Advisories for Pypi/Tqdm package

Any optional non-boolean CLI arguments (e.g. –delim, –buf-size, –manpath) are passed through python's eval, allowing arbitrary code execution. Example: python -m tqdm –manpath="" + str(exec("import os\nos.system('echo hi && killall python3')")) + ""

The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.