chore(deps): update dependency streamlit to v1.54.0 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
streamlit (changelog)	==1.32.0 → ==1.54.0

---

Path traveral in Streamlit on windows

CVE-2024-42474 / GHSA-rxff-vr5r-8cj5

More information

Details

1. Impacted Products

Streamilt Open Source versions before 1.37.0.

2. Introduction

Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

3. Path Traversal Vulnerability

3.1 Description

On May 12, 2024, Streamlit was informed via our bug bounty program about a path traversal vulnerability in the open source library. We fixed and merged a patch remediating the vulnerability on Jul 25, 2024. The issue was determined to be in the moderate severity range with a maximum CVSSv3 base score of 5.9

3.2 Scenarios and attack vector(s)

Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit.

3.3 Resolution

The vulnerability has been fixed in all Streamlit versions released since Jul 25, 2024. We recommend all users upgrade to Version 1.37.0.

4. Contact

Please contact security@snowflake.com if you have any questions regarding this advisory. If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

Severity

• CVSS Score: 6.0 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/streamlit/streamlit/security/advisories/GHSA-rxff-vr5r-8cj5
• https://nvd.nist.gov/vuln/detail/CVE-2024-42474
• https://github.com/streamlit/streamlit/commit/3a639859cfdfba2187c81897d44a3e33825eb0a3
• https://github.com/pypa/advisory-database/tree/main/vulns/streamlit/PYSEC-2024-153.yaml
• https://github.com/advisories/GHSA-rxff-vr5r-8cj5

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure)

CVE-2026-33682 / GHSA-7p48-42j8-8846

More information

Details

Streamlit Open Source Security Advisory

1. Impacted Products

Streamlit Open Source versions prior to 1.54.0 running on Windows hosts.

2. Introduction

Snowflake Streamlit Open Source addressed a security vulnerability affecting Windows deployments related to improper handling and validation of filesystem paths within component request handling. The vulnerability was reported through the responsible disclosure program and has been remediated in Streamlit Open Source version 1.54.0. This issue affects only Streamlit deployments running on Windows operating systems.

3. Server-Side Request Forgery (SSRF) and NTLM Credential Exposure

3.1 Description

Streamlit was informed by a security researcher of an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the ComponentRequestHandler, filesystem paths are resolved using os.path.realpath() or Path.resolve() before sufficient validation occurs.

On Windows systems, supplying a malicious UNC path (e.g., \\attacker-controlled-host\share) can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted.

This behavior may allow an attacker to:

• Perform NTLM relay attacks against other internal services
• Identify internally reachable SMB hosts via timing analysis

Note: The issue is unauthenticated and does not require user interaction.

Captured NTLMv2 challenge-response hashes could be subjected to offline brute-force attacks in an attempt to recover the associated plaintext account password. While NTLMv2 incorporates a server challenge (nonce) that mitigates the use of precomputed rainbow tables, it does not prevent targeted offline password cracking against weak credentials.

Additionally, Microsoft has publicly discouraged the continued use of NTLM in favor of Kerberos and is actively progressing toward disabling NTLM by default in future Windows releases. Organizations that enforce NTLM restrictions, disable outbound NTLM authentication, require SMB signing, or block NTLM authentication to remote servers can reduce or eliminate the risk associated with credential relay or hash exposure scenarios.

As NTLM is considered legacy and increasingly deprecated (though not fully sunset), environments that have already implemented Microsoft-recommended NTLM hardening controls are less likely to be materially impacted. The overall risk therefore depends on the organization's authentication configuration and network security posture.

3.2 Scenarios and Attack Vectors

Streamlit applications running on Windows were vulnerable if component endpoints were exposed to untrusted networks. By appending an attacker-controlled SMB hostname to the URI path and issuing a GET request, the Streamlit server could be coerced into initiating an outbound SMB authentication attempt.

This could result in the leakage of NTLMv2 credential hashes for the Windows account running the Streamlit process.

3.3 Resolution

• The vulnerability has been fixed in Streamlit Open Source version 1.54.0.
• It is recommended that all Streamlit deployments on Windows be upgraded immediately to version 1.54.0 or later.

4. Contact

Please contact security@snowflake.com for any questions regarding this advisory.

