Update dependency distributed to v2026 [SECURITY]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
distributed	==2023.11.0 → ==2026.1.1

GitHub Vulnerability Alerts

CVE-2026-23528

Impact

When Jupyter Lab, jupyter-server-proxy and Dask distributed are all run together it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard.

It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel.

In order for a user to be impacted they must be running Jupyter Lab locally on the default port (with the jupyter-server-proxy) and a Dask distributed cluster on the default port. Then they would need to click the link which would execute the malicious code.

Patches

This has been fixed in the 2026.1.1 release. All users should upgrade to this version.

Mitigations

There are no known workarounds for this bug. The only complete solution is to upgrade to a newer release of Dask. However, there are a few things you could do to reduce your risk.

It is possible to avoid code execution via Jupyter by uninstalling the jupyter-server-proxy and accessing the Dask dashboard directly at it's URL. However, it is still possible for an attacker to craft a URL that executes JavaScript in the user's browser in the Dask dashboard. Which is still a moderate vulnerability. Therefore we recommend all users upgrade to the latest Dask release.

Another potential mitigation is to ensure both Jupyter and the Dask dashboard are running on non-standard ports. While this doesn't resolve the problem it reduces the chance of this being exploited. If an attacker knew which ports you were using they could still craft a malicious URL, but it would require a more targeted attack.

---

Release Notes

dask/distributed (distributed)

v2026.1.1

Compare Source

Changes

• No changes

See the Changelog for more information.

v2026.1.0

Compare Source

Changes

• Bump JamesIves/github-pages-deploy-action from 4.7.6 to 4.8.0 @​dependabot[bot] (#​9177)
• Clean up obsolete pins in CI @​crusaderky (#​9172)
• Fix incompatibility of pyparsing vs. packaging in mindeps CI @​crusaderky (#​9170)
• Bump mypy; fix mypy failure @​crusaderky (#​9171)
• Bump actions/upload-artifact from 5 to 6 @​dependabot[bot] (#​9166)
• Bump JamesIves/github-pages-deploy-action from 4.7.4 to 4.7.6 @​dependabot[bot] (#​9167)
• Bump actions/cache from 4 to 5 @​dependabot[bot] (#​9168)

See the Changelog for more information.

v2025.12.0

Compare Source

Changes

• Typing fixes @​jacobtomlinson (#​9159)
• Explicit setuptools-scm minimum version @​jacobtomlinson (#​9160)
• Enforce ruff rules (RUF) @​DimitriPapadopoulos (#​9153)
• Clean up MANIFEST.in @​DimitriPapadopoulos (#​9149)
• isort → ruff @​DimitriPapadopoulos (#​9152)
• Ruff supersedes absolufy-imports @​DimitriPapadopoulos (#​9154)
• Bump minimum supported toolz to 0.12.0 @​jrbourbeau (#​9151)
• flake8, bugbear, pyupgrade → ruff @​DimitriPapadopoulos (#​9147)
• Fix typos found by codespell @​DimitriPapadopoulos (#​9145)
• Clean up setuptools-specific configuration @​DimitriPapadopoulos (#​9150)
• PEP 639 compliance @​DimitriPapadopoulos (#​9146)
• Update black @​DimitriPapadopoulos (#​9148)
• Fix empty progress bar @​jacobtomlinson (#​9144)
• Bump JamesIves/github-pages-deploy-action from 4.7.3 to 4.7.4 @​dependabot[bot] (#​9139)
• Exclude broken tblib versions in CI @​jacobtomlinson (#​9141)

See the Changelog for more information.

v2025.11.0

Compare Source

Changes

• Replace versioneer with setuptools-scm @​jacobtomlinson (#​9137)
• Adapt worker and nanny to ipv6 @​csfldf (#​9133)
• Fix CI Multiple aliased keys in file /Users/runner/.condarc @​jacobtomlinson (#​9136)
• Remove pip pin for docs @​jrbourbeau (#​9132)
• Bump actions/upload-artifact from 4 to 5 @​dependabot[bot] (#​9130)
• Remove UCX configuration schema @​pentschev (#​9127)
• Add generic type support to Future and Client methods @​moi90 (#​9123)

