Releases: Chainlit/chainlit
1.3.2
⚠️ Security Advisory
IMPORTANT: The element feature currently contains a known security vulnerability that could allow unauthorized file access. We strongly recommend against using elements in production environments until a comprehensive fix is implemented in an upcoming release.
Breaking Changes
This release drops support for FastAPI versions before 0.115.3 and Starlette versions before 0.41.2 due to a severe security vulnerability (CVE-2024-47874). We strongly encourage all downstream dependencies to upgrade as well.
While this is technically a breaking change in a patch release, we are prioritizing security over strict semantic versioning in this case. We strongly encourage all users to upgrade to this version immediately for the latest security improvements.
Security Updates
- Critical dependency updates to address CVE-2024-47874 (#1493):
  - Upgraded fastapi to 0.115.3
  - Upgraded starlette to 0.41.2
  - Upgraded werkzeug to 3.0.6
Bug Fixes
- Fixed incorrect message ordering in UI by @pmercier (#1501):
  - Messages now display in the correct chronological order
  - Resolved race conditions in message display logic
  - Improved message state management
Contributors
- @dokterbob
- @pmercier made their first contribution in #1501
Full Changelog: 1.3.1...1.3.2
2.0.dev2
Important Security Notice
This development release temporarily reverts recent security improvements to restore element functionality. The element feature currently contains a known security vulnerability that could allow unauthorized file access. As this is a development release, it should not be used in production environments.
What's Changed
- Fixed elements not displaying when using authentication by @hayescode in #1474
- Temporarily reverted file access security improvements from 2.0.dev1 to restore functionality (#1441)
Development Status
Work is underway to implement HTTP-only cookie authentication as a comprehensive security solution. This will be a key feature of upcoming development releases.
Full Changelog: 2.0.dev1...2.0.dev2
1.3.1
Important Security Notice
This hotfix release temporarily reverts recent security improvements to restore element functionality. The element feature currently contains a known security vulnerability that could allow unauthorized file access. We strongly recommend against using elements in production environments until our next release, which will implement a comprehensive fix using HTTP-only cookie authentication.
What's Changed
- Fixed elements not displaying when using authentication by @hayescode in #1474
- Temporarily reverted file access security improvements from 1.3.0 to restore functionality (#1441)
Next Steps
We are actively working on a comprehensive security fix that will be released in the coming weeks.
Full Changelog: 1.3.0...1.3.1
2.0dev1
[2.0.dev1] - 2024-10-22
Features
- Added interactive pandas.DataFrame display component using MUI Data Grid (#1373)
- Optional websocket connection in react-client (#1379)
- Added current URL to message payload (#1403)
- Improved image interaction UX - clicking opens in popup with download option (#1402)
- Added configurable user session timeout (#1032)
- Environment variables OAUTH_<PROVIDER>_PROMPT and OAUTH_PROMPT to override oauth prompt parameter. Prevent automatic re-login with OAUTH_PROMPT=consent. (#1362, #1456).
Security
- Fixed file access vulnerability in get_file and upload_file endpoints (#1441)
- Added authentication to /project/file endpoint (#1441)
- Addressed security vulnerabilities in frontend dependencies (#1431, #1414)
Fixed
- Dialog boxes no longer extend beyond window (#1446)
- Allow empty chat input when submitting attachments (#1261)
- Fixed tasklist when Chainlit is submounted (#1433)
- Allow spaces in avatar filenames (#1418)
- Step argument input and concurrency issues (#1409)
- Correctly copy display_name to PersistentUser during authentication (#1425)
Development
- Refactored storage clients into separate modules (#1363)
- Support for IETF BCP 47 language tags (#1399)
- Improved GitHub Actions workflows and build process (#1445)
- Allow direct installation from GitHub (#1423)
- Extended package metadata with homepage and documentation links (#1413)
- Various backend fixes and code cleanup (#1432)
1.3.0
Key Improvements
- Enhanced security with critical fixes for file handling and dependency updates (#1441, #1431, #1414)
- Added SQLite database support for storing chat history and user data (#1319)
- Made OAuth login behavior configurable through environment variables - use OAUTH_PROMPT=consent to prevent automatic re-login after logout (#1456)
- Added support for localized languages like Latin American Spanish (es-419) through IETF language tags (#1399)
- Enhanced performance and reliability of cloud storage through LiteralAI 0.0.625 update (#1376)
What's Changed
- Made OAuth login prompts configurable via environment variables (#1456) by @dokterbob
- Fixed UI issue with dialog boxes extending beyond screen (#1446) by @laodanfeng
- Ensured user display names persist correctly after authentication (#1425) by @willydouhard
- Improved file upload and access security (#1441) by @dokterbob
- Fixed task list display when Chainlit is used within another app (#1433) by @dokterbob
- Added support for regional language variants like es-419 (#1399) by @erauld
- Fixed concurrent processing of user inputs (#1409) by @willydouhard
- Fixed avatar filename handling to support spaces (#1418) by @dokterbob
- Fixed database identifier handling in SQLAlchemy (#1395) by @hayescode
- Improved module loading performance (#1382) by @dokterbob
- Various documentation and text improvements (#1347, #1348, #1349) by @EWouters
New Contributors
- @laodanfeng made their first contribution in #1446
- @qvalentin made their first contribution in #1441
- @erauld made their first contribution in #1399
Full Commit Log: 1.2.0...1.3.0, CHANGELOG
2.0.dev0
Developer Preview
This is a developer preview release of Chainlit 2.0. It introduces significant changes and new features, particularly integration with the OpenAI Realtime API. As a dev preview, it may contain bugs and is not recommended for production use.
Major Changes
Realtime Audio Processing
The most significant change in this release is the introduction of realtime audio processing capabilities, as implemented in PR #1401 by @willydouhard. This feature enables real-time voice conversations with AI assistants.
Check out a screen grab of the demo on Twitter X.
For a practical implementation of this new feature, check out our cookbook entry on creating a realtime assistant.
Breaking Changes in Audio Implementation
- Replaced AudioChunk type with InputAudioChunk and OutputAudioChunk
- Changed default audio sampling rate from 44100 to 24000
- Removed several audio configuration options (min_decibels, initial_silence_timeout, silence_timeout, chunk_duration, max_duration)
- Introduced new on_audio_start callback
- Modified on_audio_end callback to no longer accept file elements as arguments
New Features
- Audio connection signaling with on and off states
- AudioPresence component for visual representation of audio state
- WavRecorder and WavStreamPlayer classes for improved audio handling
- startConversation and endConversation methods in useAudio hook
- Audio interruption functionality
Other Changes
- Updated useChatInteract hook with startAudioStream method
- Modified useChatSession to handle new audio streaming functionality
- Refactored UI components to reflect new audio implementation
- Added new wavtools directory with various audio processing utilities
- Implemented new AudioWorklet processors for more efficient audio handling
Removed
- RecordScreen component
- Several audio-related configuration options from config.toml
For a complete list of changes, please refer to the full changelog.
We encourage developers to test this preview release and provide feedback. Please report any issues or suggestions on our GitHub repository.
1.3.0rc0
Feedback and testing
This is a release candidate (rc0) for version 1.3.0.
We encourage thorough testing, especially of the LiteralAI integration and history features.
Feedback is highly appreciated to ensure stability for the final 1.3.0 release, specifically on the LiteralAI integration and SQLAlchemy/SQLite.
