chore(deps): update dependency nicegui to v3.10.0 [security]#531
Open
renovate[bot] wants to merge 5 commits intomainfrom
Open
chore(deps): update dependency nicegui to v3.10.0 [security]#531renovate[bot] wants to merge 5 commits intomainfrom
renovate[bot] wants to merge 5 commits intomainfrom
Conversation
renovate
Bot
requested a review
from helmut-hoffer-von-ankershoffen
as a code owner
renovate
Bot
added
bot
renovate
Bot
force-pushed
the
renovate/pypi-nicegui-vulnerability
branch
from
4adc790 to
cb4b52b
Compare
renovate
Bot
force-pushed
the
renovate/pypi-nicegui-vulnerability
branch
10 times, most recently
from
c8c1a2f to
e51412d
Compare
renovate
Bot
force-pushed
the
renovate/pypi-nicegui-vulnerability
branch
10 times, most recently
from
37a0f0d to
4fcc0f4
Compare
Merged
5 tasks
renovate
Bot
force-pushed
the
renovate/pypi-nicegui-vulnerability
branch
5 times, most recently
from
67fff13 to
5b9161f
Compare
renovate
Bot
force-pushed
the
renovate/pypi-nicegui-vulnerability
branch
from
5b9161f to
003f3a3
Compare
NiceGUI 3.10.0 made ValueChangeEventArguments generic and tightened ui.input/ui.switch value types to include None. Parameterize handlers with the new optional value types and coerce at usage sites. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Author
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
…ession NiceGUI 3.10.0 unified Outbox initialization through background_tasks. create_or_defer, which checks core.is_loop_running() instead of the previous app.is_started shortcut. Hitting a @ui.page handler via fastapi.testclient.TestClient now blocks the outer event loop, so is_loop_running() returns False while app.is_started is True, and the deferred path raises "Unable to register another startup handler". Switch test_serve_notebook to the async user fixture's http_client (httpx.AsyncClient with ASGITransport), which the nicegui testing plugin already wires up with a live event loop. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
helmut-hoffer-von-ankershoffen
removed
the
skip:test:long_running
helmut-hoffer-von-ankershoffen
added
the
skip:test:long_running
The label was removed by Renovate during rebase, causing long_running tests to run unintentionally. Empty commit re-triggers synchronize so github.event.pull_request.labels reflects the current label set. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.9.0→3.10.0NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
CVE-2026-39844 / GHSA-w8wv-vfpc-hw2w
More information
Details
Summary
The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses
PurePosixPath(filename).nameto strip path components. SincePurePosixPathonly recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename.Applications that construct file paths using
file.name(a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows.Details
The sanitization in
nicegui/elements/upload_files.pyuses:PurePosixPathtreats backslashes as literal characters, not path separators:When this filename is used in a path operation on Windows (e.g.,
Path('uploads') / file.name), WindowsPathinterprets backslashes as directory separators, resolving the path outside the intended directory.Impact
On Windows deployments of NiceGUI applications that use
file.namein path construction:Linux and macOS are not affected, as they treat backslashes as literal filename characters.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
zauberzeug/nicegui (nicegui)
v3.10.0Compare Source
Security
ui.uploadon Windows (GHSA-w8wv-vfpc-hw2w by @offset, @evnchn, @falkoschindler)New features and enhancements
ui.status_code()to set HTTP status codes from page builders (#5810 by @evnchn, @falkoschindler)on_resizecallback toui.xtermto communicate terminal size to the PTY (#5847, #5858 by @jacopofar, @evnchn, @falkoschindler)ui.tabto findui.tabsancestor through intermediate containers (#5902 by @falkoschindler, @evnchn)helpers.pyinto a package with focused submodules (#5916 by @falkoschindler, @evnchn)Bugfixes
client.ipalways reporting "127.0.0.1" behind reverse proxies and On Air (#4786, #5906, #5920 by @ffilotto, @evnchn, @falkoschindler, @stephanpalmer)ValidationElement.errorbeing ignored when no validation is set (#5895, #5903 by @atollk, @falkoschindler, @evnchn)tailwind=False(#5868, #5904 by @platinops, @evnchn, @falkoschindler)initialized()adding event listeners on every call (#5898 by @falkoschindler, @evnchn)ui.timercallback tasks leaking when client disconnects mid-execution (#5930, #5931 by @NiklasNeugebauer, @falkoschindler, @evnchn)Documentation
Infrastructure
Special thanks to our top sponsors Lechler GmbH and TestMu AI ✨
and all our other sponsors and contributors for supporting this project!
🙏 Want to support this project? Check out our GitHub Sponsors page to help us keep building amazing features!
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.