Skip to content

chore(deps): update dependency clearml to v2 [security]#130

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-clearml-vulnerability
Open

chore(deps): update dependency clearml to v2 [security]#130
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-clearml-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
clearml ==1.18.0==2.0.2 age confidence

clearml is vulnerable to Path Traversal through its safe_extract function

CVE-2025-8917 / GHSA-579p-qf78-fqm2

More information

Details

A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the safe_extract function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten.

Severity

  • CVSS Score: 5.8 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

clearml/clearml (clearml)

v2.0.2: PyPI v2.0.2 - ClearML

Compare Source

New Features and Bug Fixes
  • Add py.typed to support PEP 561 type checking (#​1411, thanks @​AH-Merii!)
  • Handle unsafe links inside safe_extract()
  • Update task models list when reloading a model
  • Add static routes support

v2.0.1: PyPI v2.0.1 - ClearML

Compare Source

New Features and Bug Fixes
  • Move CONTRIBUTING.md to root directory (#​1414, thanks @​AH-Merii!)
  • Add a stage field to pipeline steps
  • Fix access to default output destination when project can't be loaded, add warning message but do not fail
  • Fix project not accessible or unavailable causes task startup to fail, add warning
  • Warn when calling Task.force_requirements_env_freeze() / Task.force_store_standalone_script() after Task.init() (#​1425)

v2.0.0: PyPI v2.0.0 - ClearML

Compare Source

New Features
  • Clean up exception handeling in cleanup_service.py (#​1387, thanks @​PixelWelt!)
  • Add support for clearml-task command line options --force-no-requirements, --skip-repo-detection and --skip-python-env-install
  • Allow calling the same pipeline step multiple times with inputs that originate from tasks/controller
  • Add Task.upload_artifact() argument sort_keys to allow disabling sorting yaml/json keys when uploading artifacts
  • Add python annotations to all methods
  • Update pyjwt constraint version
Bug Fixes
  • Fix local file uploads without scheme (#​1326, thanks @​d-vignesh!)
  • Fix argument order mismatch in PipelineController (#​1407, thanks @​rashboldb!)
  • Fix _logger property might be None in Session (#​1412, thanks @​AH-Merii!)
  • Fix unhandled None value in project IDs when listing all datasets (#​1413, thanks @​AH-Merii!)
  • Fix typo in config exception string (#​1418, thanks @​AH-Merii!)
  • Fix experiments are created twice during HPO (#​644)
  • Fix clearml-task-run HPO breaks up (#​1151)
  • Fix oversized event reports cause subsequent events to be lost (#​1316)
  • Fix downloading datasets with multiple parents might not work (#​1398)
  • Fix GPU reporting fails to detect GPU when the NVIDIA_VISIBLE_DEVICES env var contains a directory reference
  • Fix verify configuration option for S3 storage (boto3) is not used when testing buckets
  • Fix PipelineDecorator.component() ignores *args and crashes with **kwargs
  • Fix Pipelines ran via clearml-task do not appear in the UI
  • Fix task log URL print for API v2.31 should show "/tasks/{}/output/log"
  • Fix tqdm upload/download reporting, remove warning
  • Fix pipeline from CLI with no args fails
  • Fix pillow constraint for Python<=3.7
  • Fix requests constraint for Python < 3.8

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/pypi-clearml-vulnerability branch 5 times, most recently from 3723902 to dc58fca Compare June 11, 2026 15:00
@renovate renovate Bot force-pushed the renovate/pypi-clearml-vulnerability branch 6 times, most recently from c042677 to ccfc5ec Compare June 22, 2026 08:23
@renovate renovate Bot force-pushed the renovate/pypi-clearml-vulnerability branch 8 times, most recently from 6c224e5 to 6d5bcba Compare July 8, 2026 15:27
@renovate renovate Bot force-pushed the renovate/pypi-clearml-vulnerability branch 5 times, most recently from 4478676 to 881672c Compare July 14, 2026 08:33
@renovate renovate Bot force-pushed the renovate/pypi-clearml-vulnerability branch from 881672c to 4d9835f Compare July 14, 2026 09:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants