Skip to content

metaflow

v2.19.31 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3d Model Serving & MLOps
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

agents ai aws azure cost-optimization datascience
+13 more
distributed-training gcp generative-ai high-performance-computing kubernetes llm llmops machine-learning ml-infrastructure ml-platform mlops model-management python

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 2d

Use yaml.safe_load in chevron to prevent arbitrary code execution from YAML parsing.

Why it matters: Severity 90 security risk: misuse of yaml.load enables arbitrary code execution; switch immediately to safe_load.

Summary

AI summary

Updates deps-dev, fix, and deps across a mixed release.

Changes in this release

Security Critical

Use yaml.safe_load instead of yaml.load in chevron to prevent arbitrary code execution.

Use yaml.safe_load instead of yaml.load in chevron to prevent arbitrary code execution.

Source: llm_adapter@2026-06-01

Confidence: high
Feature Low

Add IPython autocomplete for Metaflow and MetaflowData classes.

Add IPython autocomplete for Metaflow and MetaflowData classes.

Source: llm_adapter@2026-06-01

Confidence: high
Dependency Low

Bump uuid and cypress dependencies in /metaflow/plugins/cards/ui.

Bump uuid and cypress dependencies in /metaflow/plugins/cards/ui.

Source: llm_adapter@2026-06-01

Confidence: high
Bugfix Medium

Avoid redundant metadata fetch in task log accessors to improve performance.

Avoid redundant metadata fetch in task log accessors to improve performance.

Source: llm_adapter@2026-06-01

Confidence: high
Bugfix Medium

Prevent duplicate DAGTask names when using foreach with split‑switch flows.

Prevent duplicate DAGTask names when using foreach with split‑switch flows.

Source: llm_adapter@2026-06-01

Confidence: high
Bugfix Low

Remove duplicate --use-latest pytest option in spin conftest.

Remove duplicate --use-latest pytest option in spin conftest.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low
Full changelog

What's Changed

  • build(deps-dev): bump postcss from 8.5.6 to 8.5.12 in /metaflow/plugins/cards/ui by @dependabot[bot] in https://github.com/Netflix/metaflow/pull/3153
  • build(deps-dev): bump tmp from 0.2.5 to 0.2.7 in /metaflow/plugins/cards/ui by @dependabot[bot] in https://github.com/Netflix/metaflow/pull/3213
  • build(deps): bump uuid and cypress in /metaflow/plugins/cards/ui by @dependabot[bot] in https://github.com/Netflix/metaflow/pull/3207
  • Fix a typo in the R autopilot tutorial README by @rrioh in https://github.com/Netflix/metaflow/pull/3218
  • fix: remove duplicate --use-latest pytest option in spin conftest by @odncode in https://github.com/Netflix/metaflow/pull/3205
  • security(chevron): use yaml.safe_load instead of yaml.load with configurable loader by @dfgvaetyj3456356-hash in https://github.com/Netflix/metaflow/pull/3216
  • fix(client): avoid redundant metadata fetch in task log accessors by @ynachiket in https://github.com/Netflix/metaflow/pull/3214
  • Test: Added CondaFlowDecorator unit tests by @agsaru in https://github.com/Netflix/metaflow/pull/3193
  • Expose Argo only-json workflow template on DeployedFlow by @talsperre in https://github.com/Netflix/metaflow/pull/3220
  • feat: added IPython autocomplete for Metaflow and MetaflowData classes by @a-coder4 in https://github.com/Netflix/metaflow/pull/3071
  • fix: prevent duplicate DAGTask names in foreach + split-switch flows by @odncode in https://github.com/Netflix/metaflow/pull/3204
  • Bump version to 2.19.31 by @talsperre in https://github.com/Netflix/metaflow/pull/3226

New Contributors

  • @rrioh made their first contribution in https://github.com/Netflix/metaflow/pull/3218
  • @odncode made their first contribution in https://github.com/Netflix/metaflow/pull/3205
  • @dfgvaetyj3456356-hash made their first contribution in https://github.com/Netflix/metaflow/pull/3216
  • @ynachiket made their first contribution in https://github.com/Netflix/metaflow/pull/3214
  • @a-coder4 made their first contribution in https://github.com/Netflix/metaflow/pull/3071

Full Changelog: https://github.com/Netflix/metaflow/compare/2.19.30...2.19.31

Security Fixes

  • security(chevron): use yaml.safe_load instead of yaml.load with configurable loader
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track metaflow

Get notified when new releases ship.

Sign up free

About metaflow

Build, Manage and Deploy AI/ML Systems

All releases →

Related context

Beta — feedback welcome: [email protected]