
Release v2.67.0 #10705

Merged
cvat-bot[bot] merged 16 commits into master from release-2.67.0
Jun 2, 2026

Conversation


@cvat-bot cvat-bot Bot commented Jun 2, 2026


Added

Fixed

Security

cvat-bot Bot and others added 16 commits May 26, 2026 20:40
Bumps [js-cookie](https://github.com/js-cookie/js-cookie) from 3.0.5 to 3.0.7.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kirill Lakhov <kirill.lakhov@cvat.ai>

- Upgraded drf-spectacular from 0.26.2 to 0.29.0.
- Fixed /api/schema RSS growth: local and canary testing showed the old
version caused near-linear RSS growth, while 0.29.0 reaches a small
plateau.
- Added explicit schema annotations for RequestViewSet path parameter
  id.
  ```console
  /home/django/cvat/apps/redis_handler/views.py: Warning [RequestViewSet]:
  could not derive type of path parameter "id" because it is untyped and
  obtaining queryset from the viewset failed. Consider adding a type to
  the path (e.g. <int:id>) or annotating the parameter type with
  @extend_schema. Defaulting to "string".
  ```
- Avoided schema-generation warnings for non-model RequestViewSet.
  ```console
  /home/django/cvat/apps/redis_handler/views.py: Warning [RequestViewSet]:
  Failed to obtain model through view's queryset due to raised exception.
  Prevent this either by setting "queryset = Model.objects.none()" on the
  view, checking for "getattr(self, "swagger_fake_view", False)" in
  get_queryset() or by simply using @extend_schema. (Exception: 'NoneType'
  object has no attribute 'model')
  ```
- Fixed events cache cleanup so clear_cache() removes the per-request
cache entry instead of only clearing its contents.

Tested /api/schema/?lang=en&scheme=json with 250 requests.
Before upgrade: RSS grew from ~315 MB to ~930 MB.
After upgrade: RSS stabilized around ~345 MB.

### Checklist
<!-- Go over all the following points, and put an `x` in all the boxes
that apply.
If an item isn't applicable for some reason, then ~~explicitly
strikethrough~~ the whole
line. If you don't do that, GitHub will show incorrect progress for the
pull request.
If you're unsure about any of these, don't hesitate to ask. We're here
to help! -->
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [x] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.

All users are added to the "user" group by default. So when
`self.assignee` and `self.annotator` are added to the "worker" group,
they become both users _and_ workers, which effectively gives them user
privileges. I'm fairly sure those users are only meant to have worker
privileges.

Fix this by replacing `groups.add` with `groups.set`. Also, remove
redundant additions of the `user` and `admin` groups.

This makes a few tests fail, but I think the tests are wrong here, so
fix them. Workers have no need to access the mounted share contents,
because they can't create tasks.

Bumps [axios](https://github.com/axios/axios) from 1.15.0 to 1.15.2.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kirill Lakhov <kirill.lakhov@cvat.ai>

Updated:
- nltk to 3.9.4
- pyarrow to 24.0.0
- urllib3 to 2.7.0

Golang build image to 1.26.3

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.

When an asset is uploaded, we check the `Content-Type` supplied by the user,
but when we serve an asset, we do it with a `Content-Type` autodetected from
the filename. So it's trivial for an attacker to upload `evil.html` with a
`Content-Type` of `image/gif`, which CVAT will then serve with a
`Content-Type` of `text/html`. If a user is tricked into opening a link to
this asset, the HTML file can execute arbitrary code with that user's
privileges.

Fix it by verifying that the supplied `Content-Type` is the same as the
autodetected one. As a backup, also add a restrictive CSP when serving
assets (this should also neutralize any malicious assets created before this
patch is deployed).
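The upload/serve `Content-Type` mismatch described in the last commit message, shown as an added Python example that is not CVAT's code. It compares the client-supplied type against the type that would later be autodetected from the filename (the same check the commit message describes), rejects files whose extension cannot be detected at all, and builds the response headers used when serving a stored asset. The function names, the `ASSET_CSP` value and the extra headers are assumptions for illustration, not the values the patch itself uses.

```python
"""Added example (not CVAT's own code): check an uploaded asset's declared
Content-Type against the filename-based autodetection that will be used
when the asset is served, and attach a restrictive CSP on the way out.

Function names, ASSET_CSP and the extra headers are assumptions.
"""
import mimetypes
from typing import Dict, Optional


def _normalize(content_type: str) -> str:
    # Strip parameters such as "; charset=utf-8" and compare case-insensitively,
    # so "Image/GIF; charset=binary" and "image/gif" are treated the same.
    return content_type.split(";", 1)[0].strip().lower()


def autodetect_content_type(filename: str) -> Optional[str]:
    # Filename-based detection of the kind a framework or web server applies
    # when serving a file. Returns None for an unknown extension.
    guessed, _encoding = mimetypes.guess_type(filename)
    return guessed.lower() if guessed else None


def validate_upload(filename: str, supplied_content_type: str) -> bool:
    """Accept the upload only when the declared type equals the type the
    asset will be served with.

    This closes the gap where "evil.html" declared as image/gif would pass
    the upload check and later be served as text/html. An extension with no
    known type is rejected: if the served type cannot be predicted, the
    declared type cannot be verified either.
    """
    detected = autodetect_content_type(filename)
    if detected is None:
        return False
    return _normalize(supplied_content_type) == detected


# Assumed restrictive policy for the asset endpoint: no script, style, frame or
# sub-resource loads, and 'sandbox' withholds scripting and origin privileges
# even if an HTML document stored before the fix is still served.
ASSET_CSP = "default-src 'none'; sandbox"


def asset_response_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a stored asset: the autodetected Content-Type plus
    the backup CSP and nosniff, so a previously uploaded HTML asset cannot run
    script with the viewer's privileges."""
    detected = autodetect_content_type(filename) or "application/octet-stream"
    return {
        "Content-Type": detected,
        "Content-Security-Policy": ASSET_CSP,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample uploads: one honest GIF, one HTML file declared as GIF.
    for name, declared in [("photo.gif", "image/gif"), ("evil.html", "image/gif")]:
        print(name, declared, "->", "accepted" if validate_upload(name, declared) else "rejected")
    print(asset_response_headers("evil.html"))
```

The second header set matters independently of the first check: the upload validation protects new uploads, while the CSP on the serving path also covers assets that were stored before the check existed.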

codecov Bot commented Jun 2, 2026

@cvat-bot cvat-bot Bot merged commit e030d92 into master Jun 2, 2026
36 checks passed
@cvat-bot cvat-bot Bot deleted the release-2.67.0 branch June 2, 2026 10:39