If a security vulnerability is discovered in a Streamlit product or website, it should be reported through the responsible disclosure program. For more information, see the Vulnerability Disclosure Policy.

Severity

• CVSS Score: 4.7 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References

• https://github.com/streamlit/streamlit/security/advisories/GHSA-7p48-42j8-8846
• https://github.com/streamlit/streamlit/commit/23692ca70b2f2ac720c72d1feb4f190c9d6eed76
• https://github.com/streamlit/streamlit/releases/tag/1.54.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-33682
• https://github.com/advisories/GHSA-7p48-42j8-8846

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

streamlit/streamlit (streamlit)

v1.54.0

Compare Source

What's Changed

Breaking Changes 🛠

• Remove experimental query params by @​lukasmasuch in #​13142
• Remove deprecated st.experimental_user command by @​lukasmasuch in #​13626
• Set add_rows deprecation warning to show in browser by @​lukasmasuch in #​13628

New Features 🎉

• Use key as main identity for st.dataframe with selections by @​lukasmasuch in #​13558
• Use key as main identity for vega charts with selections by @​lukasmasuch in #​13559
• Add chartDivergingColors theming config option by @​mayagbarnes in #​13581
• Allow dynamically changing in min and max in st.date_input by @​lukasmasuch in #​13549
• Allow dynamically changing min_value and max_value in st.datetime_input when key is provided by @​lukasmasuch in #​13620
• Prepare pandas 3.0 compatibility by @​lukasmasuch in #​13630
• Allow dynamic changes to st.radio options when key is provided by @​lukasmasuch in #​13611
• Support auto-rerun when config.toml is created by @​lukasmasuch in #​13625
• Allow selecting text of pills in the MultiselectColumn and ListColumn by @​lukasmasuch in #​13663
• Prepare for binding widgets to query params - Part 1 by @​mayagbarnes in #​13681
• feat(logo): add support for Material icons and emojis in st.logo by @​rahuld109 in #​13416
• Allow dynamic changes to st.select_slider options when key is provided by @​lukasmasuch in #​13696
• Add "client.showErrorLinks` config option (#​11238)" by @​karubian in #​13472
• Allow dynamic changes to st.pydeck_chart parameters when key is provided by @​lukasmasuch in #​13703
• Support resolving to theme colors configs for charts by @​mayagbarnes in #​13739

Bug Fixes 🐛

• Fix bar chart error with uniform column values by @​sfc-gh-kmcgrady in #​13590
• [fix] Increase max width of uploaded files in st.chat_input by @​sfc-gh-nbellante in #​13589
• [fix] Add defensive check in Manifest Scanner by @​sfc-gh-bnisco in #​13612
• Support new auth features in Starlette by @​lukasmasuch in #​13571
• Hide developer options when toolbarMode="viewer" by @​sfc-gh-dmatthews in #​13623
• Fix SnowflakeConnection.query() cache key to include params by @​sfc-gh-kmcgrady in #​13652
• Fix crash with container elements in spinner context by @​sfc-gh-kmcgrady in #​13659
• Fix a regression with snowflake connection being closed by @​lukasmasuch in #​13665
• Fix TransientNode not capturing BlockNode as anchor when replacing by @​kmcgrady in #​13674
• Fix selectbox and multiselect clearing selections for custom objects by @​lukasmasuch in #​13648
• Fix KeyError when sorting melted bar chart data by @​lukasmasuch in #​13695
• Fix sidebar collapsing on mobile when clicking portaled elements by @​sfc-gh-kmcgrady in #​13653
• [fix] Display wildcard addresses as localhost in URLs by @​sfc-gh-nbellante in #​13720

Other Changes

• [chore] Release v1.53.0 by @​github-actions[bot] in #​13588
• [chore] Release v1.53.1 by @​github-actions[bot] in #​13676

New Contributors

• @​sfc-gh-kmcgrady made their first contribution in #​13590
• @​rahuld109 made their first contribution in #​13416
• @​rishi-kumar0612 made their first contribution in #​13004
• @​karubian made their first contribution in #​13472