Key Features and Improvements
- Added SQLite support to the SQLAlchemy integration (#1319)
- Implemented extensive test coverage for LiteralDataLayer and SQLAlchemyDataLayer (#1376, #1346)
- Refactored the LiteralDataLayer for improved performance and consistency (#1376)
- Added get_element() method to SQLAlchemyDataLayer (#1346)
- Enhanced OAuth logout process to prevent automatic re-login (#1362)
What's Changed
- Bump LiteralAI to 0.0.625, refactor LiteralDataLayer by @dokterbob in #1376
- Prevent automatic oauth login after logout by @ModEnter in #1362
- Update README.md by @willydouhard in 1d3ffd4
- Don't run code during import, don't import LiteralDataLayer by default by @dokterbob in #1382
- Update readme by @constantinidan in #1351
- Python fixes by @EWouters in #1353
- Get rid of context from SQL Alchemy data layer, fix SQLite support by @DanielAvdar in #1319
- Add get_element() and test infra for sql_alchemy.py by @hayescode in #1346
- YAML fixes, restrict GH Actions perms by @EWouters in #1349
- Markdownlint fixes by @EWouters in #1348
- Small text fixes by @EWouters in #1347
New Contributors
- @ModEnter made their first contribution in #1362
- @constantinidan made their first contribution in #1351
- @DanielAvdar made their first contribution in #1319
- @hayescode made their first contribution in #1346
Full Changelog: 1.2.0...1.3.0rc0
1.2.0rc0
Add experimental assistant feature
1.2.0
Security
- Fixed critical vulnerabilities allowing arbitrary file read access (#1326)
- Improved path traversal protection in various endpoints (#1326)
Added
- Hebrew translation JSON (#1322)
- Translation files for Indian languages (#1321)
- Support for displaying function calls as tools in Chain of Thought for LlamaIndexCallbackHandler (#1285)
- Improved feedback UI with refined type handling (#1325)
Changed
- Upgraded cryptography from 43.0.0 to 43.0.1 in backend dependencies (#1298)
- Improved GitHub Actions workflow (#1301)
- Enhanced data layer cleanup for better performance (#1288)
- Factored out callbacks with extensive test coverage (#1292)
- Adopted strict adherence to Semantic Versioning (SemVer)
Fixed
- Websocket connection issues when submounting Chainlit (#1337)
- Show_input functionality on chat resume for SQLAlchemy (#1221)
- Negative feedback class incorrectness (#1332)
- Interaction issues with Chat Profile Description Popover (#1276)
- Centered steps within assistant messages (#1324)
- Minor spelling errors (#1341)
Development
1.1.404
Breaking Changes
- Python Version: This release requires Python 3.9 or higher. Please ensure you're using a compatible Python version before upgrading.
- Containerized Deployments: If you're using containerized deployments, you may need to specify --host 0.0.0.0 for your container to work correctly with the new security changes.
What's Changed
- add css class based on active theme by @haskinsjg in #1201
- Ignore missing type stubs in Azure datalake. by @dokterbob in #1197
- fix: lc callback by @willydouhard in #1203
- Stop ignoring poetry lockfile. #1190 by @dokterbob in #1191
- Black isort as dev deps in pyproject.toml by @dokterbob in #1217
- Unbreak the build by @dokterbob in #1236
- fix: edit_message in correct place in config.toml by @EWouters in #1218
- #1178 Fix AttributeError: 'ChatCompletionChunk' object has no attribute 'get' by @dvquy13 in #1229
- Python unittest structure by @dokterbob in #1245
- Gracefully handle HTTP errors when sending steps by @oshoma in #1248
- Cleanup Python 3.9 by @EWouters in #1250
- modify config.py by @raihanou1 in #861
- Adding CHAINLIT_APP_ROOT to modify APP_ROOT by @MervinPraison in #1259
- fix: resolve #828 by updating websocket's thread id header with currentThreadId to ensure session continuation after backend restart by @qtangs in #996
- Various improvements in tests/CI by @dokterbob in #1271
- Data layer refactor/cleanup by @dokterbob in #1277
- Revert "Data layer refactor/cleanup" by @dokterbob in #1287
- Changelog for version 1.2.0. by @dokterbob in #1289
- Fix publish workflow. by @dokterbob in #1299
- Correct 1.2.0 release date in changelog by @dokterbob in #1297
- Fix publishworkflow again by @dokterbob in #1300
- Update pyproject with correct package version. by @dokterbob in #1302
New Contributors
- @haskinsjg made their first contribution in #1201
- @dokterbob made their first contribution in #1197
- @EWouters made their first contribution in #1218
- @dvquy13 made their first contribution in #1229
- @oshoma made their first contribution in #1248
- @raihanou1 made their first contribution in #861
- @MervinPraison made their first contribution in #1259
Full Changelog: 1.1.402...1.1.404