Update dependency joblib to v1.2.0 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
joblib (source)	==1.1.0 -> ==1.2.0

GitHub Vulnerability Alerts

CVE-2022-21797

The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

---

Release Notes

joblib/joblib

v1.2.0

Compare Source

• Fix a security issue where eval(pre_dispatch) could potentially run
  arbitrary code. Now only basic numerics are supporthttps://github.com/joblib/joblib/pull/1327ull/1327

• Make sure that joblib works even when multiprocessing is not available,
  for instance with Pyodhttps://github.com/joblib/joblib/pull/1256ull/1256

• Avoid unnecessary warnings when workers and main process delete
  the temporary memmap folder contents concurrenthttps://github.com/joblib/joblib/pull/1263ull/1263

• Fix memory alignment bug for pickles containing numpy arrays.
  This is especially important when loading the pickle with
  mmap_mode != None as the resulting numpy.memmap object
  would not be able to correct the misalignment without performing
  a memory copy.
  This bug would cause invalid computation and segmentation faults
  with native code that would directly access the underlying data
  buffer of a numpy array, for instance C/C++/Cython code compiled
  with older GCC versions or some old OpenBLAS written in plathttps://github.com/joblib/joblib/pull/1254thub.com/Make sure arrays are bytes aligned in joblib pickles joblib/joblib#1254

• Vendor cloudpickle 2.2.0 which adds support for PyPy 3.8+.

• Vendor loky 3.3.0 which fixes several bugs including:

  • robustly forcibly terminating worker processes in case of a crash
    https://github.com/joblib/joblib/pull/1269ull/1269);

  • avoiding leaking worker processes in case of nested loky parallel
    calls;

  • reliability spawn the correct number of reusable workers.

v1.1.1

Compare Source

• Fix a security issue where eval(pre_dispatch) could potentially run
  arbitrary code. Now only basic numerics are supporthttps://github.com/joblib/joblib/pull/1327ull/1327

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

Base: 84.02% // Head: 84.02% // No change to project coverage 👍

Coverage data is based on head (6e35a0d) compared to base (e927925).
Patch has no changes to coverable lines.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #995   +/-   ##
=======================================
  Coverage   84.02%   84.02%           
=======================================
  Files           9        9           
  Lines         889      889           
=======================================
  Hits          747      747           
  Misses        142      142           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.