See the Changelog for more information.

v2025.10.0

Compare Source

Changes

• Update docs theme and remove docs env pins @​jacobtomlinson (#​9125)
• Add worker name as prefix to ThreadPoolExecutor name @​maneesh29s (#​9120)
• Skip hanging SSH tests on Windows @​jacobtomlinson (#​9115)
• Fix uncaught error during CI startup debug info @​jacobtomlinson (#​9113)
• Prevent Task stream dashboard showing date @​guillaumeeb (#​9109)

See the Changelog for more information.

v2025.9.1

Compare Source

Changes

• Expose details in worker timeout exceptions @​nocnokneo (#​9092)
• pynvml -> nvidia-ml-py in CI @​jacobtomlinson (#​9111)

See the Changelog for more information.

v2025.9.0

Compare Source

Changes

• Bump actions/setup-python from 5 to 6 @​dependabot[bot] (#​9107)
• 🐛 Clean tuples dict keys from workers_info in /api/v1/retire_workers. @​fcourtial (#​8996)
• Remove protocol="ucx" support in favor of distributed-ucxx @​pentschev (#​9105)

See the Changelog for more information.

v2025.7.0

Compare Source

Changes

• Add config option for direct-to-workers @​jrbourbeau (#​9097)
• Ensure memray profiler runs on all workers @​jrbourbeau (#​9095)
• Update def to class typo in actors docs @​pfackeldey (#​9091)
• Bump conda-incubator/setup-miniconda from 3.1.1 to 3.2.0 @​dependabot[bot] (#​9090)
• Update persist in tests for async clients @​TomAugspurger (#​9089)
• Fix pyarrow FileInfo import @​jrbourbeau (#​9078)
• Make module name logic more resilient in \_always\_use\_pickle\_for @​jrbourbeau (#​9086)
• Temporarily pin pytest in CI to avoid coverage error @​jrbourbeau (#​9088)
• Remove s3fs from testing CI environment @​jrbourbeau (#​9087)
• Reuse Comm objects in Scheduler.broadcast @​TomAugspurger (#​9083)
• Fix test\_resubmit\_nondeterministic\_task\_different\_deps @​jrbourbeau (#​9085)

See the Changelog for more information.

v2025.5.1

Compare Source

Changes

• No changes

See the Changelog for more information.

v2025.5.0

Compare Source

Changes

• Use stable crick for py310 @​fjetter (#​9072)
• Remove internal dependencies mapping in update_graph @​fjetter (#​9036)
• [Regression] Allow Client.map to accept futures as args and kwargs @​fjetter (#​9071)
• Partially forgotten dependencies @​fjetter (#​9068)
• Replace filesystem-spec in CI environment with fsspec @​jrbourbeau (#​9069)
• Ensure actors set erred state properly in case of worker failure @​fjetter (#​9067)
• Refactor timeouts in start cluster @​fjetter (#​9062)
• Fix workers / threads / memory displayed in client repr @​jrbourbeau (#​9066)
• Pin pip for readthedocs @​fjetter (#​9063)
• Skip TLS functional tests test_nanny and test_retire_workers on linux @​fjetter (#​9061)
• Ensure client submit does not serialize unnecessarily @​fjetter (#​9057)

See the Changelog for more information.

v2025.4.1

Compare Source

Changes

• No changes

See the Changelog for more information.

v2025.4.0

Compare Source

Changes

• Improve error when submitting work from a closed client @​jrbourbeau (#​9049)
• Return a default value if address resolution fails @​penguinpee (#​9051)
• Avoid deepcopy when submitting graph @​fjetter (#​8633)
• Dynamically scale heartbeat and scheduler_info intervals @​fjetter (#​9046)
• Speed up process startup time by avoiding importing packages on version check @​fjetter (#​9048)
• Reduce size of scheduler_info @​fjetter (#​9045)
• Cache WorkerState host property @​fjetter (#​9044)
• clear ci env cache @​fjetter (#​9047)
• Remove deprecated PubSub @​fjetter (#​9039)
• Perform explicit culling step only if LLG is submitted @​fjetter (#​9040)
• Do not fully materialize global annotations by type @​fjetter (#​9035)
• Allow nested worker_client calls @​gsakkis (#​9038)
• Bump CI cache number @​fjetter (#​9037)
• Scheduler type annotations @​fjetter (#​9030)
• Reduce dask.order overhead by removing stripped_dep computation @​fjetter (#​9031)
• Use Expr instead of HLG @​fjetter (#​9008)

