Update dependency streamlit to v1.37.0 [SECURITY]

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
streamlit (source, changelog)	==1.2.0 -> ==1.37.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-35918

Impact

Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.

An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.

Patches

On July 27th at 2:20PM PST we rolled out a patch in release 1.11.1. This patch ensures that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. We have notified the Streamlit community and popular hosting providers about this issue so they can patch quickly. As a precautionary measure, we are also upgrading all users on Streamlit Cloud wherever possible. We continue to check other occurrences of this vulnerability and monitor potential exploits wherever we can.

Finally, as a general security practice, we recommend users review custom components for any malicious code before using them in their apps. Following security best practices such as running web servers with low privileges, firewalls, etc. for hosting your apps, helps in mitigating the severity of such exploits.

Workarounds

None.

References

• https://docs.google.com/document/d/e/2PACX-1vRzF9K6gwv9KnQz---1pt0SdHMVt-CHuKMmdTH1uct7xPcK7vToP4FvYdI84aO6rGfCmrBSaViri0Nd/pub

For more information

If you have any questions or comments about this advisory:

• Email us at security@streamlit.io

GHSA-8qw9-gf7w-42x5

Impact

The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted, which could still potentially expose certain files on the server file-system under specific conditions.

Patches

We released an update in version 1.30.0 to further tighten security measures. Users are strongly advised to update to version 1.30.0 immediately for optimal security.

Workarounds

No additional workarounds are necessary once the update to version 1.30.0 is applied.

For more information

If you have any questions or comments about this advisory:

• Email us at security@streamlit.io

CVE-2024-42474

1. Impacted Products

Streamilt Open Source versions before 1.37.0.

2. Introduction

Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

3. Path Traversal Vulnerability

3.1 Description

On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of 5.9

3.2 Scenarios and attack vector(s)

Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit.

3.3 Resolution

The vulnerability has been fixed in all Streamlit versions released since Jul 25, 2024. We recommend all users upgrade to Version 1.37.0.

4. Contact

Please contact security@snowflake.com if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

---

Release Notes

streamlit/streamlit (streamlit)

v1.37.0

Compare Source

What's Changed

New Features 🎉

• Stacking options - st.bar_chart by @​mayagbarnes in #​8945
• Support graphviz.sources.Source object for st.graphviz_chart by @​sfc-gh-kbregula in #​8993
• Add support for material icons in markdown by @​LukasMasuch in #​8889
• Fix lag when closing dialog by @​raethlein in #​9023
• Stacking options - st.area_chart by @​mayagbarnes in #​8992
• Add feedback widget by @​raethlein in #​8915
• READ only headers and cookies by @​kajarenc in #​8976
• De-experimentalize st.fragment by @​vdonato in #​9019
• De-experimentalize st.dialog by @​raethlein in #​9020

Bug Fixes 🐛

• Show fragment errors in fragment-path for main app runs by @​raethlein in #​8868
• Fix st.rerun fragment thread reuse issue by @​raethlein in #​8798
• Support non-unix style paths for MPA loading by @​kmcgrady in #​8988
• Set theme hash properly on load if a custom theme is active to start by @​kmcgrady in #​8989
• Don't remove session refs on fragment runs by @​vdonato in #​9010
• Improvements to NumberInput formatting by @​sfc-gh-nbellante in #​9035
• Hide all Particles upon printing by @​sfc-gh-nbellante in #​9053
• Fix: MPA support of custom themes by @​mayagbarnes in #​8994
• st.switch_page clears non-embed query params by @​mayagbarnes in #​9059
• Fix secrets.toml Windows Path Bug by @​sfc-gh-nbellante in #​9061
• Bugfix: Fixes two st.map width bugs by @​sfc-gh-nbellante in #​9070
• Validate the path using Tornado before performing checks by @​kmcgrady in #​8990
• Reset ctx.current_fragment_id to last ID instead of None by @​vdonato in #​9114

