Chainlit

Latest version: v1.3.2

Page 1 of 12

2.0rc0

Not secure
Security Advisory
**IMPORTANT**:
- The element feature currently contains a known security vulnerability that could allow unauthorized file access. We strongly recommend against using elements in production environments until a comprehensive fix is implemented in an upcoming release.

Changed
- **[breaking]**: Completely revamped audio implementation (1401, 1410):
  - Replaced `AudioChunk` with `InputAudioChunk` and `OutputAudioChunk`
  - Changed default audio sampling rate from 44100 to 24000
  - Removed several audio configuration options (`min_decibels`, `initial_silence_timeout`, `silence_timeout`, `chunk_duration`, `max_duration`)
  - Removed `RecordScreen` component
- Factored storage clients into separate modules (1363)

Added
- Realtime audio streaming and processing (1401, 1406, 1410):
  - New `AudioPresence` component for visual representation
  - Implemented `WavRecorder` and `WavStreamPlayer` classes
  - Introduced new `on_audio_start` callback
  - Added audio interruption functionality
  - New audio connection signaling with `on` and `off` states
- Interactive DataFrame display with auto-fit content using MUI Data Grid (1373, 1467)
- Optional websocket connection in react-client (1379)
- Enhanced image interaction with popup view and download option (1402)
- Current URL included in message payload (1403)
- Allow empty chat input when submitting attachments (1261)

Fixes
- Various backend fixes and cleanup (1432):
  - Use `importlib.util.find_spec` to check if a package is installed
  - Use `raise... from` to wrap exceptions
  - Fix error message in Discord integration
  - Several minor fixups/cleanup

Development
- Implemented ruff for linting and formatting (1495)
- Added mypy daemon for faster type-checking (1495)
- Added GitHub Actions linting (1445)
- Enabled direct installation from GitHub (1423)
- Various build script improvements (1462)

1.3.2

Not secure
Security Advisory
**IMPORTANT**:
- This release drops support for FastAPI versions before 0.115.3 and Starlette versions before 0.41.2 due to a severe security vulnerability (CVE-2024-47874). We strongly encourage all downstream dependencies to upgrade as well.
- This release still contains a known security vulnerability in the element feature that could allow unauthorized file access. We strongly recommend against using elements in production environments until a comprehensive fix is implemented in an upcoming release.

Security
- **[breaking]** Updated dependencies to address critical issues (1493):
  - Upgraded fastapi to 0.115.3 to address CVE-2024-47874 in Starlette
  - Upgraded starlette to 0.41.2 (required for security fix)
  - Upgraded werkzeug to 3.0.6

Note: This is a breaking change as older FastAPI versions are no longer supported.
To prioritize security, we opted to break with semver on this particular occasion.

Fixed
- Resolved incorrect message ordering in UI (1501)

1.3.1

Not secure
Security Advisory

- **IMPORTANT**: This release temporarily reverts the file access security improvements from 1.3.0 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release.
- A comprehensive security fix will be implemented in an upcoming release.

Changed

- Reverted authentication requirements for file access endpoints to restore element functionality (1474)

Development

- Work in progress on implementing HTTP-only cookie authentication for proper security (1472)

1.3.0

Security

- Fixed critical endpoint security vulnerabilities (1441)
- Enhanced authentication for file-related endpoints (1431)
- Upgraded frontend and backend dependencies to address security issues (1431)

Added

- SQLite support in SQLAlchemy integration (1319)
- Support for IETF BCP 47 language tags, enabling localized languages like es-419 (1399)
- Environment variables `OAUTH_<PROVIDER>_PROMPT` and `OAUTH_PROMPT` to override the OAuth prompt parameter, enabling users to explicitly enable login/consent prompts for OAuth, e.g. `OAUTH_PROMPT=consent` to prevent automatic re-login (1362, 1456).
- Added `get_element()` method to SQLAlchemyDataLayer (1346)

Changed

- Bumped LiteralAI dependency to version 0.0.625 (1376)
- Optimized LiteralDataLayer for improved performance and consistency (1376)
- Refactored context handling in SQLAlchemy data layer (1319)
- Updated package metadata with correct authors, license, and documentation links (1413)
- Enhanced GitHub Actions workflow with restricted permissions (1349)

Fixed

- Resolved dialog boxes extending beyond window bounds (1446)
- Fixed tasklist functionality when Chainlit is submounted (1433)
- Corrected handling of `display_name` in PersistentUser during authentication (1425)
- Fixed SQLAlchemy identifier quoting (1395)
- Improved spaces handling in avatar filenames (1418)

Development

- Implemented extensive test coverage for LiteralDataLayer and SQLAlchemyDataLayer
- Added comprehensive unit tests for file-related endpoints
- Enhanced code organization and import structure
- Improved Python code style and linting (1353)
- Resolved various small text and documentation issues (1347, 1348)

1.2.0

Not secure
Security

- Fixed critical vulnerabilities allowing arbitrary file read access (1326)
- Improved path traversal protection in various endpoints (1326)

Added

- Hebrew translation JSON (1322)
- Translation files for Indian languages (1321)
- Support for displaying function calls as tools in Chain of Thought for LlamaIndexCallbackHandler (1285)
- Improved feedback UI with refined type handling (1325)

Changed

- Upgraded cryptography from 43.0.0 to 43.0.1 in backend dependencies (1298)
- Improved GitHub Actions workflow (1301)
- Enhanced data layer cleanup for better performance (1288)
- Factored out callbacks with extensive test coverage (1292)
- Adopted strict adherence to Semantic Versioning (SemVer)

Fixed

- Websocket connection issues when submounting Chainlit (1337)
- Show_input functionality on chat resume for SQLAlchemy (1221)
- Negative feedback class incorrectness (1332)
- Interaction issues with Chat Profile Description Popover (1276)
- Centered steps within assistant messages (1324)
- Minor spelling errors (1341)

Development

- Added documentation for release engineering process (1293)
- Implemented testing for FastAPI version matrix (1306)
- Removed wait statements from E2E tests for improved performance (1270)
- Bumped dataclasses to latest version (1291)
- Ensured environment loading before other imports (1328)

1.1.404

Not secure
Security

- **[breaking]**: Listen on 127.0.0.1 (localhost) instead of 0.0.0.0 (public) (861).
- **[breaking]**: Dropped support for Python 3.8, solving dependency resolution, addressing vulnerable dependencies (1192, 1236, 1250).

Fixed

- Frontend connection resuming after connection loss (828).
- Gracefully handle HTTP errors in data layers (1232).
- AttributeError: 'ChatCompletionChunk' object has no attribute 'get' in llama_index (1229).
- `edit_message` in correct place in default config, allowing users to edit messages (1218).

Added

- `CHAINLIT_APP_ROOT` environment variable to modify `APP_ROOT`, enabling the ability to set the location of `config.toml` and other setting files (1259).
- Poetry lockfile in Git repository for reproducible builds (1191).
- pytest-based testing infrastructure, first unit tests of backend and testing on all supported Python versions (1245 and 1271).
- Black and isort added to dev dependencies group (1217).

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.