See the Changelog for more information.

v2025.3.0

Compare Source

Changes

• Fix badges in readme @​fjetter (#​9029)
• Properly forward cancellation reason @​fjetter (#​9028)
• Bokeh 3.7 compatibility @​fjetter (#​9026)
• Ensure FileInfo can be serialized @​fjetter (#​9025)
• Add ipykernel to skipped modules in code sampling @​mrocklin (#​9022)
• SpecCluster: add option to *not* shut down the scheduler when the cluster is closed @​nocnokneo (#​9021)
• Fix CI by using client.persist(collection) instead of collection.persist() @​hendrikmakait (#​9020)
• Add redirect from prefix root to status @​icykip (#​9015)
• Bump JamesIves/github-pages-deploy-action from 4.7.2 to 4.7.3 @​dependabot[bot] (#​9018)
• Fix CI: Remove bytes keys from tests @​jacobtomlinson (#​9017)

See the Changelog for more information.

v2025.2.0

Compare Source

Changes

• Remove traceback from sizeof failure warning @​jacobtomlinson (#​9006)
• Hotfix: Ignore negative occupancy @​hendrikmakait (#​9012)
• Remove expensive tokenization for key uniqueness check @​phofl (#​9009)
• Fix CI for changes in from_map @​phofl (#​9011)
• Avoid handling stale long-running messages on scheduler @​hendrikmakait (#​8991)
• Bump test_ucx::test_stress timeout @​TomAugspurger (#​9002)
• Poll in test_rmm_metrics test @​TomAugspurger (#​9004)
• Cache occupancy in WorkStealing.balance() @​hendrikmakait (#​9005)
• Homogeneous balancing by accounting for in-flight requests @​hendrikmakait (#​9003)
• Consistent estimation of task duration between stealing, adaptive and occupancy calculation @​hendrikmakait (#​9000)
• Increase default work-stealing interval by 10x @​hendrikmakait (#​8997)
• Remove Occupancy plot from status dashboard @​hendrikmakait (#​8995)
• Bump conda-incubator/setup-miniconda from 3.1.0 to 3.1.1 @​dependabot[bot] (#​8990)

See the Changelog for more information.

v2025.1.0

Compare Source

Changes

• Fix windows ci to avoid os.getuid @​phofl (#​8989)
• Use IO task marker in scheduling @​jrbourbeau (#​8950)
• Skip unwritable test if root @​TomAugspurger (#​8987)
• Enable UploadDirectory plugin to upload to scheduler @​hendrikmakait (#​8986)
• Handle SSLError in TCP comm @​jacobtomlinson (#​8983)
• pynvml compatibility @​TomAugspurger (#​8981)
• Handle Client(..., security=False) @​jacobtomlinson (#​8980)
• Removed big-endian sparse tests @​TomAugspurger (#​8982)
• Set usedforsecurity=False for md5 call in utils.color_of @​relativistic (#​8979)
• Remove subgraph callable @​fjetter (#​8956)
• Remove dependency on dedicated dask-expr repo @​hendrikmakait (#​8978)
• Skip big-endian floats in test_serialize_scipy_sparse if using scipy>=1.15.0 @​hendrikmakait (#​8977)
• Run dask with a matching interpreter @​cjwatson (#​8975)
• Remove unused "type: ignore" comment @​cjwatson (#​8976)
• Clean up tests after legacy DataFrame removal @​phofl (#​8972)
• Pin jupyter-events to avoid incompatibility with jupyter-server @​phofl (#​8971)
• Remove legacy DataFrame implementation @​phofl (#​8968)

See the Changelog for more information.

v2024.12.1

Compare Source

Changes

• Bump conda-incubator/setup-miniconda from 3.0.3 to 3.1.0 @​dependabot (#​8922)
• Pick random dashboard port in tests @​hendrikmakait (#​8965)
• Fix formatting for NoValidWorkerException message @​hendrikmakait (#​8967)
• Don't track TaskState instances unless validating @​hendrikmakait (#​8963)
• Support pynvml>=11.5 in WSL @​rjzamora (#​8962)
• Bump JamesIves/github-pages-deploy-action from 4.6.9 to 4.7.2 @​dependabot (#​8960)

See the Changelog for more information.

v2024.12.0

Compare Source

Changes

• Fix test_jupyter.py::test_shutsdown_cleanly @​hendrikmakait (#​8954)
• Install tornado from conda-forge in Python 3.13 CI @​jrbourbeau (#​8951)
• Restore retire workers API @​fjetter (#​8939)
• Properly convert finalize dependencies to references @​hendrikmakait (#​8949)
• Add support for Python 3.13 @​phofl (#​8904)
• Block fusion for barrier tasks @​phofl (#​8944)
• Remove infra/mentions of GPU CI @​charlesbluca (#​8946)
• Temporarily disable gpuCI update CI job @​jrbourbeau (#​8945)
• Remove recursion in task spec @​fjetter (#​8920)
• Less verbose log messages for remove and register worker @​fjetter (#​8938)
• Do not log full worker info in retire_workers @​fjetter (#​8935)

See the Changelog for more information.

v2024.11.2

Compare Source

Changes

• Bump JamesIves/github-pages-deploy-action from 4.6.8 to 4.6.9 @​dependabot (#​8931)
• Remove alias resolving to fix queuing @​phofl (#​8933)

See the Changelog for more information.

v2024.11.1

Compare Source

Changes

• Skip collecting coverage for CLI tests @​fjetter (#​8930)

See the Changelog for more information.

v2024.11.0

Compare Source

Changes

• Remove redundant methods in P2PBarrierTask @​fjetter (#​8924)
• fix skipif condition for test_tell_workers_when_peers_have_left @​fjetter (#​8929)
• Ensure ConnectionPool closes even if network stack swallows cancellation @​fjetter (#​8928)
• Fix flaky test_server_comms_mark_active_handlers @​fjetter (#​8927)
• Make assumption in P2P's barrier mechanism explicit @​hendrikmakait (#​8926)
• Adjust timeouts in jupyter cli test @​fjetter (#​8925)
• Add stimulus_id to SchedulerPlugin.update_graph hook @​hendrikmakait (#​8923)
• Reduce P2P transfer task overhead @​hendrikmakait (#​8912)
• Disable profiler on python 3.11 @​fjetter (#​8916)
• Fix test_restarting_does_not_deadlock @​fjetter (#​8849)
• Adjust popen timeouts for testing @​fjetter (#​8848)
• Add retry to shuffle broadcast @​fjetter (#​8900)
• Fix test_shuffle_with_array_conversion @​fjetter (#​8909)
• Refactor some tests @​fjetter (#​8908)
• Reflect graduation of dask-expr from dask-contrib to dask @​hendrikmakait (#​8911)
• Skip test_tell_workers_when_peers_have_left on py3.10 @​fjetter (#​8910)
• Internal cleanup of P2P code @​hendrikmakait (#​8907)
• Use Task class instead of tuple @​fjetter (#​8797)
• Increase connect timeout for test_tell_workers_when_peers_have_left @​fjetter (#​8906)
• Remove dispatching in TaskCollection @​fjetter (#​8903)
• Deduplicate scheduler requests in P2P @​hendrikmakait (#​8899)
• Add configurations for rootish taskgroup threshold @​phofl (#​8898)

See the Changelog for more information.

