New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency streamlit to v1.37.0 [security] #1412

Merged

NimJay merged 1 commit into GoogleCloudPlatform:main from renovate-bot:renovate/pypi-streamlit-vulnerability

Aug 15, 2024

Contributor

renovate-bot commented Aug 15, 2024

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
streamlit (source, changelog)	`==1.34.0` -> `==1.37.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-42474

1. Impacted Products

Streamilt Open Source versions before 1.37.0.

2. Introduction

Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

3. Path Traversal Vulnerability

3.1 Description

On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of 5.9

3.2 Scenarios and attack vector(s)

Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit.

3.3 Resolution

The vulnerability has been fixed in all Streamlit versions released since Jul 25, 2024. We recommend all users upgrade to Version 1.37.0.

4. Contact

Please contact [email protected] if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

Release Notes

streamlit/streamlit (streamlit)

`v1.37.0`

What's Changed

New Features 🎉

Stacking options - st.bar_chart by @mayagbarnes in https://github.com/streamlit/streamlit/pull/8945
Support graphviz.sources.Source object for st.graphviz_chart by @sfc-gh-kbregula in https://github.com/streamlit/streamlit/pull/8993
Add support for material icons in markdown by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8889
Fix lag when closing dialog by @raethlein in https://github.com/streamlit/streamlit/pull/9023
Stacking options - st.area_chart by @mayagbarnes in https://github.com/streamlit/streamlit/pull/8992
Add feedback widget by @raethlein in https://github.com/streamlit/streamlit/pull/8915
READ only headers and cookies by @kajarenc in https://github.com/streamlit/streamlit/pull/8976
De-experimentalize st.fragment by @vdonato in https://github.com/streamlit/streamlit/pull/9019
De-experimentalize st.dialog by @raethlein in https://github.com/streamlit/streamlit/pull/9020

Bug Fixes 🐛

Show fragment errors in fragment-path for main app runs by @raethlein in https://github.com/streamlit/streamlit/pull/8868
Fix st.rerun fragment thread reuse issue by @raethlein in https://github.com/streamlit/streamlit/pull/8798
Support non-unix style paths for MPA loading by @kmcgrady in https://github.com/streamlit/streamlit/pull/8988
Set theme hash properly on load if a custom theme is active to start by @kmcgrady in https://github.com/streamlit/streamlit/pull/8989
Don't remove session refs on fragment runs by @vdonato in https://github.com/streamlit/streamlit/pull/9010
Improvements to NumberInput formatting by @sfc-gh-nbellante in https://github.com/streamlit/streamlit/pull/9035
Hide all Particles upon printing by @sfc-gh-nbellante in https://github.com/streamlit/streamlit/pull/9053
Fix: MPA support of custom themes by @mayagbarnes in https://github.com/streamlit/streamlit/pull/8994
st.switch_page clears non-embed query params by @mayagbarnes in https://github.com/streamlit/streamlit/pull/9059
Fix secrets.toml Windows Path Bug by @sfc-gh-nbellante in https://github.com/streamlit/streamlit/pull/9061
Bugfix: Fixes two st.map width bugs by @sfc-gh-nbellante in https://github.com/streamlit/streamlit/pull/9070
Validate the path using Tornado before performing checks by @kmcgrady in https://github.com/streamlit/streamlit/pull/8990
Reset ctx.current_fragment_id to last ID instead of None by @vdonato in https://github.com/streamlit/streamlit/pull/9114

Other Changes

Update emojis used for validation by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8923
Add support for numpy 2.x by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8940
Remove a bunch of deprecated experimental features by @vdonato in https://github.com/streamlit/streamlit/pull/8943
Migrate custom icons from material outlined to rounded by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8998
Remove old config options - part 1 by @mayagbarnes in https://github.com/streamlit/streamlit/pull/9005
Remove old config options - part 2 by @mayagbarnes in https://github.com/streamlit/streamlit/pull/9013
Remove deprecation.showPyplotGlobalUse config option by @LukasMasuch in https://github.com/streamlit/streamlit/pull/9018
Fix broken st.navigation docstring by @mahotd in https://github.com/streamlit/streamlit/pull/9027
Update the feedback widget design by @raethlein in https://github.com/streamlit/streamlit/pull/9094

New Contributors

@Dev-iL made their first contribution in https://github.com/streamlit/streamlit/pull/8947
@quant12345 made their first contribution in https://github.com/streamlit/streamlit/pull/8968
@mahotd made their first contribution in https://github.com/streamlit/streamlit/pull/9027

Full Changelog: streamlit/streamlit@1.36.0...1.37.0

`v1.36.0`

What's Changed

Breaking Changes 🛠

Remove legacy caching logic by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8737
Deprecate the experimental_allow_widgets caching parameter by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8817

New Features 🎉

Allow passing on_change_callback for CustomComponents by @raethlein in https://github.com/streamlit/streamlit/pull/8633
Use raw number for number column overlay and copy by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8708
Introduce st.navigation and st.Page by @kmcgrady in https://github.com/streamlit/streamlit/pull/8744
Make st.write call st.json to display Streamlit secrets object by @snehankekre in https://github.com/streamlit/streamlit/pull/8659
Streamlit Charts: Customizable Axis Labels by @mayagbarnes in https://github.com/streamlit/streamlit/pull/8846
Add vertical alignment parameter to st.columns by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8568
Add icon parameter to st.expander by @snehankekre in https://github.com/streamlit/streamlit/pull/8716
Use the default widget height for non-stacked checkbox & toggle widgets by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8835
Horizontal st.bar_chart by @mayagbarnes in https://github.com/streamlit/streamlit/pull/8877