Other Changes

• Update emojis used for validation by @​LukasMasuch in #​8923
• Add support for numpy 2.x by @​LukasMasuch in #​8940
• Remove a bunch of deprecated experimental features by @​vdonato in #​8943
• Migrate custom icons from material outlined to rounded by @​LukasMasuch in #​8998
• Remove old config options - part 1 by @​mayagbarnes in #​9005
• Remove old config options - part 2 by @​mayagbarnes in #​9013
• Remove deprecation.showPyplotGlobalUse config option by @​LukasMasuch in #​9018
• Fix broken st.navigation docstring by @​mahotd in #​9027
• Update the feedback widget design by @​raethlein in #​9094

New Contributors

• @​Dev-iL made their first contribution in #​8947
• @​quant12345 made their first contribution in #​8968
• @​mahotd made their first contribution in #​9027

Full Changelog: streamlit/streamlit@1.36.0...1.37.0

v1.36.0

Compare Source

What's Changed

Breaking Changes 🛠

• Remove legacy caching logic by @​LukasMasuch in #​8737
• Deprecate the experimental_allow_widgets caching parameter by @​LukasMasuch in #​8817

New Features 🎉

• Allow passing on_change_callback for CustomComponents by @​raethlein in #​8633
• Use raw number for number column overlay and copy by @​LukasMasuch in #​8708
• Introduce st.navigation and st.Page by @​kmcgrady in #​8744
• Make st.write call st.json to display Streamlit secrets object by @​snehankekre in #​8659
• Streamlit Charts: Customizable Axis Labels by @​mayagbarnes in #​8846
• Add vertical alignment parameter to st.columns by @​LukasMasuch in #​8568
• Add icon parameter to st.expander by @​snehankekre in #​8716
• Use the default widget height for non-stacked checkbox & toggle widgets by @​LukasMasuch in #​8835
• Horizontal st.bar_chart by @​mayagbarnes in #​8877

Bug Fixes 🐛

• Remove non-existent kwargs in ast.Call() call by @​JelleZijlstra in #​8711
• Don't instantiate the LocalSourcesWatcher if file watching is disabled by @​vdonato in #​8741
• Make the session state writes disallowed message more generic by @​LukasMasuch in #​8720
• Ensure SessionInfo is set before performing an action by @​kmcgrady in #​8779
• Unify the minimum height of most element by @​LukasMasuch in #​8797
• Don't allow writing widgets outside the fragment by @​raethlein in #​8756
• Fix element replay regression for plotly charts by @​LukasMasuch in #​8770
• Improve exception text when selectbox index larger than options by @​LukasMasuch in #​8775
• Prevent images in markdown to go beyond the container width by @​LukasMasuch in #​8794
• Ensure current page script hash and active script hash is correct at script start by @​kmcgrady in #​8830
• Revert "Handle Altair resolve_scale (#​8497)" by @​kmcgrady in #​8845
• Update custom-components import paths and tests by @​raethlein in #​8666
• Raise exception if st.Page is given an invalid path by @​vdonato in #​8878

Other Changes

• Explicitly export experimental_dialog by @​raethlein in #​8728
• Remove default value for title of dialog_decorator by @​raethlein in #​8729
• Docstrings for 1.35.0 (and type consistency for charts) by @​sfc-gh-dmatthews in #​8740
• Migrate streamlit hello to MPAv2 by @​kmcgrady in #​8806
• Fix use_container_width docstring when default is True by @​LukasMasuch in #​8809
• Allow protobuf v5 as dependency by @​LukasMasuch in #​8627
• Fix: Remove title appending · Streamlit by @​mayagbarnes in #​8900