Full Changelog: streamlit/streamlit@1.53.1...1.54.0

v1.53.1

Compare Source

Full Changelog: streamlit/streamlit@1.53.0...1.53.1

v1.53.0

Compare Source

What's Changed

Breaking Changes 🛠

• [feat] Move the isolate_styles param in CCv2 by @​sfc-gh-bnisco in #​13518
• [feat] Rename some external CCv2 types by @​sfc-gh-bnisco in #​13515

New Features 🎉

• Support for markdown in the metrics value and delta parameters by @​jensonjohnathon in #​13094
• Make Default Sidebar Width Configurable by @​jose-mindwayai in #​12154
• [feat] Update chat input UI with improved layout and styling by @​sfc-gh-nbellante in #​13088
• Add support for setting metric delta colors from color palette by @​lukasmasuch in #​13153
• Support configuring the format in st.metric by @​lukasmasuch in #​13193
• Support for markdown in select_slider options by @​jensonjohnathon in #​12960
• Navigate to home page on logo click by @​lukasmasuch in #​13222
• Add max_upload_size parameter to file_uploader and chat_input by @​rishabhjain1712 in #​12816
• Allow only adding or deleting rows in st.data_editor by @​lukasmasuch in #​13228
• Add icon_position support for button-like components by @​SiddhantSadangi in #​13150
• [feat] Add headingFontSize1-6 and headingFontWeight1-6 CSS Custom Properties by @​sfc-gh-bnisco in #​13268
• [feat] Enhance st.chat_input file upload UI with improved file chips and retry functionality by @​sfc-gh-nbellante in #​13223
• Add icon support to dialogs by @​KaranPradhan266 in #​13244
• Allow dynamic changes to selectbox options when key is provided by @​lukasmasuch in #​13383
• Add path tooltip on st.json value click by @​lukasmasuch in #​13113
• Support passing list of pydantic objects as dataframe-like structure by @​lukasmasuch in #​13348
• [feat] Update AGENTS rules for better a11y practices by @​sfc-gh-bnisco in #​13411
• [feat] Update eslint rules for better a11y support by @​sfc-gh-bnisco in #​13412
• Expose OIDC tokens by @​velochy in #​12044
• Support pre-defined formats in format of st.slider by @​lukasmasuch in #​13392
• Add on_release to st.cache_resource. by @​sfc-gh-jkinkead in #​13439
• Add gaps and sizes for xxsmall, xsmall, xlarge, xxlarge in st.container/columns/space by @​sfc-gh-tteixeira in #​13345
• Add new session_duration_seconds_total stats by @​vdonato in #​13414
• Add session scoping to caches. by @​sfc-gh-jkinkead in #​13482
• [feat] Simplify chat input UI with single-row layout for basic configurations by @​sfc-gh-nbellante in #​13364
• Add session-scoped connection support. by @​sfc-gh-jkinkead in #​13506
• [feat] Allow for optional js, css, and html params in CCv2 by @​sfc-gh-bnisco in #​13511
• Allow dynamically changing in min, max and step in st.number_input by @​lukasmasuch in #​13512
• Add optional support for running Streamlit with Starlette by @​lukasmasuch in #​13375
• Add SnowflakeCallersRightsConnection. by @​sfc-gh-jkinkead in #​13538
• Allow dynamic changes to multiselect options when key is provided by @​lukasmasuch in #​13448
• fix(multiselect): preserve scroll position when removing items by @​kagawa0710 in #​13384
• Add experimental ASGI app entry point for advanced server configuration by @​lukasmasuch in #​13537
• Allow OAuth redirect_uri to reference current port by @​velochy in #​12251
• Make st.logout use end_session_endpoint if provided in OIDC config (V2) by @​velochy in #​12693
• [feat] Add dynamic layout switching for st.chat_input by @​sfc-gh-nbellante in #​13546

