Happy Friday everyone! May the 4th be (almost) with you. Here's some news from the world of R this week:
- DangeR?: researchers at HiddenLayer have found a potential vulnerability in R < 4.4.0, which allows arbitrary code execution when an RDS file is loaded. The exploit involves returning a promise using the headers of the file. The vulnerability is claimed to have been fixed in the latest version of R.
- The RDS-ponse: the response to the vulnerability mentioned above has been mixed, with many of the opinion that it isn't a vulnerability at all and/or hasn't been resolved in the latest version of R, as it is still possible to execute malicious code when an RDS file is read in. The general consensus is that you should always be very wary when reading in RDS files from an unknown source. Bob Rudis has started working on an 'rdaradar' tool for sanity-checking unknown R data files. See the README of that project for an explanation of why it might not be considered a vulnerability, and how these types of files can still be used in malicious attacks.
- They have consequences: Rami Krispin has released a new LinkedIn Learning course for setting up automation with GitHub Actions using both R and Python. It looks to be a great starting point for anyone wanting to automate some tedious or troublesome tasks!
- Tidy update: the {tidymodels} team have published a Q1 2024 roundup post, highlighting all the changes to their packages in the first few months of 2024. The article also highlights some of the key changes and new package versions.
- Fun fact: did you know Florian Rupprecht has a GitHub site for tracking incoming CRAN packages? You can use it to see packages which have been submitted to CRAN and where they are in the approval process.
- {nanonext} 1.0.0: Charlie Gao has - with contributions from Joe Cheng - released the first major version of this exciting package, which includes integration with {later}.
- {webR} 0.3.3: improvements to version identification and bug fixes.
I post updates like this every week, so if you're interested, feel free to follow. Comment below if there's something interesting you found out this week too!