
Update dependency joblib to v1.5.0 [SECURITY]#1919

Merged
renovate[bot] merged 1 commit into
masterfrom
renovate/pypi-joblib-vulnerability
May 22, 2026

Conversation


@renovate renovate Bot commented May 21, 2026

This PR contains the following updates:

Package | Update | Change            | OpenSSF
joblib  | minor  | ==1.4.2 → ==1.5.0 | OpenSSF Scorecard

CVE-2024-34997 / PYSEC-2024-277


Details

joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array(). NOTE: this is disputed by the supplier because NumpyArrayWrapper is only used during caching of trusted content.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
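As an added defender-side example (not part of this PR, of Renovate, or of joblib), the following Python audit flags requirement lines that still admit joblib releases below the 1.5.0 version this PR moves to. The function and variable names and the sample requirements are constructed for illustration.

```python
"""Flag Python requirement lines that still admit joblib versions affected by
CVE-2024-34997 / PYSEC-2024-277 (this PR treats 1.5.0 as the fixed version)."""
import re

AFFECTED_PACKAGE = "joblib"
FIXED_VERSION = (1, 5, 0)  # first release considered patched, per this PR

# Constructed sample requirements file; not from any real project.
SAMPLE_REQUIREMENTS = """\
numpy==1.26.4
joblib==1.4.2            # the exact pin this PR bumps to 1.5.0
scikit-learn>=1.4
joblib>=1.3,<2           # a loose range that still resolves to 1.4.2
"""


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). Pads to three parts; a pre/post suffix such as
    '1.5.0rc1' is dropped, so pre-releases of the fix count as fixed."""
    nums = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group(0)))
        if m.end() != len(piece):  # suffix like 'rc1' found; stop here
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def requirement_admits_vulnerable(line):
    """True if this requirement line could resolve to an affected joblib.
    Understands '==', '>=', '>', '~=' (lower bounds); any other or missing
    specifier is treated conservatively as admitting a vulnerable release."""
    spec_text = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", spec_text)
    if not m or m.group(1).lower() != AFFECTED_PACKAGE:
        return False
    lowest = (0, 0, 0)  # lowest version the specifiers allow
    for spec in (s.strip() for s in m.group(2).split(",") if s.strip()):
        sm = re.match(r"(==|>=|~=|>)\s*(.+)", spec)
        if not sm:
            continue  # '<', '<=', '!=' or unsupported syntax: no lower bound
        op, ver = sm.group(1), parse_version(sm.group(2))
        if op == "==":
            return ver < FIXED_VERSION
        lowest = max(lowest, ver + ((0,) if op == ">" else ()))
    return lowest < FIXED_VERSION


def audit_requirements(text):
    """Return the offending requirement lines (comments stripped)."""
    return [ln.split("#", 1)[0].strip() for ln in text.splitlines()
            if requirement_admits_vulnerable(ln)]
```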


Release Notes

joblib/joblib (joblib)

v1.5.0

Compare Source

Memory:

- Enforce ``age_limit`` is a positive timedelta for ``Memory.reduce_size``,
  to avoid silently ignoring it.
  https://github.com/joblib/joblib/pull/1613

- Remove deprecated ``bytes_limit`` argument for ``Memory``, which should
  be passed directly to ``Memory.reduce_size``.
  https://github.com/joblib/joblib/pull/1569

- Extend functionality of the ``check_call_in_cache`` method to now also
  check against cache validity. Before, it would only check for a given call
  if it is in cache memory.
  https://github.com/joblib/joblib/pull/1584

- The ``Memory`` object now automatically creates a ``.gitignore`` file in its
  cache directory, instructing git to ignore the entire folder.
  https://github.com/joblib/joblib/pull/1674

Parallel:

- Fixed a bug that caused the timeout parameter in joblib.Parallel to be
  ineffective when used along with return_as='generator_unordered'.
  #1586

- Pretty printing of Parallel execution progress when the number of tasks is
  known. #1608

- Make it possible to pass extra arguments to the LokyBackend and
  MultiprocessingBackend, enabling the use of initializer.
  #1525

- Refactor and document the custom parallel backend API.
  #1667

Maintenance:

- Drop support for Python 3.8.
  https://github.com/joblib/joblib/pull/1669

- Support for Python 3.13 free-threaded has been added.
  https://github.com/joblib/joblib/pull/1589

- Drop support for PyPy.
  https://github.com/joblib/joblib/pull/1670

- Fixed an issue affecting ``joblib.load`` calls with non-null ``mmap_mode``
  parameter when loading compressed python objects. It wrongly attempted to load
  with ``np.memmap`` anyway, resulting in python exceptions or corrupted data.
  The result now properly uses in-memory ``np.array`` arrays, in accordance with
  the warnings that are emitted in this case.
  https://github.com/joblib/joblib/pull/1681

- Fix a regression in 1.3 and 1.4 that caused large big endian arrays to trigger
  a serialization error. https://github.com/joblib/joblib/issues/1545

- Added an ``ensure_native_byte_order`` parameter to ``joblib.load``. When
  ``True`` and ``mmap_mode`` is ``None``, loaded arrays are automatically coerced
  to a byte order that matches the endianness of the host system. This behavior
  has been the default since ``joblib==1.3``, and can now be disabled if the
  parameter is set to ``False`` instead. Note that setting it to ``True`` will
  raise an error if ``mmap_mode`` is not null. The default value ``'auto'`` is
  equivalent to always setting ``True`` if ``mmap_mode`` is ``None``, else always
  ``False``.  https://github.com/joblib/joblib/pull/1561

- Fix support for python 3.14 in ``hashing``, with the addition of
  an extra argument in ``Pickler._batch_setitems``.
  https://github.com/joblib/joblib/pull/1688

- Fix tests on platforms with only one CPU core.
  https://github.com/joblib/joblib/pull/1682

- Bump vendored cloudpickle to ``3.1.1`` to support Python 3.14 (dev) and
  various other fixes.

- Bump vendored loky to ``3.5.3`` to support recent Python versions without
  raising the warning on calls to `os.fork` and fix various sources of crashes
  and deadlocks.

- Use ``pickle`` protocol 5 for pickling ``numpy`` arrays with object type.
  https://github.com/joblib/joblib/pull/1682

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot temporarily deployed to Vespa Cloud CD May 21, 2026 17:17 Inactive
@renovate renovate Bot force-pushed the renovate/pypi-joblib-vulnerability branch from 3804def to ad2c1b2 May 22, 2026 09:20
@renovate renovate Bot temporarily deployed to Vespa Cloud CD May 22, 2026 09:21 Inactive
@renovate renovate Bot force-pushed the renovate/pypi-joblib-vulnerability branch from ad2c1b2 to 9582330 May 22, 2026 10:18
@renovate renovate Bot temporarily deployed to Vespa Cloud CD May 22, 2026 10:19 Inactive
@renovate renovate Bot force-pushed the renovate/pypi-joblib-vulnerability branch from 9582330 to 9b3f773 May 22, 2026 11:18
@renovate renovate Bot temporarily deployed to Vespa Cloud CD May 22, 2026 11:19 Inactive
@renovate renovate Bot merged commit f3d3c77 into master May 22, 2026
9 checks passed
@renovate renovate Bot deleted the renovate/pypi-joblib-vulnerability branch May 22, 2026 12:17