Bug Fixes 🐛

• [fix] improve width/height error message to say "positive integer" by @​sfc-gh-lwilby in #​13206
• Fix unexpected shrinking of logo with top nav by @​lukasmasuch in #​13226
• [fix] Do not render sidebar nav when top nav enabled by @​sfc-gh-bnisco in #​13227
• Implement transient spinners by @​kmcgrady in #​12826
• [fix] Include default in key for CCv2 instances by @​sfc-gh-bnisco in #​13266
• [fix] Ensure key down targeting works for elements in Shadow DOM by @​sfc-gh-bnisco in #​13264
• Fix data editor regression when starting from empty column by @​lukasmasuch in #​13309
• Prevent st.dialog from showing elements from previous dialog by @​lukasmasuch in #​13297
• Fix auth-related issues caused by dependency updates by @​lukasmasuch in #​13333
• [Fix] Theme preference persistence across reloads by @​mayagbarnes in #​13306
• [fix] Handle undefined theme properties in CCv2 by @​sfc-gh-bnisco in #​13240
• [fix] Ensure crossOrigin attribute is properly set for CCv2 stylesheets by @​sfc-gh-bnisco in #​13376
• Fix the spinner time text alignment by @​lukasmasuch in #​13388
• [fix] tooltip text leaking with newlines in help by @​sfc-gh-lwilby in #​13365
• [fix] Ensure anchor links in Markdown headers are accessible from keyboard by @​sfc-gh-bnisco in #​13378
• [fix] Ensure help Tooltips are accessible by @​sfc-gh-bnisco in #​13379
• [Fix] st.html handles list indentation by @​mayagbarnes in #​13437
• [Fix] st.selectbox set via session state does not restore initial value by @​mayagbarnes in #​13438
• [Fix] Altair charts with vconcat and hconcat by @​mayagbarnes in #​13423
• Fix custom theme when embedded with embed_options by @​ranmocy in #​13498
• Improve st.number_input precision by @​mayagbarnes in #​13484
• Add ability to clear transient nodes when the script is run by @​kmcgrady in #​13166
• [fix] Correct justifyContents to justifyContent in Icon styled-components by @​sfc-gh-nbellante in #​13557
• [fix] Fix upload button functionality after drag-drop and delete in st.chat_input by @​sfc-gh-nbellante in #​13556

Other Changes

• [chore] Release v1.52.0 by @​github-actions[bot] in #​13186
• [chore] Release v1.52.1 by @​github-actions[bot] in #​13235
• [Fix] Theme hashing by @​mayagbarnes in #​13173
• Use the correct snowflake.com domains by @​lukasmasuch in #​13363
• [chore] Release v1.52.2 by @​github-actions[bot] in #​13390
• [polish] Update chat input file chip border radius to match Figma by @​sfc-gh-nbellante in #​13532
• [Fix] Consolidate border/hover colors by @​mayagbarnes in #​13536
• [feat] Replace inline error messages with tooltips in st.chat_input file upload UI by @​sfc-gh-nbellante in #​13542
• [fix] Update ghost button colors for st.chat_input buttons by @​sfc-gh-nbellante in #​13535
• [fix] Improve st.chat_input file delete button colors by @​sfc-gh-nbellante in #​13554
• [polish] Replace Mic icon with MicNone icon in st.chat_input by @​sfc-gh-nbellante in #​13553
• [fix] Shorten st.chat_input file chip display to adhere to designs by @​sfc-gh-nbellante in #​13555
• [feat] Add image thumbnails to st.chat_input file uploads by @​sfc-gh-nbellante in #​13547

New Contributors

• @​jensonjohnathon made their first contribution in #​13094
• @​jose-mindwayai made their first contribution in #​12154
• @​rishabhjain1712 made their first contribution in #​12816
• @​KaranPradhan266 made their first contribution in #​13244
• @​ranmocy made their first contribution in #​13498
• @​kagawa0710 made their first contribution in #​13384

Full Changelog: streamlit/streamlit@1.52.2...1.53.0

v1.52.2

Compare Source

Full Changelog: streamlit/streamlit@1.52.1...1.52.2

v1.52.1

Compare Source

Full Changelog: streamlit/streamlit@1.52.0...1.52.1

v1.52.0

Compare Source

What's Changed

Breaking Changes 🛠

• Remove native bokeh charts support by @​lukasmasuch in #​12964
• Add deprecation note to add_rows command by @​lukasmasuch in #​13080
• Deprecate kwargs support for st.vega_lite_chart by @​lukasmasuch in #​13141

