Merge consensus jobs #1

Closed
wants to merge 30 commits into from
Viditagarwal7479
Owner

Same as cvat-ai#8042 just shows the changes which aren't in cvat-ai#7974

novda and others added 30 commits June 6, 2024 14:18
<!-- Raise an issue to propose your change
(https://github.com/cvat-ai/cvat/issues).
It helps to avoid duplication of efforts from multiple independent
contributors.
Discuss your ideas with maintainers to be sure that changes will be
approved and merged.
Read the [Contribution guide](https://docs.cvat.ai/docs/contributing/).
-->

<!-- Provide a general summary of your changes in the Title above -->

### Motivation and context
<!-- Why is this change required? What problem does it solve? If it
fixes an open
issue, please link to the issue here. Describe your changes in detail,
add
screenshots. -->

Skeletons are not supported in this format

### How has this been tested?
<!-- Please describe in detail how you tested your changes.
Include details of your testing environment, and the tests you ran to
see how your change affects other areas of the code, etc. -->

### Checklist
<!-- Go over all the following points, and put an `x` in all the boxes
that apply.
If an item isn't applicable for some reason, then ~~explicitly
strikethrough~~ the whole
line. If you don't do that, GitHub will show incorrect progress for the
pull request.
If you're unsure about any of these, don't hesitate to ask. We're here
to help! -->
- [ ] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment <!-- see top comment in CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [ ] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **Documentation**
  - Updated the `Datumaro 1.0` format to support `Tags` instead of `Tracks`.
  - Expanded documentation to include support for additional annotation types like Polylines, Masks, Points, Cuboids, and Tags in both export and import operations.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

### Motivation and context
Resolved cvat-ai#7909
Resolved cvat-ai#7850

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [x] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.



## Summary by CodeRabbit

- **Bug Fixes**
  - Addressed a significant memory leak issue by ensuring `ImageBitmap` objects are properly closed after use.
  - Updated various components to handle cleanup and termination of workers and instances correctly, preventing potential resource leaks.

- **Version Updates**
  - Updated `cvat-canvas` to version 2.20.3.
  - Updated `cvat-core` to version 15.0.6.
  - Updated `cvat-data` to version 2.1.0.

…vat-ai#8004)

Remove several fields that haven't been used for one reason or another:

* `labels` and `attributes` have been replaced by `labels_v2`. Keeping
them around nearly triples the response length.

* `framework` hasn't been used by the UI since cvat-ai#5635, and IMO was never
useful to begin with. There are no decisions that the UI can take based
on this field, so it's essentially just a freeform text field, and we
already have a freeform text field - `description`. (Which... the UI
doesn't display either. But it could!)

Remove the `framework` field from the function descriptions as well,
since it has no other purpose.

* `state` has, as far as I could determine, never been used by the UI. I
could see a field like this potentially being useful (e.g. the UI could
still display a function, but prevent it from being used if it's
unavailable), but since none of that is implemented right now, I see no
reason to have this field in the API.
Updated number of members

## Summary by CodeRabbit

- **Documentation**
  - Updated details for the Solo and Team plans on CVAT.ai:
    - Solo Plan: Adjusted the number of members allowed from "up to 3 members" to "up to 2 members".
    - Team Plan: Adjusted the number of members required to pay for from "4 seats (3 annotators + 1 organization owner)" to "3 seats (2 annotators + 1 organization owner)".

S3 storages support user-specified endpoint URLs, and Azure storages support
user-specified connection strings (which can contain endpoint URLs), so they
are susceptible to SSRF. Make S3 and Azure requests go through smokescreen
to fix this.

AFAIK, there is no way to configure a custom URL for Google Cloud storages,
so those aren't vulnerable.

Co-authored-by: Nikita Manovich <nikita@cvat.ai>
* Mitigate a CSRF vulnerability in export and backup-related endpoints

While Django has built-in CSRF protection (which we use), it does not cover
GET requests, and AFAICS, there is no way to force it to do that.
Unfortunately, the many endpoints that initiate dataset exports and backups
do accept GET requests _and_ initiate side effects, making them susceptible.

The proper fix for this issue would be to redesign those endpoints to use
POST requests, but a) that's more complicated, and b) we should still keep
the old endpoints for backwards compatibility.

So apply a less proper fix, which is to disable session authentication for
the affected endpoints. It's a bit complex, because in some cases
(particularly when `action=download`) we _need_ session authentication to
work, because the UI redirects the user to such endpoints.

In addition, modify the handling logic for these endpoints in order to
ensure that when `action=download`, no side effects are triggered.
Previously, `action=download` would still queue an RQ job if none existed.

Even after this, `action=download` will still have two small side effects:

* An existing RQ job will be deleted if its results are out of date.
  I don't think this is a problem, because such a job cannot be used anyway.

* A completed RQ job will be deleted too. This is a problematic design,
  but I don't think an attacker can achieve anything by exploiting this. If
  an attacker maliciously redirects the user to an `action=download` URL,
  then they'll just download the export/backup as usual.

Some tests were making export requests incorrectly, so fix them.

* Add test for the CSRF workaround
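
Added example, not code from this pull request or from CVAT: a plain-Python model of the workaround the commit message above describes, where session cookies authenticate a GET only when `action=download` and the download path never queues work. The names `Request`, `ExportQueue`, `authenticate`, `export_endpoint` and the status codes are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    query: dict
    session_user: Optional[str] = None  # browser attached a session cookie
    token_user: Optional[str] = None    # client sent an explicit token header


@dataclass
class ExportQueue:
    jobs: dict = field(default_factory=dict)  # (user, task) -> "queued" | "finished"


def authenticate(request: Request) -> Optional[str]:
    """Tokens always count; session cookies count only for action=download."""
    if request.token_user:
        return request.token_user
    if request.session_user and request.query.get("action") == "download":
        return request.session_user
    return None


def export_endpoint(request: Request, queue: ExportQueue, task_id: int):
    """Model a GET on an export endpoint; returns (status, body)."""
    user = authenticate(request)
    if user is None:
        # A cross-site GET carries only the cookie, so it stops here.
        return 401, "authentication required"
    key = (user, task_id)
    state = queue.jobs.get(key)
    if request.query.get("action") == "download":
        # Download path: serve a finished result, never enqueue new work.
        if state == "finished":
            del queue.jobs[key]  # the completed job is consumed
            return 200, f"export of task {task_id}"
        return 404, "no finished export"
    if state is None:
        queue.jobs[key] = "queued"  # the side effect CSRF must not reach
        return 202, "export queued"
    if state == "finished":
        return 201, "export ready"
    return 202, "export in progress"
```

A request that carries only a cookie and no `action=download` is rejected before it can queue a job, which is the case a forged cross-site GET falls into.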
I'd like the "kind" field in the API to identify the function's
"signature", or the types of values it receives as input and produces as
output. Classifiers have the same signature as detectors, so
`classifier` is a redundant value.

Besides improving semantic purity, removing this redundant value
simplifies the UI code.

The only meaningful difference between how the UI handles classifiers,
as compared to detectors, is that it shows the word "classifier" in the
model modal, which can be helpful. But we can achieve the same thing by
examining the function's `return_type` field. This lets us give a
special label to segmentation functions, as well.

"classifier" can't actually be returned by `/api/lambda/functions`, but
it _can_ be returned by the RoboFlow/Hugging Face function API in CVAT
Enterprise. So we'll need a small compatibility shim to transform this
value to "detector" until I fix that API to stop returning it too.
@Viditagarwal7479 Viditagarwal7479 marked this pull request as draft June 18, 2024 01:18
@Viditagarwal7479 Viditagarwal7479 marked this pull request as ready for review June 18, 2024 01:23
7 participants