Security
- ⚠️ Prevent local file disclosure in
ui.restructured_textvia Docutils file insertion directives (GHSA-jfrm-rx66-g536 by @dennyabrahamsinaga, @h3ri0s, @falkoschindler, @evnchn) - ⚠️ Prevent unauthenticated log-volume denial of service in dynamic resource and ESM module routes (GHSA-pq7c-x8g4-rvp6 by @bitinerant, @evnchn, @falkoschindler)
New features and enhancements
- Make
enable(),disable(),set_enabled(),set_visibility()and many more methods chainable (#6014, #6016 by @stragrothsk, @falkoschindler, @evnchn) - Auto-dedent
ui.mermaidcontent likeui.markdowndoes (#6011, #6012 by @BasementSociety, @falkoschindler, @evnchn) - Suppress alarming
KeyboardInterrupttraceback fromrun.cpu_boundworkers on Ctrl-C (#6025, #6027 by @justus2510, @falkoschindler, @evnchn)
Bugfixes
- Fix
RuntimeError: A SemLock created in a fork context is being shared with a process in a spawn contextinui.run(native=True, reload=True)on CPython ≥ 3.11.5 (#1841, #6045 by @swrpug, @evnchn, @falkoschindler, @rodja, @JensOgorek, @yuanxion, @electronstudio, @knoppmyth, @Qhawaq, @sagarbehere, @frankhuurman, @MrGibus, @BanDroid) - Fix
KeyError: 'error'when callingValidationElement.validate()after theerrorprop was removed viaprops(remove=...)(#5977, #6042 by @manu-ns, @falkoschindler, @evnchn) - Fix silent
window.location.reload()on every WebSocket reconnect (#6018, #6019 by @arodidev, @falkoschindler, @evnchn) - Resolve
ElementFilter.DEFAULT_LOCAL_SCOPEat runtime so changing the class variable actually affects new instances (#6005, #6013 by @gzu300, @DarkRiddle1212, @falkoschindler) - Fix duplicate
app.timerand lifecycle handler (on_connect,on_disconnect,on_delete,on_shutdown,on_exception) registration in script mode (#6003, #6006 by @EchterTimo, @falkoschindler, @evnchn) - Preserve a meaningful DataFrame index in
ui.aggrid.from_pandasandui.table.from_pandas(#5995, #6002 by @NichtJens, @DarkRiddle1212, @falkoschindler, @evnchn)
Note: DataFrames with an informative index now produce additional column(s) in the resulting grid/table. To restore the previous "drop the index" behavior, calldf.reset_index(drop=True)before passing the DataFrame. - Bracket IPv6 hosts and omit default ports in printed URLs (#5996 by @bulletmark, @falkoschindler, @evnchn)
- Fix
ui.codereporting the wrong language and throwing aReferenceErrorin the CodeMirrorfindLanguageerror path (#5982 by @Jepson2k, @falkoschindler) - Fix material settings not applying to GLTF models in
ui.scene(#3515, #5708 by @maria-korosteleva, @evnchn, @falkoschindler, @fabian0702)
Documentation
- Add
llms.md— a self-contained LLM reference covering NiceGUI's API surface, mental models, and common anti-patterns for AI-assisted development (#6021, #6049 by @joko-zauberzeug, @falkoschindler, @evnchn, @rodja) - Restructure CONTRIBUTING.md around the contributor journey, drop rule duplication, and split out a new "For maintainers" section (#6029 by @falkoschindler, @evnchn)
- Restructure AI agent instructions: extract code-review guidance into REVIEW.md, trim AGENTS.md, and tighten Cursor/Copilot prompts (#6030 by @falkoschindler, @evnchn)
- Document packaging with Nuitka (#6009, #6010 by @SHDocter, @falkoschindler, @evnchn)
- Improve authentication example (#6046 by @NichtJens, @evnchn, @falkoschindler)
- Improve
Sortabledocumentation (#6017 by @falkoschindler, @denniswittich) - Clarify the
client_idsecurity model and add an "Examples Are Starting Points" callout (#6004 by @evnchn, @falkoschindler) - Fix Nested
ui.sub_pagesdoc demo link target and label (#5999, #6008 by @aisartag, @falkoschindler, @evnchn)
Testing
- Fix click handler dispatch in user simulation (#6043 by @Jepson2k, @falkoschindler, @evnchn)
Note 1: Click handlers onui.checkboxandui.switchnow receivee.args = Noneinstead ofnot element.value; reade.sender.value(or useon_value_change) for the post-toggle value.
Note 2: Also,find(...).click()no longer broadcasts to every matched element — it picks the lowest-ID enabled match and dispatches once. Tests that relied on simultaneous multi-match clicks need to issue separate calls. - Implement
ui.sub_pagesnavigation in user-simulated tests (#5193 by @rodja, @falkoschindler)
Dependencies
- Bump Mermaid from 11.12.2 to 11.15.0 to consume upstream security patches (#6047 by @falkoschindler, @evnchn)
Infrastructure
- Use
uv sync --lockedin CI workflows so lockfile drift fails fast with a clear diagnostic (#6036 by @evnchn, @falkoschindler) - Use
uv sync --lockedin Copilot setup steps for deterministic agent boot environments (#6040 by @evnchn, @falkoschindler) - Switch Dependabot from the
pipecosystem touv(#6037 by @evnchn, @falkoschindler) - Declare PyPI trove classifiers so NiceGUI appears in PyPI's faceted search (#6041 by @evnchn, @falkoschindler)
- Expand
[project.urls]with PEP 753 well-known labels (#6039 by @evnchn, @falkoschindler)
Special thanks to our top sponsors TestMu AI, Lechler GmbH and joet-s ✨
and all our other sponsors and contributors for supporting this project!
🙏 Want to support this project? Check out our GitHub Sponsors page to help us keep building amazing features!