🌟 What's New

🎉 New Features

Consolidated Label Studio Codebase

This release introduces a simplified Label Studio repository structure.

Previously, the Label Studio frontend and Data Manager codebases were each located in a separate repository: label-studio-frontend and dm2. Starting with this release, the Label Studio Frontend and Data Manager code will be updated and maintained in the main label-studio repository.

The Label Studio Frontend code is now located in the label-studio repository under web/libs/editor, and the Data Manager code can be found under web/libs/datamanager. For more information, see our contributing guide.

This consolidated codebase has many benefits, including streamlined and simplified workflows, increased efficiency when performing cross-component changes, and improved navigation. Most importantly, a unified codebase will make it easier for our Open Source community to navigate and understand the Label Studio code architecture, lowering the barrier to entry for new contributors. (#5154)

🔐 Security

• This release includes several measures to increase SSRF protection (#5316), which address CVE-2023-47116 (#5316):
  • When SSRF_PROTECTION_ENABLED is set to true (note that it defaults to false), our new default is to ban all IPs within reserved blocks, for both IPv4 and IPv6.
  • We are introducing two new environment variables, to be used in conjunction with SSRF_PROTECTION_ENABLED=true:
    USER_ADDITIONAL_BANNED_SUBNETS — Use this to specify additional IP addresses or CIDR blocks to ban from server-side requests (e.g. the URL-based file uploader).
    USE_DEFAULT_BANNED_SUBNETS — This is set to True by default. If you would like to have full control over banned subnets, you can set this to False and use USER_ADDITIONAL_BANNED_SUBNETS to specify all the IP addresses / CIDR blocks you’d like to disallow instead.
  • We have also improved our error messages to make it clearer when an action is being blocked due to SSRF protections.
• Implemented comprehensive HTML sanitization to safeguard against vulnerabilities and ensure a secure user experience. (#5232)
• Addressed several vulnerabilities found in the npm-axios package. (#5229)

🐞 Bug Fixes

• Fixed an issue where Label Studio crashed when configuring multiple hotkeys using the hotkey="," format. (#5240)
• Fixed an issue where credential validation was failing in the Label Studio interface for cloud storages configured using SDK. (#5228)
• Fixed an issue where cancelled and updated annotations were not recalculating is_labeled and other counters. (#4472)
• Fixed an issue where annotation drafts were not changing when switching to view all mode. (#5141)
• Fixed an issue where users would encounter an error when using the Storage filename filter in the Data Manager. (#5289)
• Fixed an issue where users were unable to use the View all annotations option when the project included images that had an empty URL. (#5245)
• Fixed an issue where relations were not displayed if they were added by a user while reviewing a task. (#5140)
• Fixed an issue where users were seeing the Comments tab (an Enterprise-only feature) when resizing their screen. (#5230)

🤩 Contributors

• @juliosgarbi
• @jombooth
• @Gondragos
• @hlomzik
• @KonstantinKorotaev
• @makseq
• @Travis1282