v2024.10.0

Compare Source

Changes

• Make P2P more configurable @​hendrikmakait (#​8469)
• Fit Dashboard worker table to page width @​jacobtomlinson (#​8897)
• Raise helpful error when using the wrong plugin base classes @​jacobtomlinson (#​8893)
• Fix doc build @​phofl (#​8892)
• Fix url escaping on exceptions dashboard for non-string keys @​phofl (#​8891)
• Explicitly list setuptools as a build dependency in conda recipe @​charlesbluca (#​8890)
• Avoid spurious error log in Adaptive @​hendrikmakait (#​8887)
• Add meaningful error for out of disk exception during write @​hendrikmakait (#​8886)
• Bump JamesIves/github-pages-deploy-action from 4.6.4 to 4.6.8 @​dependabot (#​8880)
• Switch from mambaforge to miniforge in CI @​jrbourbeau (#​8881)

See the Changelog for more information.

v2024.9.1

Compare Source

Changes

• Don't stop Adaptive on error @​hendrikmakait (#​8871)
• Update gpuCI RAPIDS_VER to 24.12 @​github-actions (#​8879)
• Don't consider scheduler idle while executing Scheduler.update_graph @​hendrikmakait (#​8877)
• Bump jacobtomlinson/gha-anaconda-package-version from 0.1.3 to 0.1.4 @​dependabot (#​8878)
• Support P2P rechunking datetime arrays @​jrbourbeau (#​8875)

See the Changelog for more information.

v2024.9.0

Compare Source

Changes

• Homogeneously schedule P2P's unpack tasks @​hendrikmakait (#​8873)
• Work/fix firewall for localhost @​maldag (#​8868)
• Bump bokeh minimum version to 3.1.0 @​jrbourbeau (#​8861)
• Use new tokenize module @​jrbourbeau (#​8858)
• Point to user code with idempotent plugin warning @​jrbourbeau (#​8856)
• Fix test nanny timeout @​fjetter (#​8847)
• Bump JamesIves/github-pages-deploy-action from 4.5.0 to 4.6.4 @​dependabot (#​8853)
• Speed up Client.map by computing token only once for func and kwargs @​fjetter (#​8855)
• Update precommit @​fjetter (#​8852)

See the Changelog for more information.

v2024.8.2

Compare Source

Changes

• Avoid capturing code of xdist @​fjetter (#​8846)
• Reduce memory footprint of culling P2P rechunking @​hendrikmakait (#​8845)
• Add tests for choosing default rechunking method @​hendrikmakait (#​8843)
• Increase visibility of GPU CI updates @​charlesbluca (#​8841)
• Bump test_pause_while_idle timeout @​fjetter (#​8844)
• Concatenate small input chunks before P2P rechunking @​hendrikmakait (#​8832)
• Remove dump cluster from gen_cluster @​fjetter (#​8823)
• Bump numpy>=1.24 and pyarrow>=14.0.1 minimum versions @​jrbourbeau (#​8837)
• Fix PipInstall plugin on Worker @​hendrikmakait (#​8839)
• Remove more Python 3.10 compatibility code @​jrbourbeau (#​8824)
• Use task-based rechunking to prechunk along partial boundaries @​hendrikmakait (#​8831)
• Ensure client_desires_keys does not corrupt Scheduler state @​fjetter (#​8827)
• Bump minimum cloudpickle to 3 @​jrbourbeau (#​8836)

See the Changelog for more information.

v2024.8.1

Compare Source

Changes

• Reduce frequency of unmanaged memory use warning @​phofl (#​8834)
• Update gpuCI RAPIDS_VER to 24.10 @​github-actions (#​8786)
• Avoid RuntimeError: dictionary changed size during iteration in Server._shift_counters() @​hendrikmakait (#​8828)
• Improve concurrent close for scheduler @​hendrikmakait (#​8829)
• MINOR: Extract truncation logic out of partial concatenation in P2P rechunking @​hendrikmakait (#​8826)
• Avoid excessive attribute access overhead for remove_from_task_prefix_count @​fjetter (#​8821)
• Avoid key validation if validation is disabled @​fjetter (#​8822)
• Log worker\_client event @​jrbourbeau (#​8819)
• Drop support for Python 3.9 @​phofl (#​8793)

See the Changelog for more information.