New Contributors

• @​JelleZijlstra made their first contribution in #​8711

Full Changelog: streamlit/streamlit@1.35.0...1.36.0

v1.35.0

Compare Source

What's Changed

New Features 🎉

• Add support for selections to st.plotly_chart by @​willhuang1997 in #​8191
• feat: support set mysql connection query from secrets.toml by @​LucianLiu6 in #​8581
• Feature: st.logo by @​mayagbarnes in #​8554
• Material icon for st.page_link by @​kajarenc in #​8593
• Add dataframe row and column selections by @​LukasMasuch in #​8411
• Add support for selections to st.altair_chart & st.vega_lite_chart by @​willhuang1997 in #​8302

Bug Fixes 🐛

• Fix standalone custom-component execution by @​raethlein in #​8620
• Clear stale elements when st.rerun() is used by @​vdonato in #​8599
• Focus chat input after the submit button is pressed by @​kmcgrady in #​8637
• fix: #​8500 bypass StrEnum 'index' to make position-indexable by @​97k in #​8622
• Update scroll-margin-top by @​raethlein in #​8641
• Fix cell error when data editor gets reconstructed by @​LukasMasuch in #​8640
• Ensure that column config is cloned by @​LukasMasuch in #​8677
• Add fallback method for CSV download by @​LukasMasuch in #​8452

Other Changes

• Bump mheap/github-action-required-labels from 5.4.0 to 5.4.1 by @​dependabot in #​8582
• Remove fullscreen button for st.table by @​LukasMasuch in #​8621
• Improve typing for query params .update and .from_dict by @​Asaurus1 in #​8614
• Improve anchor button visualization for titles and headings by @​raethlein in #​8587
• Allow protobuf v5 by @​mark-thm in #​8624
• Stabilize the vega-lite spec for altair-based charts by @​LukasMasuch in #​8628
• Update address output in headless mode by @​raethlein in #​8647
• Revert "Allow protobuf v5" by @​raethlein in #​8701

New Contributors

• @​LucianLiu6 made their first contribution in #​8581
• @​mark-thm made their first contribution in #​8624
• @​97k made their first contribution in #​8622

Full Changelog: streamlit/streamlit@1.34.0...1.35.0

v1.34.0

Compare Source

What's Changed

New Features 🎉

• Add st.experimental_dialog by @​raethlein in #​8040
• from_dict for query params by @​Asaurus1 in #​8470
• Improve period type support in st.dataframe and st.data_editor by @​LukasMasuch in #​7987
• Add ability to clear cache for specific function arguments by passing args to <cached_func>.clear() by @​OscarSaharoy in #​8297
• Add support for autoplaying st.audio and st.video media by @​snehankekre in #​8481
• Support background colors for text by @​snehankekre in #​8435
• Non-emoji icons by @​kajarenc in #​8307
• Add support for Modin and Snowpark Pandas by @​LukasMasuch in #​8506
• Enable the usage of the pydeck-carto package with st.pydeck_chart by @​vdonato in #​8422

Bug Fixes 🐛

• Offset dates in vega if no timezone information is attached. by @​kmcgrady in #​8278
• Fix issues with fragments writing to containers and the sidebar by @​vdonato in #​8408
• Produce python error for slider min=max by @​AnOctopus in #​8413
• Make check for component ready dynamic by @​kmcgrady in #​8434
• Update Auto Theme after print dialog if necessary by @​kmcgrady in #​8469
• Reset widget state on page change by @​AnOctopus in #​8425
• Switch back to using undeprecated pillow constant by @​vdonato in #​8492
• Fix double script/callback run when replacing a file by @​vdonato in #​8493
• Handle Altair vconcat with use_container_width by @​kmcgrady in #​8498
• Fix empty state for st.status by @​LukasMasuch in #​8369
• Fix st.multiselect usage with empty sets or tuples by @​LukasMasuch in #​8471
• Handle Altair resolve_scale by @​kmcgrady in #​8497
• Adjust default date for st.date_input if today's date is out of bounds by @​vdonato in #​8519
• Handle setting session state keys to None for supported widgets by @​vdonato in #​8529
• Fix empty generator usage with st.write_stream by @​LukasMasuch in #​8560