Bug Fixes 🐛

Remove non-existent kwargs in ast.Call() call by @JelleZijlstra in https://github.com/streamlit/streamlit/pull/8711
Don't instantiate the LocalSourcesWatcher if file watching is disabled by @vdonato in https://github.com/streamlit/streamlit/pull/8741
Make the session state writes disallowed message more generic by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8720
Ensure SessionInfo is set before performing an action by @kmcgrady in https://github.com/streamlit/streamlit/pull/8779
Unify the minimum height of most element by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8797
Don't allow writing widgets outside the fragment by @raethlein in https://github.com/streamlit/streamlit/pull/8756
Fix element replay regression for plotly charts by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8770
Improve exception text when selectbox index larger than options by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8775
Prevent images in markdown to go beyond the container width by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8794
Ensure current page script hash and active script hash is correct at script start by @kmcgrady in https://github.com/streamlit/streamlit/pull/8830
Revert "Handle Altair resolve_scale (#8497)" by @kmcgrady in https://github.com/streamlit/streamlit/pull/8845
Update custom-components import paths and tests by @raethlein in https://github.com/streamlit/streamlit/pull/8666
Raise exception if st.Page is given an invalid path by @vdonato in https://github.com/streamlit/streamlit/pull/8878

Other Changes

Explicitly export experimental_dialog by @raethlein in https://github.com/streamlit/streamlit/pull/8728
Remove default value for title of dialog_decorator by @raethlein in https://github.com/streamlit/streamlit/pull/8729
Docstrings for 1.35.0 (and type consistency for charts) by @sfc-gh-dmatthews in https://github.com/streamlit/streamlit/pull/8740
Migrate streamlit hello to MPAv2 by @kmcgrady in https://github.com/streamlit/streamlit/pull/8806
Fix use_container_width docstring when default is True by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8809
Allow protobuf v5 as dependency by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8627
Fix: Remove title appending · Streamlit by @mayagbarnes in https://github.com/streamlit/streamlit/pull/8900

New Contributors

@JelleZijlstra made their first contribution in https://github.com/streamlit/streamlit/pull/8711

Full Changelog: streamlit/streamlit@1.35.0...1.36.0

`v1.35.0`

What's Changed

New Features 🎉

Add support for selections to st.plotly_chart by @willhuang1997 in https://github.com/streamlit/streamlit/pull/8191
feat: support set mysql connection query from secrets.toml by @LucianLiu6 in https://github.com/streamlit/streamlit/pull/8581
Feature: st.logo by @mayagbarnes in https://github.com/streamlit/streamlit/pull/8554
Material icon for st.page_link by @kajarenc in https://github.com/streamlit/streamlit/pull/8593
Add dataframe row and column selections by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8411
Add support for selections to st.altair_chart & st.vega_lite_chart by @willhuang1997 in https://github.com/streamlit/streamlit/pull/8302

Bug Fixes 🐛

Fix standalone custom-component execution by @raethlein in https://github.com/streamlit/streamlit/pull/8620
Clear stale elements when st.rerun() is used by @vdonato in https://github.com/streamlit/streamlit/pull/8599
Focus chat input after the submit button is pressed by @kmcgrady in https://github.com/streamlit/streamlit/pull/8637
fix: #8500 bypass StrEnum 'index' to make position-indexable by @97k in https://github.com/streamlit/streamlit/pull/8622
Update scroll-margin-top by @raethlein in https://github.com/streamlit/streamlit/pull/8641
Fix cell error when data editor gets reconstructed by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8640
Ensure that column config is cloned by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8677
Add fallback method for CSV download by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8452

Other Changes

Bump mheap/github-action-required-labels from 5.4.0 to 5.4.1 by @dependabot in https://github.com/streamlit/streamlit/pull/8582
Remove fullscreen button for st.table by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8621
Improve typing for query params .update and .from_dict by @Asaurus1 in https://github.com/streamlit/streamlit/pull/8614
Improve anchor button visualization for titles and headings by @raethlein in https://github.com/streamlit/streamlit/pull/8587
Allow protobuf v5 by @mark-thm in https://github.com/streamlit/streamlit/pull/8624
Stabilize the vega-lite spec for altair-based charts by @LukasMasuch in https://github.com/streamlit/streamlit/pull/8628
Update address output in headless mode by @raethlein in https://github.com/streamlit/streamlit/pull/8647
Revert "Allow protobuf v5" by @raethlein in https://github.com/streamlit/streamlit/pull/8701

New Contributors

@LucianLiu6 made their first contribution in https://github.com/streamlit/streamlit/pull/8581
@mark-thm made their first contribution in https://github.com/streamlit/streamlit/pull/8624
@97k made their first contribution in https://github.com/streamlit/streamlit/pull/8622

Full Changelog: streamlit/streamlit@1.34.0...1.35.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency streamlit to v1.37.0 [security]

92cf81c

renovate-bot requested review from yoshi-approver and a team as code owners

August 15, 2024 16:24

forking-renovate bot added lang: python type:security labels

NimJay approved these changes

View reviewed changes

Collaborator

NimJay left a comment

All checks are passing. Approved.

NimJay merged commit 13359d6 into GoogleCloudPlatform:main

5 checks passed

renovate-bot deleted the renovate/pypi-streamlit-vulnerability branch

August 15, 2024 18:44

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lang: python type:security