New Features 🎉

• [feature] support width="content" on st.container by @​sfc-gh-lwilby in #​12848
• [AdvancedLayouts] Add height="content" to st.dataframe and st.data_editor. by @​sfc-gh-lwilby in #​12875
• [AdvancedLayouts] Add height to st.plotly_chart by @​sfc-gh-lwilby in #​12593
• [feat] Add accept_audio parameter to enable audio recording in chat_input by @​sfc-gh-nbellante in #​12836
• [feat] Add help argument and tooltip to st.badge by @​marcolanfranchi in #​12897
• [feat] Add frontend for executing JS in st.html by @​sfc-gh-bnisco in #​12918
• Use key as main identity for st.file_uploader widget by @​lukasmasuch in #​12955
• Use key as main identity for st.camera_input widget by @​lukasmasuch in #​12781
• [feat] Add microphone permission denied error handling to audio components by @​sfc-gh-nbellante in #​12914
• Implement missing placeholder for st.dataframe by @​lukasmasuch in #​12968
• Show warning when hiding index in dynamic data editor by @​lukasmasuch in #​12978
• Add deferred download button by @​sfc-gh-aamadhavan in #​12942
• [feat][TextAlignment] Adds text alignment parameter to st.text by @​sfc-gh-lwilby in #​13032
• Add support for setting spinner as icon by @​lukasmasuch in #​13045
• Add support for Python 3.14 by @​lukasmasuch in #​12967
• Datetime input by @​sfc-gh-aamadhavan in #​13029
• Allow configuring delta arrow in st.metric by @​lukasmasuch in #​12982
• [feat][TextAlignment] add text alignment for heading elements. by @​sfc-gh-lwilby in #​13034
• Support passing query params to st.switch_page by @​lukasmasuch in #​13027
• [feat] Add audio_sample_rate parameter to chat_input for customizable recording quality by @​sfc-gh-nbellante in #​13054
• Add optional uvloop support for better event loop performance by @​lukasmasuch in #​13047
• Allow configuring keyboard shortcuts on buttons by @​lukasmasuch in #​12975
• Support passing query params to st.page_link by @​lukasmasuch in #​13093
• [feat][TextAlignment] Adds text_alignment parameter to markdown elements by @​sfc-gh-lwilby in #​13036

Bug Fixes 🐛

• [fix] st.text_area negative height calculation by @​sfc-gh-lwilby in #​12891
• Fix MultiselectColumn issue when starting with empty rows by @​lukasmasuch in #​12935
• Fix MultiselectColumn shape error when adding data by @​lukasmasuch in #​12936
• [Fix] Font fallback & sidebar page nav font by @​mayagbarnes in #​12948
• [Fix] Disabled widgets show border when showWidgetBorder=true by @​mayagbarnes in #​12949
• [fix] st.pills and st.segmented_control wrapping regression by @​sfc-gh-lwilby in #​12969
• [fix] st.color_picker minimum width constraint by @​sfc-gh-lwilby in #​12962
• Improve metric sparkline hovering efficiency by @​lukasmasuch in #​12983
• [fix] st.dataframe date picker icon visibility in dark mode by @​aritradhabal in #​12994
• [fix] Fixes visual regression with st.audio_input waveform by @​sfc-gh-nbellante in #​13010
• Bump js-yaml from 3.14.1 to 3.14.2 in /component-lib by @​dependabot[bot] in #​13026
• [fix] Do not print warning for placeholder CCv2 definitions by @​sfc-gh-bnisco in #​13043
• [fix] st.feedback icon wrapping with minimum width enforcement by @​sfc-gh-lwilby in #​12970
• Remove upper bound for the packaging package by @​tomtung in #​13073
• Fix empty Markdown code blocks rendering as “undefined” by @​ashm-dev in #​13074
• [fix] segmented control wrapping issue by @​sfc-gh-lwilby in #​12879
• [fix] Ensure key is reflective of data arg in CCv2 instances by @​sfc-gh-bnisco in #​12950
• Fix query parameters not preserved on back navigation by @​lukasmasuch in #​13129
• Enable better file uploading on Android by @​lukasmasuch in #​13132
• [fix] Reclassify Auth Callback Error -> Warning by @​sfc-gh-bnisco in #​13127
• Improve st.line_chart hovering performance by @​lukasmasuch in #​13156