Other Changes

• Update modal styles by @​raethlein in #​8274
• Move toasts to top right and make them prettier by @​sfc-gh-tteixeira in #​8433
• Fix escaping in docstrings by @​vdonato in #​8510
• Fix blank space print by @​raethlein in #​8502
• Remove snowflake extras python restriction by @​LukasMasuch in #​8538

New Contributors

• @​Lundez made their first contribution in #​8520
• @​OscarSaharoy made their first contribution in #​8297

Full Changelog: streamlit/streamlit@1.33.0...1.34.0

v1.33.0

Compare Source

What's Changed

Breaking Changes 🛠

• Require explicit suggestion of unsafe_allow_html in st.write by @​kmcgrady in #​8238

New Features 🎉

• explicit update() method for query_params by @​Asaurus1 in #​8205
• Add AreaChartColumn to column config by @​LukasMasuch in #​8237
• Associate label with input to make label click focus input by @​filiptammergard in #​8155
• Media elements improvements by @​kajarenc in #​8203
• Page switching in AppTest by @​AnOctopus in #​8280
• Add ability to use timedelta and stings to start_time and end_time. by @​kajarenc in #​8348
• st.experimental_fragment decorator by @​vdonato in #​8343
• Feature: st.html by @​mayagbarnes in #​8366

Bug Fixes 🐛

• AppTest format_func by @​AnOctopus in #​8189
• Url decode link column display values if regex is used by @​LukasMasuch in #​8258
• Fix infinite loop when rerun and triggered widgets are used together in AppTest by @​AnOctopus in #​8264
• Use the button width as minimum for st.popover container by @​LukasMasuch in #​8266
• Revert "Expire session storage cache on an async timer (#​8083)" by @​kmcgrady in #​8281
• Allow custom themes to override embed options query parameter by @​kmcgrady in #​8021
• Fix issue with not correctly waiting for connections by @​LukasMasuch in #​8294
• Fix initial iframe height for custom component by @​kmcgrady in #​8290
• Fullscreen Button Overflow Horizontally by @​kmcgrady in #​8279
• Fix white components backgrounds when OS is using dark theme by @​LukasMasuch in #​8242
• Add simple fix to update container status after llm complete by @​KedoKudo in #​8311
• Simplify toast message truncation to use character limit directly by @​snehankekre in #​8337
• resolve path when registering watcher for module paths by @​zyxue in #​8372
• Readd mistakenly removed line and add explanatory comment by @​vdonato in #​8392

Other Changes

• Allow packaging 24.x by @​LukasMasuch in #​8338

New Contributors

• @​filiptammergard made their first contribution in #​8155
• @​KedoKudo made their first contribution in #​8311
• @​zyxue made their first contribution in #​8372

Full Changelog: streamlit/streamlit@1.32.2...1.33.0

v1.32.2

Compare Source

Full Changelog: streamlit/streamlit@1.32.1...1.32.2

v1.32.1

Compare Source

Full Changelog: streamlit/streamlit@1.32.0...1.32.1

v1.32.0

Compare Source

What's Changed

New Features 🎉

• Support markdown links inst.radio options by @​LukasMasuch in #​8028
• Improve error handling in st.write_stream by @​LukasMasuch in #​8036
• Add support for PIL images in st.write by @​LukasMasuch in #​8039
• add: Supprt for HTTP method to /healthz endpoint by @​rahulmistri1997 in #​8145
• Add support for AzureOpenAI chat stream by @​LukasMasuch in #​8107
• Add st.popover layout container by @​LukasMasuch in #​7908
• AppTest from_function args by @​AnOctopus in #​8183
• Subtitles changes for st.video by @​kajarenc in #​8057
• Expander and Status AppTest wrappers by @​AnOctopus in #​8187

