
Update dependency streamlit to v1.11.1 [SECURITY] #603

Open: wants to merge 1 commit into base: main

Conversation

renovate[bot] commented Jan 12, 2025

This PR contains the following updates:

Package                          Change
streamlit (source, changelog)    ==1.2.0 -> ==1.11.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-35918

Impact

Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.

An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.

Patches

On July 27th at 2:20PM PST we rolled out a patch in release 1.11.1. This patch ensures that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. We have notified the Streamlit community and popular hosting providers about this issue so they can patch quickly. As a precautionary measure, we are also upgrading all users on Streamlit Cloud wherever possible. We continue to check other occurrences of this vulnerability and monitor potential exploits wherever we can.

Finally, as a general security practice, we recommend users review custom components for any malicious code before using them in their apps. Following security best practices such as running web servers with low privileges, firewalls, etc. for hosting your apps, helps in mitigating the severity of such exploits.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:


Release Notes

streamlit/streamlit (streamlit)

v1.11.1

v1.11.0

v1.10.0

v1.9.2

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

  • ❄️ Add st.snow()!

v1.6.0

  • 🗜 WebSocket compression is now disabled by default, which will improve CPU and latency performance for large dataframes. You can use the server.enableWebsocketCompression configuration option to re-enable it if you find the increased network traffic more impactful.
  • ☑️ 🔘 Radio and checkboxes improve focus on Keyboard navigation (#4308)

v1.5.1

v1.5.0

Release date: Jan 27, 2022

Notable Changes

  • 🌟 Favicon defaults to a PNG to allow for transparency (#4272).
  • 🚦 Select Slider Widget now has the disabled parameter that removes interactivity (completing all of our widgets) (#4314).

Other Changes

  • 🔤 Improvements to our markdown library to provide better support for HTML (specifically nested HTML) (#4221).
  • 📖 Expanders maintain their expanded state better when multiple expanders are present (#4290).
  • 🗳 Improved file uploader and camera input to call its on_change handler only when necessary (#4270).

v1.4.0

Highlights

  • 📸 Introducing st.camera_input for uploading images straight from your camera.

Notable Changes

  • 🚦 Widgets now have the disabled parameter that removes interactivity.
  • 🚮 Clear st.experimental_memo and st.experimental_singleton programmatically by using the clear() method on a cached function.
  • 📨 Developers can now configure the maximum size of a message to accommodate larger messages within the Streamlit application. See server.maxMessageSize.
  • 🐍 We formally added support for Python 3.10.

Other Changes

  • 😵‍💫 Calling str or repr on threading.current_thread() does not cause a RecursionError (#4172).
  • 📹 Gracefully stop screencast recording when user removes permission to record (#4180).
  • 🌇 Better scale images by using a higher-quality image bilinear resampling algorithm (#4159).

v1.3.1

  • 🎈 Fix st.balloons to show the balloons
  • 📊 Allow st.columns to create space even if empty

v1.3.0

Release date: Dec 16, 2021

Notable Changes

  • 💯 Support for NumPy values in st.metric .
  • 🌐 Support for Mesh Layers in PyDeck.
  • 📊 Updated Plotly chart version to support the latest features.
  • 🏀 st.spinner element has visual animated spinner.
  • 🍰 st.caption supports HTML in text with unsafe_allow_html parameter.

Other Changes

  • 🪲 Bug fix: Allow st.session_state to be used to set number_input values with no warning (#4047).
  • 🪲 Bug fix: Fix footer alignment in wide mode (#4035).
  • 🐞 Bug fix: Better support for Graphviz and Bokeh charts in containers (columns, expanders, etc.) (#4039).
  • 🐞 Bug fix: Support inline data values in Vega-Lite (#4070).
  • ✍️ Types: Updated type annotations for experimental memo and singleton decorators.
  • ✍️ Types: Improved type annotations for st.selectbox, st.select_slider, st.radio, st.number_input, and st.multiselect .

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
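The advisory quoted in this PR describes the 1.11.1 fix for CVE-2022-35918 as restricting file operations to the custom component directory so a request path cannot traverse outside it. The following is an added illustration of that containment pattern, written for this review and not taken from Streamlit or from this PR: the function names `resolve_within` and `read_component_file` are hypothetical, and the directory tree (a component folder with `index.html`, a `secret.log` outside it, and a symlink pointing out of the component folder) is constructed in a temporary directory purely for the demonstration.

```python
"""
Added example (not Streamlit's own code): confine file reads to a
component's directory so that a requested path cannot escape it.
The check is done on the fully resolved path (realpath), so '..'
segments, absolute paths and symlinks are all caught the same way.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_within(base_dir: str, requested: str) -> Optional[Path]:
    """Return the resolved absolute path of `requested` inside `base_dir`,
    or None when the resolved path lies outside `base_dir`.

    Both sides are passed through os.path.realpath so that symlinks are
    followed before the containment test; comparing unresolved strings
    would let a symlink inside the directory point anywhere."""
    base = Path(os.path.realpath(base_dir))
    # A leading slash is stripped so an absolute request is interpreted
    # relative to the component directory instead of the filesystem root.
    candidate = Path(os.path.realpath(base / requested.lstrip("/\\")))
    try:
        candidate.relative_to(base)  # raises ValueError if not under base
    except ValueError:
        return None
    return candidate


def read_component_file(base_dir: str, requested: str) -> Optional[bytes]:
    """Read a file only if it resolves inside base_dir and is a regular file.
    Anything else (escaped path, directory, missing file) yields None."""
    path = resolve_within(base_dir, requested)
    if path is None or not path.is_file():
        return None
    return path.read_bytes()


def demo() -> Dict[str, Optional[bytes]]:
    """Build a constructed tree in a temp dir and exercise the check.

    Layout (constructed for the example):
        <tmp>/secret.log                         outside the component dir
        <tmp>/components/my_component/index.html inside it
        <tmp>/components/my_component/escape     symlink -> ../../secret.log
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        comp = root / "components" / "my_component"
        comp.mkdir(parents=True)
        (comp / "index.html").write_bytes(b"<html>ok</html>")
        (root / "secret.log").write_bytes(b"server log")
        link = comp / "escape"
        try:
            link.symlink_to(root / "secret.log")
            have_symlink = True
        except OSError:  # platforms that disallow symlink creation
            have_symlink = False
        return {
            # legitimate request: served
            "inside": read_component_file(str(comp), "index.html"),
            # '..' traversal: resolved path leaves base, rejected
            "dotdot": read_component_file(str(comp), "../../secret.log"),
            # absolute path: re-rooted under base, file does not exist there
            "absolute": read_component_file(str(comp), str(root / "secret.log")),
            # symlink pointing outside: realpath exposes the escape, rejected
            "symlink": read_component_file(str(comp), "escape") if have_symlink else None,
        }


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"{name:9s} -> {content!r}")
```

The point of resolving before comparing is that the containment test sees the same path the operating system will open; a string-prefix check on the unresolved request is the usual way such filters are bypassed.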
