
chore(deps): update dependency joblib to v1 [security] #27

Closed
wants to merge 1 commit into from

@renovate renovate bot commented Aug 7, 2024

Mend Renovate

This PR contains the following updates:

Package   Change
joblib    ==0.15.1 -> ==1.2.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-21797

The package joblib from version 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag of the Parallel() class, due to an eval() statement.


Release Notes

joblib/joblib (joblib)

v1.2.0

Compare Source

  • Fix a security issue where eval(pre_dispatch) could potentially run
    arbitrary code. Now only basic numerics are supported. (joblib/joblib#1327)

  • Make sure that joblib works even when multiprocessing is not available,
    for instance with Pyodide. (joblib/joblib#1256)

  • Avoid unnecessary warnings when workers and main process delete
    the temporary memmap folder contents concurrently. (joblib/joblib#1263)

  • Fix memory alignment bug for pickles containing numpy arrays.
    This is especially important when loading the pickle with
    mmap_mode != None as the resulting numpy.memmap object
    would not be able to correct the misalignment without performing
    a memory copy.
    This bug would cause invalid computation and segmentation faults
    with native code that would directly access the underlying data
    buffer of a numpy array, for instance C/C++/Cython code compiled
    with older GCC versions or some old OpenBLAS written in platform-specific
    assembly. (joblib/joblib#1254, "Make sure arrays are bytes aligned in joblib pickles")

  • Vendor cloudpickle 2.2.0 which adds support for PyPy 3.8+.

  • Vendor loky 3.3.0 which fixes several bugs including:

    • robustly forcibly terminating worker processes in case of a crash
      (joblib/joblib#1269);

    • avoiding leaking worker processes in case of nested loky parallel
      calls;

    • reliably spawn the correct number of reusable workers.

v1.1.1

Compare Source

  • Fix a security issue where eval(pre_dispatch) could potentially run
    arbitrary code. Now only basic numerics are supported. (joblib/joblib#1327)

v1.1.0

Compare Source

  • Fix byte order inconsistency issue during deserialization using joblib.load
    in cross-endian environment: the numpy arrays are now always loaded to
    use the system byte order, independently of the byte order of the system
    that serialized it. (joblib/joblib#1181)

  • Fix joblib.Memory bug with the ignore parameter when the cached function
    is a decorated function. (joblib/joblib#1165)

  • Fix joblib.Memory to properly handle caching for functions defined
    interactively in an IPython session or in Jupyter notebook cells. (joblib/joblib#1214)

  • Update vendored loky (from version 2.9 to 3.0) and cloudpickle (from
    version 1.6 to 2.0). (joblib/joblib#1218)

v1.0.1

Compare Source

  • Add check_call_in_cache method to check cache without calling function.
    (joblib/joblib#820)

  • dask: avoid redundant scattering of large arguments to make a more
    efficient use of the network resources and avoid crashing dask with
    "OSError: [Errno 55] No buffer space available"
    or "ConnectionResetError: [Errno 104] connection reset by peer". (joblib/joblib#1133)

v1.0.0

Compare Source

  • Make joblib.hash and joblib.Memory caching system compatible with
    numpy >= 1.20.0. Also make it explicit in the documentation that users
    should now expect to have their joblib.Memory cache invalidated when
    either joblib or a third party library involved in the cached values
    definition is upgraded. In particular, users updating joblib to a
    release that includes this fix will see their previous cache invalidated
    if they contained reference to numpy objects. (joblib/joblib#1136)

  • Remove deprecated check_pickle argument in delayed.
    (joblib/joblib#903)

v0.17.0

Compare Source

  • Fix a spurious invalidation of Memory.cache'd functions called with
    Parallel under Jupyter or IPython.
    (joblib/joblib#1093)

  • Bump vendored loky to 2.9.0 and cloudpickle to 1.6.0. In particular
    this fixes a problem to add compat for Python 3.9.

v0.16.0

Compare Source

  • Fix a problem in the constructors of Parallel backends classes that
    inherit from the AutoBatchingMixin that prevented the dask backend to
    properly batch short tasks. (joblib/joblib#1062)

  • Fix a problem in the way the joblib dask backend batches calls that would
    badly interact with the dask callable pickling cache and lead to wrong
    results or errors. (joblib/joblib#1055)

  • Prevent a dask.distributed bug from surfacing in joblib's dask backend
    during nested Parallel calls (due to joblib's auto-scattering feature). (joblib/joblib#1061)

  • Workaround for a race condition after Parallel calls with the dask backend
    that would cause low level warnings from asyncio coroutines. (joblib/joblib#1078)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
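The advisory above is about one mechanism: joblib's Parallel() passed the caller-supplied pre_dispatch string (values such as "2*n_jobs") through eval(), so anyone who could influence that string could run arbitrary Python in the process. The block below is an added illustration for this page, not joblib's code and not the patch in joblib/joblib#1327: `resolve_pre_dispatch_unsafe` mirrors the eval() pattern the release note describes, `resolve_pre_dispatch` is one way to accept only the basic numeric forms, and `is_vulnerable_version` encodes the alert's range (before 1.2.0). The payload, the MARKER environment variable, the "all" -> None return convention and the requirement that n_jobs is already a positive count are assumptions of the example. Note the caveat a reviewer of this PR would want: the 1.1.1 release notes list the same fix, but the GitHub alert range is "before 1.2.0", which is what the PR's pin (==1.2.0) and the helper follow.

```python
"""Illustration of the pre_dispatch eval() issue (CVE-2022-21797).

Added example for this page, not joblib's code. resolve_pre_dispatch_unsafe
mirrors the pattern the release note describes (eval() on the pre_dispatch
string); resolve_pre_dispatch accepts only basic numeric forms.
"""
import os
import re

# Marker written into the environment by the constructed payload below, so the
# side effect of eval() is observable without touching the filesystem.
MARKER = "PRE_DISPATCH_DEMO"

# Constructed payload. Assumption: pre_dispatch is forwarded from untrusted
# input (e.g. a config file). "or 2*n_jobs" keeps the result numeric so nothing
# downstream notices that code ran.
MALICIOUS_PRE_DISPATCH = (
    f"__import__('os').environ.__setitem__({MARKER!r}, 'executed') or 2*n_jobs"
)

# Whitelisted shapes, matched after all whitespace is removed.
_FORM_INT = re.compile(r"^(\d+)$")               # "3"
_FORM_NJOBS = re.compile(r"^n_jobs$")            # "n_jobs"
_FORM_INT_TIMES_NJOBS = re.compile(r"^(\d+)\*n_jobs$")   # "2*n_jobs"
_FORM_NJOBS_TIMES_INT = re.compile(r"^n_jobs\*(\d+)$")   # "n_jobs*2"


def resolve_pre_dispatch_unsafe(pre_dispatch, n_jobs):
    """Vulnerable pattern: evaluate the string with n_jobs in scope.

    eval() gets a fresh globals dict; Python inserts __builtins__ into it,
    so __import__ and everything reachable from it is available to the string.
    """
    if isinstance(pre_dispatch, int):
        return pre_dispatch
    return eval(pre_dispatch, {"n_jobs": n_jobs})


def resolve_pre_dispatch(pre_dispatch, n_jobs):
    """Hardened resolver: only 'all', a positive int, or '<int>*n_jobs' forms.

    Returns the number of tasks to pre-dispatch, or None for 'all' (return
    convention chosen for this example). n_jobs must already be a positive
    worker count (assumption of the example; joblib's -1 convention is not
    handled here).
    """
    if n_jobs < 1:
        raise ValueError("n_jobs must be resolved to a positive count first")
    if isinstance(pre_dispatch, bool):
        raise TypeError("pre_dispatch must be an int or a str")
    if isinstance(pre_dispatch, int):
        if pre_dispatch < 1:
            raise ValueError("pre_dispatch must be >= 1")
        return pre_dispatch
    if not isinstance(pre_dispatch, str):
        raise TypeError("pre_dispatch must be an int or a str")
    text = "".join(pre_dispatch.split())  # drop whitespace, nothing else
    if text == "all":
        return None
    if _FORM_INT.match(text):
        value = int(text)
    elif _FORM_NJOBS.match(text):
        value = n_jobs
    elif (m := _FORM_INT_TIMES_NJOBS.match(text)) or (m := _FORM_NJOBS_TIMES_INT.match(text)):
        value = int(m.group(1)) * n_jobs
    else:
        # Anything that is not one of the whitelisted shapes is refused;
        # there is no fallback to eval().
        raise ValueError(f"unsupported pre_dispatch expression: {pre_dispatch!r}")
    if value < 1:
        raise ValueError("pre_dispatch must resolve to >= 1")
    return value


def rejects(pre_dispatch, n_jobs=4):
    """True if the hardened resolver refuses the expression."""
    try:
        resolve_pre_dispatch(pre_dispatch, n_jobs)
    except (ValueError, TypeError):
        return True
    return False


def unsafe_demo(n_jobs=4):
    """Run the payload through the vulnerable resolver; return (value, marker)."""
    os.environ.pop(MARKER, None)
    value = resolve_pre_dispatch_unsafe(MALICIOUS_PRE_DISPATCH, n_jobs)
    return value, os.environ.get(MARKER)


def is_vulnerable_version(version):
    """True if `version` is in the alert's range (>= 0, < 1.2.0).

    Only the leading MAJOR.MINOR[.PATCH] digits are compared; pre-release
    suffixes are ignored (simplification for this example).
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parsed = tuple(int(g or 0) for g in m.groups())
    return parsed < (1, 2, 0)


if __name__ == "__main__":
    print("unsafe resolver:", unsafe_demo())
    print("hardened '2*n_jobs' with 4 jobs:", resolve_pre_dispatch("2*n_jobs", 4))
    print("hardened rejects payload:", rejects(MALICIOUS_PRE_DISPATCH))
    print("0.15.1 in alert range:", is_vulnerable_version("0.15.1"))
```

The point to take from the two resolvers is that the fix is a whitelist, not a sanitiser: the hardened version never evaluates the string, it only recognises a handful of shapes and refuses everything else, which is what "only basic numerics are supported" amounts to.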


Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

@renovate renovate bot enabled auto-merge (squash) August 7, 2024 21:37
@renovate renovate bot changed the title chore(deps): update dependency joblib to v1 [security] chore(deps): update dependency joblib to v1 [security] - autoclosed Aug 7, 2024
@renovate renovate bot closed this Aug 7, 2024
auto-merge was automatically disabled August 7, 2024 22:47

Pull request was closed

@renovate renovate bot deleted the renovate/pypi-joblib-vulnerability branch August 7, 2024 22:47
@renovate renovate bot changed the title chore(deps): update dependency joblib to v1 [security] - autoclosed chore(deps): update dependency joblib to v1 [security] Aug 7, 2024
@renovate renovate bot reopened this Aug 7, 2024
@renovate renovate bot restored the renovate/pypi-joblib-vulnerability branch August 7, 2024 23:16
@renovate renovate bot requested review from DerekRoberts and a team as code owners August 7, 2024 23:16
@renovate renovate bot enabled auto-merge (squash) August 7, 2024 23:17
@renovate renovate bot force-pushed the renovate/pypi-joblib-vulnerability branch from 1b8bd82 to 80f0a7a Compare August 7, 2024 23:17
@renovate renovate bot force-pushed the renovate/pypi-joblib-vulnerability branch from 80f0a7a to 67bd3cc Compare August 8, 2024 17:33
auto-merge was automatically disabled August 8, 2024 21:07

Pull request was closed

renovate bot commented Aug 8, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 1.x releases. But if you manually upgrade to 1.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/pypi-joblib-vulnerability branch August 8, 2024 21:09