Bug Fixes 🐛

• Add support for converting st.query_params to string by @​LukasMasuch in #​8030
• Fix custom dataframe scrollbars in Chrome by @​LukasMasuch in #​8034
• Fix time_input menu colors in dark mode by @​LukasMasuch in #​8056
• Make shallow copies of options returned from ensure_indexable by @​vdonato in #​8064
• Fix memory leak in runtime coroutine loop by @​LukasMasuch in #​8068
• Prevent pandas keyerror when checking color column format in st.map by @​awhazell in #​8079
• Fix #​7954 by @​vdonato in #​8054
• Fix issue using a local path with st.image on windows. by @​LukasMasuch in #​8092
• Fix: st.page_link & st.switch_page handling / prefixed paths by @​mayagbarnes in #​8085
• Fix script runner stack overflow by @​AnOctopus in #​8100
• Normalize main script path in st.switch_page and st.page_link by @​kajarenc in #​8103
• Fix: st.page_link URL preview shows file path by @​mayagbarnes in #​8086
• Support multiple path characteristics for switch_page and page_link by @​kmcgrady in #​8127
• Fix chart exception where color-handling code expected DF index to start at 0 by @​sfc-gh-tteixeira in #​8158
• Fix: Alert element overflow by @​mayagbarnes in #​8194
• Fully clear App State on page change by @​kmcgrady in #​8208
• Make st.help more resilient with conditional members by @​kmcgrady in #​8228

Other Changes

• Expire session storage cache on an async timer by @​AnOctopus in #​8083
• Lazy-load emoji module to improve performance by @​LukasMasuch in #​8109
• Lazy-load pandas and pyarrow to improve performance by @​LukasMasuch in #​8125
• Miscellaneous docstring edits and argument names by @​sfc-gh-dmatthews in #​8118
• Deprecate the deprecation.showPyplotGlobalUse config option by @​LukasMasuch in #​8133
• Use env variable to configure matplotlib backend by @​LukasMasuch in #​8113
• Lazy-load numpy and pillow to improve performance by @​LukasMasuch in #​8134
• Show a warning when server port 3000 is used by @​LukasMasuch in #​8152
• Fixed typos in example documentation by @​t1emp0 in #​8162
• Increase time until timeout warning is shown for a custom component by @​raethlein in #​8179
• Update glide-data-grid to version 6.0.4 by @​LukasMasuch in #​7779

New Contributors

• @​awhazell made their first contribution in #​8079
• @​SidVer312 made their first contribution in #​8017
• @​rahulmistri1997 made their first contribution in #​8145
• @​t1emp0 made their first contribution in #​8162

Full Changelog: streamlit/streamlit@1.31.1...1.32.0

v1.31.1

Compare Source

Full Changelog: streamlit/streamlit@1.31.0...1.31.1

v1.31.0

Compare Source

What's Changed

New Features 🎉

• Allow inline usage of st.chat_input by @​LukasMasuch in #​7896
• Feature: st.page_link by @​mayagbarnes in #​7965
• Add st.write_stream command to handle generators or OpenAI output by @​LukasMasuch in #​7906

Bug Fixes 🐛

• Reuse style element for theme injection into custom components by @​Tom-Julux in #​7914
• Handle out of order blocks when parsing element tree by @​AnOctopus in #​7923
• Fix progress bar float input bug by @​notiona in #​7953
• Don't pass query parameters from parent page into iframes by @​eric-skydio in #​7951
• Fix period type support for Pandas 2.2.0 by @​LukasMasuch in #​7988
• Only ignore hiding required columns in dynamic mode by @​LukasMasuch in #​7996
• Disable watchdog suggestion for none or poll watcher type by @​LukasMasuch in #​8024

Other Changes

• Support latest importlib-metadata v7 by @​elgalu in #​7925
• Make Snowpark dependency truly optional for SnowflakeConnection by @​vdonato in #​7919

