From f7b76789bbad3c274a6db9e771f6244bf1fe6003 Mon Sep 17 00:00:00 2001 From: Mathijs de Bruin Date: Thu, 7 Nov 2024 13:09:01 +0000 Subject: [PATCH] Bump changelog for 1.3.2 and 2.0rc0. --- CHANGELOG.md | 167 +++++++++++++++++++++++++-------------------------- 1 file changed, 81 insertions(+), 86 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb58059a0d..d6a8c34e0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,12 +4,92 @@ All notable changes to Chainlit will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [1.3.2] - 2024-11-08 + +### Security Advisory +**IMPORTANT**: +- This release drops support for FastAPI versions before 0.115.3 and Starlette versions before 0.41.2 due to a severe security vulnerability (CVE-2024-47874). We strongly encourage all downstream dependencies to upgrade as well. +- This release still contains a known security vulnerability in the element feature that could allow unauthorized file access. We strongly recommend against using elements in production environments until a comprehensive fix is implemented in an upcoming release. + +### Security +- **[breaking]** Updated dependencies to address critical issues (#1493): + - Upgraded fastapi to 0.115.3 to address CVE-2024-47874 in Starlette + - Upgraded starlette to 0.41.2 (required for security fix) + - Upgraded werkzeug to 3.0.6 + +Note: This is a breaking change as older FastAPI versions are no longer supported. +To prioritize security, we opted to break with semver on this particular occasion. + +### Fixed +- Resolved incorrect message ordering in UI (#1501) + +## [2.0rc0] - 2024-11-08 + +### Security Advisory +**IMPORTANT**: +- This release drops support for FastAPI versions before 0.115.3 and Starlette versions before 0.41.2 due to a severe security vulnerability (CVE-2024-47874). We strongly encourage all downstream dependencies to upgrade as well. +- The element feature currently contains a known security vulnerability that could allow unauthorized file access. We strongly recommend against using elements in production environments until a comprehensive fix is implemented in an upcoming release. 
+ +### Changed +- **[breaking]**: Completely revamped audio implementation: + - Replaced `AudioChunk` with `InputAudioChunk` and `OutputAudioChunk` + - Changed audio sampling rate from 44100 to 24000 + - Removed several audio configuration options (`min_decibels`, `initial_silence_timeout`, `silence_timeout`, `chunk_duration`, `max_duration`) + - Modified `on_audio_end` callback + - Removed `RecordScreen` componenta + - Removed several audio-related configuration options from `config.toml` + +### Security +- Comprehensive security updates: + - **[breaking]** Upgraded fastapi to 0.115.3 and starlette to 0.41.2 to address severe security vulnerability CVE-2024-47874 (#1493) + - Note: This is a breaking change as older FastAPI versions are no longer supported + - Added authentication for file uploads (#1441, #1472) + - Updated starlette, werkzeug, and frontend dependencies (#1431, #1414) + +### Added +- Realtime audio streaming and processing (#1401, #1406, #1409): + - New `AudioPresence` component for visual representation + - Implemented `WavRecorder` and `WavStreamPlayer` classes + - Introduced new `on_audio_start` callback + - Added audio interruption functionality + - New audio connection signaling with `on` and `off` states +- Interactive DataFrame display with auto-fit content using MUI Data Grid (#1373, #1467) +- Optional websocket connection in react-client (#1379) +- Enhanced image interaction with popup view and download option (#1402) +- Configurable user session timeout and OAuth prompt settings (#1032, #1456) +- Support for IETF BCP 47 language tags (e.g., es-419) (#1399) +- Current URL included in message payload (#1403) + +### Fixed +- Enhanced UI interactions: + - Allow empty chat input when submitting attachments (#1261) + - Fixed dialog boxes extending beyond window bounds (#1446) + - Fixed spaces in avatar filenames (#1418) +- Improved messaging and displays: + - Resolved incorrect message ordering (#1501) + - Fixed tasklist functionality when 
Chainlit is submounted (#1433) + - Fixed display_name copying during authentication (#1425) + - Fixed step argument input and concurrency issues (#1409) +- Fixed SQLAlchemy identifier quoting (#1395) + +### Development +- Comprehensive build and CI improvements: + - Implemented ruff for linting and formatting (#1495) + - Added mypy daemon for faster type-checking (#1495) + - Added GitHub Actions linting (#1445) + - Enabled direct installation from GitHub (#1423) + - Various build script improvements (#1462) +- Enhanced codebase organization: + - Factored storage clients into separate modules (#1363) + - Extended package metadata (#1413) + - Various backend fixes and cleanup (#1432) + ## [1.3.1] - 2024-10-25 ### Security Advisory - **IMPORTANT**: This release temporarily reverts the file access security improvements from 1.3.0 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release. -- A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release. +- A comprehensive security fix will be implemented in an upcoming release. ### Changed 
@@ -59,91 +139,6 @@ override oauth prompt parameter. Enabling users to explicitly enable login/conse - Improved Python code style and linting (#1353) - Resolved various small text and documentation issues (#1347, #1348) -## [2.0.dev2] - 2024-10-25 - -### Security Advisory - -- **IMPORTANT**: This release temporarily reverts the file access security improvements from 2.0.dev1 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release. -- A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release. - -### Changed - -- Reverted authentication requirements for file access endpoints to restore element functionality (#1474) - -### Development - -- Work in progress on implementing HTTP-only cookie authentication for proper security (#1472) - -## [2.0.dev1] - 2024-10-22 - -### Added - -- Interactive DataFrame display component using MUI Data Grid (#1373) -- Optional websocket connection in react-client (#1379) -- Current URL in message payload (#1403) -- Improved image interaction - clicking opens popup with download option (#1402) -- Configurable user session timeout (#1032) - -### Security - -- Fixed file access vulnerability in get_file and upload_file endpoints (#1441) -- Added authentication to /project/file endpoint (#1441) -- Addressed security vulnerabilities in frontend dependencies (#1431, #1414) - -### Fixed - -- Dialog boxes extending beyond window (#1446) -- Allow empty chat input when submitting attachments (#1261) -- Tasklist when Chainlit is submounted (#1433) -- Spaces in avatar filenames (#1418) -- Step argument input and concurrency issues (#1409) -- Display_name copying to PersistentUser during authentication (#1425) - -### Development - -- Refactored storage clients into separate modules (#1363) -- Support for IETF BCP 47 
language tags (#1399) -- Improved GitHub Actions workflows and build process (#1445) -- Direct installation from GitHub support (#1423) -- Extended package metadata with homepage and documentation links (#1413) -- Various backend fixes and code cleanup (#1432) - -## [2.0.dev0] - 2024-10-08 - -### Breaking Changes - -- Completely revamped audio implementation: - - Removed `AudioChunk` type, replaced with `InputAudioChunk` and `OutputAudioChunk` - - Changed audio sampling rate from 44100 to 24000 - - Removed several audio configuration options (`min_decibels`, `initial_silence_timeout`, `silence_timeout`, `chunk_duration`, `max_duration`) - - Introduced new `on_audio_start` callback - - Modified `on_audio_end` callback to no longer accept file elements as arguments - -### Added - -- New audio connection signaling with `on` and `off` states -- Introduced `AudioPresence` component for visual representation of audio state -- Added `WavRecorder` and `WavStreamPlayer` classes for improved audio handling -- New `startConversation` and `endConversation` methods in `useAudio` hook -- Implemented audio interruption functionality - -### Changed - -- Updated `useChatInteract` hook to include `startAudioStream` method -- Modified `useChatSession` to handle new audio streaming functionality -- Updated UI components to reflect new audio implementation, including new microphone icons and audio presence indicators -- Refactored `InputBoxFooter` to display audio presence when active - -### Removed - -- Eliminated `RecordScreen` component -- Removed several audio-related configuration options from `config.toml` - -### Development - -- Added new wavtools directory with various audio processing utilities -- Implemented new AudioWorklet processors for more efficient audio handling - ## [1.2.0] - 2024-09-16 ### Security
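Review bot: In the first hunk (`@@ -4,12 +4,92 @@`), the 2.0rc0 `### Security` list says "Added authentication for file uploads (#1441, #1472)" directly under an advisory stating that the element feature still allows unauthorized file access. The 2.0.dev2 entry removed by this same patch recorded that #1474 reverted the authentication requirements for file access endpoints. As written, a reader cannot tell which endpoints are actually protected in 2.0rc0. Suggest stating the net result (what #1441 still covers after the #1474 revert) and referencing #1474 in this entry. Two smaller points in the same hunk: "`RecordScreen` componenta" should read "component", and both new entries are dated 2024-11-08 while the commit is dated 7 Nov 2024, so confirm the dates match the actual release day.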
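Review bot: The second hunk (`@@ -59,91 +139,6 @@`) deletes the dated 2.0.dev0, 2.0.dev1 and 2.0.dev2 entries, and several of their statements are not carried into the new 2.0rc0 entry. The missing items are the #1474 revert of authentication on file access endpoints, the note that `on_audio_end` no longer accepts file elements as arguments, the `startConversation` and `endConversation` methods in the `useAudio` hook, and the `startAudioStream` method on `useChatInteract`. Suggest either keeping the dev entries or folding these items into 2.0rc0 (the #1474 revert under Security, the callback and hook changes under Changed), so that anyone running a dev build can still see in which version file-access authentication was removed.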