Other Changes

• Docs for Custom Components V2 by @​sfc-gh-dmatthews in #​12877
• [chore] Release v1.51.0 by @​github-actions[bot] in #​12889
• Update FormsContext by @​mayagbarnes in #​12788
• Add ScriptRunContext & ThemeContext by @​mayagbarnes in #​12789
• Add NavigationContext by @​mayagbarnes in #​12790
• Add SidebarConfigContext by @​mayagbarnes in #​12791
• Improve phrasing of st.plotly_chart **kwarg deprecation warning by @​sfc-gh-tteixeira in #​12989
• Add enhancement proposal process by @​lukasmasuch in #​12248
• Add support for altair 6 by @​lukasmasuch in #​13003
• [fix] Conditionally expose files/audio attributes in ChatInputValue based on accept parameters by @​sfc-gh-nbellante in #​13079
• Reduce entry bundle size - Part 1 by @​mayagbarnes in #​13071
• Reduce entry bundle size - Part 2 by @​mayagbarnes in #​13077
• Reduce entry bundle size - Part 3 by @​mayagbarnes in #​13099
• Reduce entry bundle size - Part 4 by @​mayagbarnes in #​13115
• Reduce entry bundle size - Part 5 by @​mayagbarnes in #​13128
• StreamlitMarkdown - module level plugin cache by @​mayagbarnes in #​13152

New Contributors

• @​marcolanfranchi made their first contribution in #​12897
• @​aritradhabal made their first contribution in #​12994
• @​sfc-gh-aamadhavan made their first contribution in #​12942
• @​tomtung made their first contribution in #​13073
• @​Copilot made their first contribution in #​13106

Full Changelog: streamlit/streamlit@1.51.0...1.52.0

v1.51.0

Compare Source

What's Changed

New Features 🎉

• [AdvancedLayouts] Add width to st.plotly_chart by @​sfc-gh-lwilby in #​12559
• Feat: Automatically hide row indices in st.dataframe when row selection is active by @​plumol in #​12448
• [AdvancedLayouts] Add width to st.vega_lite_chart by @​sfc-gh-lwilby in #​12517
• Add codeTextColor config & update linkColor by @​mayagbarnes in #​12562
• [AdvancedLayouts] Add height to st.vega_lite_chart by @​sfc-gh-lwilby in #​12577
• [AdvancedLayouts] Add width to st.pydeck_chart by @​sfc-gh-lwilby in #​12576
• Use key as main identity for st.color_picker by @​lukasmasuch in #​12569
• Add type argument to st.popover to match st.button by @​sfc-gh-tteixeira in #​12598
• [AdvancedLayouts] Add width to st.altair_chart by @​sfc-gh-lwilby in #​12608
• Add cursor kwarg to st.write_stream by @​sfc-gh-tteixeira in #​12597
• In streamlit hello, preload Python modules that are slow to compile in a fresh venv by @​sfc-gh-tteixeira in #​12617
• Reusable Custom Themes via theme.base config by @​mayagbarnes in #​12572
• Make streamlit run with no args mean streamlit run streamlit_app.py by @​sfc-gh-tteixeira in #​12599
• Allow st.feedback to have a default initial value (#​9469) -> #​9658 by @​andreasntr in #​12578
• [AdvancedLayouts] Add height to st.altair_chart by @​sfc-gh-lwilby in #​12630
• [AdvancedLayouts] Modernize height parameter for st.pydeck_chart by @​sfc-gh-lwilby in #​12613
• [AdvancedLayouts] Update width and height on st.map by @​sfc-gh-lwilby in #​12658
• [AdvancedLayouts] Modernize width/height parameters for st.scatter_chart by @​sfc-gh-lwilby in #​12659
• [AdvancedLayouts] Modernize width and height for st.area_chart and st.bar_chart by @​sfc-gh-lwilby in #​12672
• Custom Dark Theme - add light/dark section configurations for theme & theme.sidebar by @​mayagbarnes in #​12680
• Use key as main identity for st.segmented_control widget by @​lukasmasuch in #​12711
• Use key as main identity for st.radio widget by @​lukasmasuch in #​12705
• Use key as main identity for st.audio_input widget by @​lukasmasuch in #​12720
• Add pinned parameter to MultiselectColumn by @​lukasmasuch in #​12714
• Use key as main identity for st.slider and st.select_slider by @​lukasmasuch in #​12575
• Custom Dark Theme - support light/dark config inheritance & populate new session msg by @​mayagbarnes in #​12707
• Use key as main identity for st.chat_input widget by @​lukasmasuch in #​12725
• Add support for auto color to MutliselectColumn using chart colors by @​lukasmasuch in #​12724
• Allow configuring color for ProgressColumn by @​lukasmasuch in #​12738
• Use key as main identity for st.feedback and st.pills widgets by @​lukasmasuch in #​12717
• [AdvancedLayouts] Add stretch height to st.dataframe by @​sfc-gh-lwilby in #​12632
• Custom Dark Theme - theme & sidebar theme creation by @​mayagbarnes in #​12760
• Custom Dark Theme - main & settings menu updates by @​mayagbarnes in #​12761
• [feat] Add API for st.space by @​sfc-gh-lwilby in #​12737
• [feat] Add st.components.v2.components namespace and classes by [@​sfc-gh-bnisco](https://redirect.github.com

