@jazzlyn-bot jazzlyn-bot bot commented Nov 8, 2025

This PR contains the following updates:

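| Package                 | Type                 | Update | Change                 | OpenSSF           |
| ----------------------- | -------------------- | ------ | ---------------------- | ----------------- |
| ultralytics (changelog) | project.dependencies | patch  | ==8.3.225 -> ==8.3.226 | OpenSSF Scorecard |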

Release Notes

ultralytics/ultralytics (ultralytics)

v8.3.226: - ultralytics 8.3.226 ♻️ Replace eval() with ast.literal_eval() for security (#22597)

Compare Source

🌟 Summary

Security-first release that replaces unsafe eval() with safe parsing across the codebase, alongside quality-of-life upgrades: custom Albumentations in Python API, simplified NCNN export via PNNX, multi-GPU training stability fixes, and improved installer/logging and docs. 🔒⚙️

📊 Key Changes

  • Security & Parsing (priority)

    • Replaced all eval() usage with ast.literal_eval() for safe, deterministic parsing in config, loaders, image size checks, and Triton utils. 🔐
    • Notable spots:
      • cfg.smart_value() now uses ast.literal_eval()
      • Webcam source strings like "0" parsed as int safely
      • imgsz strings like "[640, 640]" parsed securely
      • Triton model metadata parsed via ast.literal_eval()
  • Data Augmentation

    • Python API now supports custom Albumentations transforms via a new augmentations parameter in model.train(...). 🎨
    • Docs updated with examples and advanced usage guidance.
  • Export/Deployment

    • NCNN export now uses the Python PNNX package directly (no external binary download, no implicit ONNX export). 🧩
    • Logs include PNNX version; simpler, more reliable NCNN pipeline.
  • Training & Stability

    • Fixed DDP crash when running with val=False by ensuring final_epoch is always defined; added CUDA test coverage. 🧪
    • Analytics charts now apply safe Matplotlib settings by default for consistent plotting across environments.
  • Installation & Tooling

    • Improved check_requirements() logs and error handling, especially with the uv package manager (stderr merged into stdout; better fallback behavior). 📦
    • CI link checks: increased retry delay for fewer flaky failures. 🔗
  • Docs & UX

    • Added a Colab badge and ready-to-run notebook link for training YOLO11 on KITTI. 🚀
    • Broad link hygiene: standardized YouTube, Coral/Google, PyTorch, TorchVision, W&B, and Sony Aitrios URLs; readability and minor code sample fixes across guides.
    • Small UI and example fixes in interactive tracking and docs JS.

🎯 Purpose & Impact

  • Safer by default

    • Eliminates arbitrary code execution risks from eval(), making config and input parsing safer and more predictable. 🛡️
    • Potential minor behavior change: non-literal inputs that previously “worked” with eval() will now remain strings or raise handled errors—more deterministic and secure.
  • Better training experience

    • Custom Albumentations in Python lets you tune augmentations precisely for your domain without touching CLI/YAML. Great for medical, aerial, and industrial use cases. 🧪
    • DDP fix prevents rare crashes in multi-GPU runs when disabling validation, improving robustness for fast iteration.
  • Smoother export and deployment

    • NCNN via PNNX Python API simplifies the toolchain—no external binary management, fewer moving parts, and clearer logs. 📦➡️📱
  • More reliable tooling and docs

    • Clearer install logs (pip/uv), fewer flaky CI link failures, and a new KITTI Colab quickstart make onboarding and troubleshooting easier. 📘⚡

Example: Using custom Albumentations in Python API

import albumentations as A
from ultralytics import YOLO

model = YOLO("yolo11n.pt")
custom_transforms = [
    A.Blur(blur_limit=7, p=0.5),
    A.CLAHE(clip_limit=4.0, p=0.5),
]
model.train(data="coco8.yaml", epochs=100, imgsz=640, augmentations=custom_transforms)

Helpful links:

  • Learn custom Albumentations usage in the updated guide: YOLO Data Augmentation
  • NCNN export overview using PNNX: NCNN Export Guide
  • Train YOLO11 on KITTI in one click: KITTI Colab Notebook

What's Changed

Full Changelog: ultralytics/ultralytics@v8.3.225...v8.3.226


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

| datasource | package     | from    | to      |
| ---------- | ----------- | ------- | ------- |
| pypi       | ultralytics | 8.3.225 | 8.3.226 |
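
The eval() to ast.literal_eval() change described in the release notes above, as an added example that is not part of the PR and is not Ultralytics' code: it contrasts the two parsing patterns on constructed inputs and shows that literal parsing still needs type validation. The names `legacy_parse`, `parse_value`, `parse_imgsz` and `tracer` are hypothetical.

```python
import ast

SIDE_EFFECTS = []  # records whether parsed text got executed as code


def tracer():
    """Harmless stand-in for any callable reachable from an evaluated string."""
    SIDE_EFFECTS.append("code ran")
    return 640


def legacy_parse(text):
    """'Before' pattern: eval() runs any expression found in the input."""
    try:
        return eval(text)
    except Exception:
        return text


def parse_value(text):
    """'After' pattern: accept Python literals only; anything else stays a string."""
    stripped = text.strip()
    keywords = {"none": None, "true": True, "false": False}
    if stripped.lower() in keywords:
        return keywords[stripped.lower()]
    try:
        return ast.literal_eval(stripped)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return text


def parse_imgsz(text):
    """Literal parsing removes code execution, not bad shapes: validate the type too."""
    value = parse_value(text)
    items = [value] if isinstance(value, int) else value
    if (isinstance(items, (list, tuple)) and items
            and all(type(v) is int and v > 0 for v in items)):
        return list(items)
    raise ValueError(f"imgsz must be a positive int or list of ints: {text!r}")


if __name__ == "__main__":
    # Constructed sample inputs: webcam index, imgsz list, keyword, path, expression.
    for sample in ["0", "[640, 640]", "True", "yolo11n.pt", "tracer()"]:
        print(f"{sample!r:14} eval={legacy_parse(sample)!r:14} literal={parse_value(sample)!r}")
    print("side effects from eval:", SIDE_EFFECTS)
```
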
@jazzlyn-bot jazzlyn-bot bot force-pushed the renovate/ultralytics-8.x branch from 91b8620 to c562dd7 Compare November 8, 2025 12:14
@jazzlyn-bot jazzlyn-bot bot merged commit c4cee08 into main Nov 9, 2025
1 check passed
@jazzlyn-bot jazzlyn-bot bot deleted the renovate/ultralytics-8.x branch November 9, 2025 00:44