PyPi: Marimo

CVE-2024-45296

Transitive

Safety vulnerability ID: 73202

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 09, 2024 Updated at Dec 31, 2024

Advisory

A security vulnerability in the path-to-regexp library has been addressed in the Marimo project by updating the dependency from version 7.1.0 to 8.0.0.

Affected package

marimo

Latest version: 0.10.9

A library for making reactive notebooks and apps

Affected versions

Fixed versions

Vulnerability changelog

What's Changed

Highlights

**📸 Automatically snapshot notebooks as HTML** This release includes a notebook-level configuration that, when enabled, periodically and automatically snapshots your notebook as HTML, saving the snapshot to a folder `.marimo` in the notebook directory.

This allows you to enjoy the best of both worlds — your notebooks are stored as pure Python, while your outputs are automatically stashed to a directory for later viewing.

**📦 Package sandbox improvements.** We've simplified marimo's package sandbox: now, when you open a marimo notebook with

```bash
marimo edit --sandbox notebook.py
```

marimo will automatically track the packages used by your notebook and save them in the notebook as inline script metadata, along with their versions.

**🐍 IPython/Jupyter compatibility.** We've increased our compatibility with Jupyter/IPython rendering, adding support for `_repr*_` methods as well as mimebundles.

All changes

* fix(deps): update dependency path-to-regexp to v8 [security] by renovate in https://github.com/marimo-team/marimo/pull/2289
* fix: vegafusion rendering when used outside mo.ui.altair_chart by mscolnick in https://github.com/marimo-team/marimo/pull/2285
* improvement: hide pure markdown code in html export by mscolnick in https://github.com/marimo-team/marimo/pull/2286
* feat: add Auto-export to markdown or html from the marimo editor by mscolnick in https://github.com/marimo-team/marimo/pull/2290
* fix: boolean charts in table headers for pandas by mscolnick in https://github.com/marimo-team/marimo/pull/2291
* improvement: set maximum bar width with column summaries by mscolnick in https://github.com/marimo-team/marimo/pull/2292
* feat: support more mime types by mscolnick in https://github.com/marimo-team/marimo/pull/2294
* fix: latex mime, exclude text/plain, depcheck perf by mscolnick in https://github.com/marimo-team/marimo/pull/2295
* fix: cleanup download terminology by mscolnick in https://github.com/marimo-team/marimo/pull/2298
* fix: pandas filtering for string n/a by mscolnick in https://github.com/marimo-team/marimo/pull/2300
* improvement: handle fallback _repr_mime_ in formatters by mscolnick in https://github.com/marimo-team/marimo/pull/2304
* fix: handle altair usermeta embed_options manually by mscolnick in https://github.com/marimo-team/marimo/pull/2303
* improvement: simplify inline metadata config, turn on only in --sandbox by mscolnick in https://github.com/marimo-team/marimo/pull/2305
* improvement: include version in --sandbox by mscolnick in https://github.com/marimo-team/marimo/pull/2306
* fix: Open destination path on notebook copy by wasimsandhu in https://github.com/marimo-team/marimo/pull/2308
* improvement: move auto-download to app config by mscolnick in https://github.com/marimo-team/marimo/pull/2309
* 0.8.15 by akshayka in https://github.com/marimo-team/marimo/pull/2310


**Full Changelog**: https://github.com/marimo-team/marimo/compare/0.8.14...0.8.15

Resources