New Contributors

• @​Tom-Julux made their first contribution in #​7914
• @​elgalu made their first contribution in #​7925
• @​notiona made their first contribution in #​7953

Full Changelog: streamlit/streamlit@1.30.0...1.31.0

v1.30.0

Compare Source

What's Changed

New Features 🎉

• Add support for scroll container via the height parameter by @​LukasMasuch in #​7697
• Add display_text to LinkColumn by @​sfc-gh-bhay in #​7741
• st.query_params by @​willhuang1997 in #​7774
• Add Pandas styler support to LinkColumn by @​LukasMasuch in #​7784
• Config - MPA Sidebar Page Navigation by @​mayagbarnes in #​7852
• Feature - st.switch_page by @​mayagbarnes in #​7853

Bug Fixes 🐛

• Fix handling of ordinal columns for builtin-charts by @​LukasMasuch in #​7771
• Fix st.toggle background color by @​sfc-gh-jgarcia in #​7788
• Don't send command used to start streamlit to frontend by @​vdonato in #​7787
• Fix iframe background for dark color scheme by @​LukasMasuch in #​7821
• Prevent incompatible column config serialization by @​LukasMasuch in #​7887
• Prevent hiding required editable columns by @​LukasMasuch in #​7888
• Disable the ability to submit form if a submit button is disabled by @​willhuang1997 in #​7827
• Fix flickering effect when changing tabs by @​LukasMasuch in #​7904
• Fix shrunk icon size in st.expander by @​matiboux in #​7596
• Add check that individual elements are "python comparable" by @​kajarenc in #​7840
• Use commonpath rather than common prefix for more secure access by @​kmcgrady in #​7901
• Don't disable tab on stale flag by @​LukasMasuch in #​7905
• Fix embed params being dropped in page swaps by @​sfc-gh-wihuang in #​7918

Other Changes

• Fix parenthesis error messaging by @​willhuang1997 in #​7770
• Update SECURITY.md by @​sfc-gh-hpathak in #​7783
• Speed up plotly figures by 8x for users with "orjson" by @​eric-skydio in #​7860

New Contributors

• @​sfc-gh-bhay made their first contribution in #​7741
• @​sfc-gh-jkinkead made their first contribution in #​7843
• @​sfc-gh-jdaly made their first contribution in #​7842
• @​matiboux made their first contribution in #​7596

Full Changelog: streamlit/streamlit@1.29.0...1.30.0

v1.29.0

Compare Source

What's Changed

Breaking Changes 🛠

• Remove old app test api by @​AnOctopus in #​7657

New Features 🎉

• Add ability to add empty query params by @​willhuang1997 in #​7601
• Add Enum coercion to options elements, if input Enum classes "identical" but redefined on script run by @​Asaurus1 in #​7408
• Remove Recording Feature Menu Item when unsupported by @​kmcgrady in #​7604
• Improved AppTest/ElementTree formatting by @​AnOctopus in #​7658
• Add support for timedelta type to st.dataframe, st.data_editor and st.table. by @​LukasMasuch in #​7689
• Add border parameter to container and form by @​LukasMasuch in #​7455
• Use "loading skeletons" throughout Streamlit by @​sfc-gh-tteixeira in #​7598

Bug Fixes 🐛

• Make the outline for expanders appear on focus-visible and not focus by @​kmcgrady in #​7592
• Use NoReturn annotation for stop and rerun by @​kongzii in #​7422
• Fix SVG scaling on fullscreen mode for st.graphviz_chart by @​snehankekre in #​7398
• Fix top padding when embedding an app with a sidebar by @​sfc-gh-jgarcia in #​7630
• Fix app testing repr bug for st.container by @​AnOctopus in #​7644
• Ensure file_uploader doesn't trigger needless reruns by @​AnOctopus in #​7641
• Fix trigger value regression with st.rerun by @​AnOctopus in #​7643
• Fix: MPA Nav expand arrow by @​mayagbarnes i

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.