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Greetings from the CI/CD pipeline! 🏗️

I've aggregated the results of the automated checks for this PR below.

🏷️ Release Preview

I've checked the 'Feedback' link for the new version. 💬

Current: 0.5.1a1 → Next: 0.5.1a2

Signal	Value
Label	(none)
PR title	chore(deps): update dependency streamlit to v1.54.0 [security]
Bump	alpha

⚠️ No conventional commit prefix — alpha-only bump.
Suggested: fix: update the thing or feat: update the thing

---

🚀 Release Channel Compatibility

Predicted next version: 0.5.1a2

Channel	Status	Note	Current Constraint
Stable	⚪	Not in channel	-
Testing	⚪	Not in channel	-
Alpha	⚪	Not in channel	-

📋 Repo Health

I've checked the repo's posture (aka architectural alignment). 🧘

⚠️ Some required files are missing.

Latest Version: 0.5.1a1

✅ difficult_dialogs/version.py — Version file
❌ README.md — README
❌ LICENSE — License file
✅ pyproject.toml — pyproject.toml
✅ CHANGELOG.md — Changelog
⚠️ requirements.txt — Requirements
✅ difficult_dialogs/version.py has valid version block markers

🔨 Build Tests

The blueprints match the build! 📐

✅ All versions pass

Python	Build	Install	Tests
3.10	✅	✅	✅
3.11	✅	✅	✅
3.12	✅	✅	✅
3.13	✅	✅	✅
3.14	✅	✅	✅

⚖️ License Check

Evaluating the impact of these changes on our licensing. 📈

✅ No license violations found (9 packages).

License distribution: 3× MIT, 2× Apache Software License, 1× Apache-2.0 OR BSD-2-Clause, 1× BSD-3-Clause, 1× MIT License, 1× Mozilla Public License 2.0 (MPL 2.0)

Full breakdown — 9 packages

Package	Version	License	URL
build	1.4.2	MIT	link
certifi	2026.2.25	Mozilla Public License 2.0 (MPL 2.0)	link
charset-normalizer	3.4.6	MIT	link
difficult_dialogs	0.5.1a1	Apache Software License	link
idna	3.11	BSD-3-Clause	link
packaging	26.0	Apache-2.0 OR BSD-2-Clause	link
pyproject_hooks	1.2.0	MIT License	link
requests	2.33.1	Apache Software License	link
urllib3	2.6.3	MIT	link

Policy: Apache 2.0 (universal donor). StrongCopyleft / NetworkCopyleft / WeakCopyleft / Other / Error categories fail. MPL allowed.

📊 Coverage

Charting the progress of our testing efforts. 📉

✅ 99.0% total coverage

Full report: download the coverage-report artifact.

🔒 Security (pip-audit)

Ensuring our defenses are strong against vulnerabilities. 🏰

✅ No known vulnerabilities found (32 packages scanned).

🔍 Lint

Another day, another successful automated run. 🌅

❌ ruff: issues found — see job log

---

Your 24/7 automated code reviewer 🌙