What's Changed
This release includes quality of life improvements to marimo slides, bug fixes to marimo islands that revive our quarto extension, a new lint rule, and minor security improvements.
⭐ Highlights
Slides minimap
Slide mode now has a minimap: a scrollable panel showing your cells at reduced scale, with click-to-navigate and drag-to-reorder support. It's performance-aware — cells only render in the minimap when they're in view.
Islands revived
We've fixed many bugs with marimo islands, a way to embed marimo outputs and/or Python code in other HTML. These fixes also make our quarto-marimo extension (#9071) compatible with this version of marimo.
Security
This release includes minor security improvements, including input sanitization, path traversal prevention, open redirect blocking, and auth endpoint hardening.
- Sanitize plugin output slots (`marimo-mpl-interactive`, `marimo-panel`) to prevent script injection (#9133)
- Restrict `head_html` injection to run mode only (#9137)
- Prevent directory traversal via symlinks in asset serving (#9134)
- Sanitize user-supplied `custom.css` (#9131)
- Block open redirects via protocol-relative URLs (e.g. `//evil.com`) (#9112)
- Restrict health endpoint exposure and add path validation for document writes (#9115)
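Two of the fixes above, the protocol-relative open redirect and the symlink traversal in asset serving, are easy to get wrong in any web app. The following is an added example written for these notes, not marimo's own code, showing one way a server can validate a redirect target and an asset path; `is_safe_redirect`, `resolve_asset` and `symlink_guard_demo` are hypothetical names, and the fixture directory is constructed in a temp dir.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit


def is_safe_redirect(target: str) -> bool:
    """Accept only absolute, same-origin paths such as '/notebook?x=1'.

    Rejects absolute URLs (https://evil.example), protocol-relative URLs
    (//evil.example), which browsers resolve against the current scheme,
    backslash variants (/\\evil.example), which browsers normalize to
    slashes, and any control or whitespace character.
    """
    if not target or any(ord(c) < 0x21 for c in target):
        return False
    normalized = target.replace("\\", "/")
    if normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        return False
    return normalized.startswith("/")


def resolve_asset(root: Path, requested: str) -> Optional[Path]:
    """Map a requested asset path to a file under root, refusing '..'
    segments and any symlink component, so a link planted inside root
    cannot point the server at files outside it."""
    current = root.resolve()
    for part in Path(requested.lstrip("/")).parts:
        if part in ("", ".", ".."):
            return None
        current = current / part
        if current.is_symlink():
            return None
    return current if current.is_file() else None


def symlink_guard_demo() -> bool:
    """Constructed fixture: an asset dir holding a real file and a symlink
    that escapes it; returns True when only the real file is served."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "assets"
        root.mkdir()
        (root / "app.js").write_text("// ok")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("secret")
        os.symlink(outside, root / "link.txt")
        return (resolve_asset(root, "app.js") is not None
                and resolve_asset(root, "link.txt") is None
                and resolve_asset(root, "../secret.txt") is None)
```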
We've also updated our security documentation with a standard operating procedure for future disclosures (#9114).
Thank You. The enthusiasm following our recent CVE disclosure is a testament to what a healthy open-source community looks like. A special thank you to @GCXWLP, @Jvr2022, @offset, @l3tchupkt, @Fushuling, @RacerZ-fighting, and @q1uf3ng for their engagement and reports during this sprint. It takes a community to keep FOSS secure. We're lucky to have this one!
All changes
- fix: sanitize marimo-mpl-interactive marimo-panel by @mscolnick in #9133
- fix: restrict head_html to run by @dmadisetti in #9137
- fix: don't follow symlinks in assets.py by @mscolnick in #9134
- fix: sanitize custom.css by @mscolnick in #9131
- fix: prevent open redirect via protocol-relative URLs by @mscolnick in #9112
- chore: reported code scanning issues by @dmadisetti in #9115
- docs: Update security docs for 0.23.0 and outline SOP by @dmadisetti in #9114
- improvement: revive islands by @mscolnick in #9071
- feat: Lint rule to detect ordering discrepancies on top level functions by @dmadisetti in #8996
- add slides minimap by @Light2Dark in #9097
- Fix `mo.ui.matplotlib` rendering on browser zoom by @manzt in #9125
- fix: handle mixed-type column sorting in data table by @kirangadhave in #9102
- fix: add requires() to set_ui_element_value, set_model_value, function_call by @mscolnick in #9113
- fix: wrap plugin slot in TooltipProvider to fix tooltip regression by @mscolnick in #9126
- fix keyboard shortcuts for input elements inside shadow DOM by @Light2Dark in #9105
- don't render data-tooltips for marimo components with tooltips by @Light2Dark in #9129
- fix: minor fixes to the data-table by @kirangadhave in #9100
- fix: added exception handling to _style_cells by @kirangadhave in #9101
- additional ruff fixes by @Light2Dark in #9132
- Ruff autofixes + some manual changes by @Light2Dark in #9121
- chore: bump ruff target-version to py310 by @kirangadhave in #9118
- fix: bump ruff version in pytest_changed plugin to 0.15.9 by @kirangadhave in #9135
- tests: verify empty env vars by @mscolnick in #9130
Full Changelog: 0.23.0...0.23.1