
• misc code linting/formatting

v4.54.1: tqdm v4.54.1 stable

Compare Source

• drop py3.4 (no longer tested) (#​1091)
• misc CI updates (#​1091)
  • update snap build & deploy method
  • bot releases

v4.54.0: tqdm v4.54.0 stable

Compare Source

• get rid of get_new (#​1085 <- #​1084, #​509)
• minor CI framework optimisations

v4.53.0: tqdm v4.53.0 stable

Compare Source

• provide get_new() helper for mixed subclasses in nested mode (#​509)
• fix nested asyncio (#​1074)
  • document async break hazard
• add tests
• drop py2.6/3.2/3.3 and distutils (no longer tested)
  • drop py2.6 (#​502 <- #​620, #​127)
  • drop distutils in favour of setuptools/setup.cfg (#​723, #​721)
• CI framework overhaul
  • drop appveyor (Windows already tested by GHA)
  • skip devel PRs
  • automate linting comments on failure
• use setuptools_scm (#​722)
  • fix & update tests
  • fix & upgrade snap build
  • update CONTRIBUTING docs

v4.52.0: tqdm v4.52.0 stable

Compare Source

• allow delaying display() to a different notebook cell (#​1059 <- #​909, #​954)
  • add notebook argument display=True (use display=False with display(tqdm_object.container))
  • add keras.TqdmCallback support for initialiser arguments (use display=False with tqdm_callback_object.display()) (#​1059 <- #​1065)
  • add documentation
• add CI on windows (#​507)
• enable CI on OSX
• migrate CI Travis => GHA
  • add tests for MacOS & Windows
  • add tests for py3.9 (#​1073)
  • update documentation
• minify docker build
• update tests
• misc tidy

v4.51.0: tqdm v4.51.0 stable

Compare Source

• add {eta} datetime bar_format argument (#​1055 <- #​1051)
  • e.g. bar_format='{l_bar}{bar}| {n_fmt}/{total_fmt} [{rate_fmt} ETA:{eta:%y-%m-%d %H:%M}{postfix}]'
• fix py3 CLI --update & --update_to
• replace nosetests with pytest (#​1052, #​1045)
• add & update tests

v4.50.2: tqdm v4.50.2 stable

Compare Source

• fixed platform.system() causing fork() warnings (#​691)
• fixed contrib.concurrent.process_map pickling error with threading.RLock (#​920)
• updated documentation & examples
• updated CI framework
• updated tests
• misc code tidy

v4.50.1: tqdm v4.50.1 stable

Compare Source

• fix multiprocessing lock creation leak (#​982, #​936, #​759)
  • fixes #​617 which introduced this bug (v4.29.0, released 2019-01-06, undiagnosed until now) where multiple threads could concurrently create and append process locks to a global list, then try to release them without first acquiring 👿
• major test overhaul: fix, update, and speed up
• misc CI framework updates
• code linting
• minor documentation tidy

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.