Skip to content

Security patch v0.13.4

Compare
Choose a tag to compare
@Wauplin Wauplin released this 06 Apr 15:05
· 717 commits to main since this release

Security patch to fix a vulnerability in huggingface_hub. In some cases, downloading a file with hf_hub_download or snapshot_download could lead to overwriting any file on a Windows machine. With this fix, only files in the cache directory (or a user-defined directory) can be updated/overwritten.

  • Malicious repo can overwrite any file on disk #429 @Wauplin

Full Changelog: v0.13.3...v0.13.4