v2024.8.0

Compare Source

Changes

• Run graph normalisation after dask order @​phofl (#​8818)
• Update large graph size warning to remove scatter recommendation @​phofl (#​8815)
• Fail tasks exceeding no-workers-timeout @​hendrikmakait (#​8806)
• Fix exception handling for NannyPlugin.setup and NannyPlugin.teardown @​hendrikmakait (#​8811)
• Fix exception handling for WorkerPlugin.setup and WorkerPlugin.teardown @​hendrikmakait (#​8810)
• Fix typo in transitions event logging @​alex-rakowski (#​8812)
• Fix if-else for send_recv_from_rpc @​phofl (#​8809)
• Ensure that adaptive only stops once @​hendrikmakait (#​8807)
• Reduce noise from GC-related logging @​hendrikmakait (#​8804)
• Remove unused delete_interval and synchronize_worker_interval from Scheduler @​hendrikmakait (#​8801)
• Change log level for Compute Failed log message @​phofl (#​8802)
• Add Prometheus metric for time spent on GC @​hendrikmakait (#​8803)
• Add Prometheus metrics for dask_scheduler_workers_{added|removed}_total @​hendrikmakait (#​8798)
• Add log event for worker-ttl-timeout @​hendrikmakait (#​8800)
• Add Prometheus metrics for dask_scheduler_client_connections_{added|removed}_total @​hendrikmakait (#​8799)
• Fix restarting workers with PackageInstall plugin @​hendrikmakait (#​8794)
• Make stealing more robust @​hendrikmakait (#​8788)
• leave a warning about future instantiation @​fjetter (#​8782)

See the Changelog for more information.

v2024.7.1

Compare Source

Changes

• Ensure Locks always register with scheduler @​fjetter (#​8781)
• Temporarily pin setuptools \< 71 @​jrbourbeau (#​8785)
• Restore len() on TaskPrefix @​hendrikmakait (#​8783)
• Avoid false positives for p2p-failed log event @​hendrikmakait (#​8777)
• Expose paused and retired workers separately in prometheus @​phofl (#​8613)
• Creating transitions-failures log event @​alex-rakowski (#​8776)
• Implement HLG layer for P2P rechunking @​hendrikmakait (#​8751)
• Ensure Lock will not lock up in case of worker failures @​fjetter (#​8770)
• Add another test for a possible deadlock scenario caused by #​8703 @​hendrikmakait (#​8769)
• Raise an error if compute on persisted collection with released futures @​fjetter (#​8764)
• Re-raise P2PConsistencyError from failed P2P tasks. @​hendrikmakait (#​8748)
• Robuster faster tests memory sampler @​fjetter (#​8758)
• fix scheduler_bokeh::test_shuffling @​fjetter (#​8766)
• increase timeouts for pubsub::test_client_worker @​fjetter (#​8765)
• Factor out async taskgroup @​fjetter (#​8756)
• Don't sort keys lexicographically in worker table @​fjetter (#​8753)
• Use functools.cache instead of functools.lru_cache for url_escape & _expects_comm @​jonded94 (#​8762)
• Robuster deeply nested structures @​fjetter (#​8730)
• Adding HLG to MAP @​alex-rakowski (#​8740)
• Add close worker button to worker info page @​jrbourbeau (#​8742)

See the Changelog for more information.

v2024.7.0

Compare Source

Changes

• Fix assert\_eq import from cudf @​jrbourbeau (#​8747)
• Log traceback upon task error @​hendrikmakait (#​8746)
• Update system monitor when polling Prometheus metrics @​hendrikmakait (#​8745)
• Bump pandas to 2.0 in mindeps build @​jrbourbeau (#​8743)
• Refactor event logging functionality into broker @​hendrikmakait (#​8731)
• Drop support for pandas 1.X @​hendrikmakait (#​8741)
• Remove is_python_shutting_down @​hendrikmakait (#​8492)
• Fix test_task_state_instance_are_garbage_collected @​hendrikmakait (#​8735)
• Fix flake in test_deadline caused by floating-point inaccuracy @​hendrikmakait ([#&Submitting Python function which sleeps too long always fails #820

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.