chore(deps): update dependency joblib to v1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
joblib	==0.16.0 -> ==1.2.0

GitHub Vulnerability Alerts

CVE-2022-21797

The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

---

Release Notes

joblib/joblib (joblib)

v1.2.0

Compare Source

• Fix a security issue where eval(pre_dispatch) could potentially run
  arbitrary code. Now only basic numerics are supported.
  #​1327

• Make sure that joblib works even when multiprocessing is not available,
  for instance with Pyodide
  #​1256

• Avoid unnecessary warnings when workers and main process delete
  the temporary memmap folder contents concurrently.
  #​1263

• Fix memory alignment bug for pickles containing numpy arrays.
  This is especially important when loading the pickle with
  mmap_mode != None as the resulting numpy.memmap object
  would not be able to correct the misalignment without performing
  a memory copy.
  This bug would cause invalid computation and segmentation faults
  with native code that would directly access the underlying data
  buffer of a numpy array, for instance C/C++/Cython code compiled
  with older GCC versions or some old OpenBLAS written in platform
  specific assembly.
  #​1254

• Vendor cloudpickle 2.2.0 which adds support for PyPy 3.8+.

• Vendor loky 3.3.0 which fixes several bugs including:

  • robustly forcibly terminating worker processes in case of a crash
    (#​1269);

  • avoiding leaking worker processes in case of nested loky parallel
    calls;

  • reliability spawn the correct number of reusable workers.

v1.1.1

Compare Source

• Fix a security issue where eval(pre_dispatch) could potentially run
  arbitrary code. Now only basic numerics are supported.
  #​1327

v1.1.0

Compare Source

• Fix byte order inconsistency issue during deserialization using joblib.load
  in cross-endian environment: the numpy arrays are now always loaded to
  use the system byte order, independently of the byte order of the system
  that serialized the pickle.
  #​1181

• Fix joblib.Memory bug with the ignore parameter when the cached function
  is a decorated function.
  #​1165

• Fix joblib.Memory to properly handle caching for functions defined
  interactively in a IPython session or in Jupyter notebook cell.
  #​1214

• Update vendored loky (from version 2.9 to 3.0) and cloudpickle (from
  version 1.6 to 2.0)
  #​1218

v1.0.1

Compare Source

• Add check_call_in_cache method to check cache without calling function.
  #​820

• dask: avoid redundant scattering of large arguments to make a more
  efficient use of the network resources and avoid crashing dask with
  "OSError: [Errno 55] No buffer space available"
  or "ConnectionResetError: [Errno 104] connection reset by peer".
  #​1133

v1.0.0

Compare Source

• Make joblib.hash and joblib.Memory caching system compatible with `numpy

  = 1.20.0. Also make it explicit in the documentation that users should now expect to have their joblib.Memorycache invalidated when eitherjoblibor a third party library involved in the cached values definition is upgraded. In particular, users updatingjoblibto a release that includes this fix will see their previous cache invalidated if they contained reference tonumpy` objects.
  #​1136

• Remove deprecated check_pickle argument in delayed.
  #​903

v0.17.0

Compare Source

• Fix a spurious invalidation of Memory.cache'd functions called with
  Parallel under Jupyter or IPython.
  #​1093

• Bump vendored loky to 2.9.0 and cloudpickle to 1.6.0. In particular
  this fixes a problem to add compat for Python 3.9.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.