Chainlit

Latest version: v2.2.1


Page 4 of 14

1.3.1

Not secure
Security Advisory

- **IMPORTANT**: This release temporarily reverts the file access security improvements from 1.3.0 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release.
- A comprehensive security fix will be implemented in an upcoming release.

Changed

- Reverted authentication requirements for file access endpoints to restore element functionality (1474)

Development

- Work in progress on implementing HTTP-only cookie authentication for proper security (1472)

1.3.0

Security

- Fixed critical endpoint security vulnerabilities (1441)
- Enhanced authentication for file-related endpoints (1431)
- Upgraded frontend and backend dependencies to address security issues (1431)

Added

- SQLite support in SQLAlchemy integration (1319)
- Support for IETF BCP 47 language tags, enabling localized languages like es-419 (1399)
- Environment variables `OAUTH_<PROVIDER>_PROMPT` and `OAUTH_PROMPT` to override the OAuth prompt parameter, enabling users to explicitly enable login/consent prompts for OAuth, e.g. `OAUTH_PROMPT=consent` to prevent automatic re-login (1362, 1456).
- Added `get_element()` method to SQLAlchemyDataLayer (1346)

Changed

- Bumped LiteralAI dependency to version 0.0.625 (1376)
- Optimized LiteralDataLayer for improved performance and consistency (1376)
- Refactored context handling in SQLAlchemy data layer (1319)
- Updated package metadata with correct authors, license, and documentation links (1413)
- Enhanced GitHub Actions workflow with restricted permissions (1349)

Fixed

- Resolved dialog boxes extending beyond window bounds (1446)
- Fixed tasklist functionality when Chainlit is submounted (1433)
- Corrected handling of `display_name` in PersistentUser during authentication (1425)
- Fixed SQLAlchemy identifier quoting (1395)
- Improved spaces handling in avatar filenames (1418)

Development

- Implemented extensive test coverage for LiteralDataLayer and SQLAlchemyDataLayer
- Added comprehensive unit tests for file-related endpoints
- Enhanced code organization and import structure
- Improved Python code style and linting (1353)
- Resolved various small text and documentation issues (1347, 1348)

1.2.0

Not secure
Security

- Fixed critical vulnerabilities allowing arbitrary file read access (1326)
- Improved path traversal protection in various endpoints (1326)

Added

- Hebrew translation JSON (1322)
- Translation files for Indian languages (1321)
- Support for displaying function calls as tools in Chain of Thought for LlamaIndexCallbackHandler (1285)
- Improved feedback UI with refined type handling (1325)

Changed

- Upgraded cryptography from 43.0.0 to 43.0.1 in backend dependencies (1298)
- Improved GitHub Actions workflow (1301)
- Enhanced data layer cleanup for better performance (1288)
- Factored out callbacks with extensive test coverage (1292)
- Adopted strict adherence to Semantic Versioning (SemVer)

Fixed

- Websocket connection issues when submounting Chainlit (1337)
- Show_input functionality on chat resume for SQLAlchemy (1221)
- Negative feedback class incorrectness (1332)
- Interaction issues with Chat Profile Description Popover (1276)
- Centered steps within assistant messages (1324)
- Minor spelling errors (1341)

Development

- Added documentation for release engineering process (1293)
- Implemented testing for FastAPI version matrix (1306)
- Removed wait statements from E2E tests for improved performance (1270)
- Bumped dataclasses to latest version (1291)
- Ensured environment loading before other imports (1328)

1.1.404

Not secure
Security

- **[breaking]**: Listen on 127.0.0.1 (localhost) instead of 0.0.0.0 (public) (861).
- **[breaking]**: Dropped support for Python 3.8, solving dependency resolution, addressing vulnerable dependencies (1192, 1236, 1250).

Fixed

- Frontend connection resuming after connection loss (828).
- Gracefully handle HTTP errors in data layers (1232).
- AttributeError: 'ChatCompletionChunk' object has no attribute 'get' in llama_index (1229).
- `edit_message` in correct place in default config, allowing users to edit messages (1218).

Added

- `CHAINLIT_APP_ROOT` environment variable to modify `APP_ROOT`, enabling the ability to set the location of `config.toml` and other setting files (1259).
- Poetry lockfile in Git repository for reproducible builds (1191).
- pytest-based testing infrastructure, first unit tests of backend and testing on all supported Python versions (1245 and 1271).
- Black and isort added to dev dependencies group (1217).

1.1.403rc0

Not secure
Fixed

- Langchain Callback handler IndexError
- Attempt to fix websocket issues

1.1.402

Not secure
Added

- The `User` class now has a `display_name` field. It will not be persisted by the data layer.
- The logout button will now reload the page (needed for custom auth providers)
