⬆️ 🤖 Dependencies: bump nicegui from 1.4.9 to 3.4.0

[dependabot]

Bumps nicegui from 1.4.9 to 3.4.0.

Release notes

Sourced from nicegui's releases.

v3.4.0

Security

• ⚠️ Prevent arbitrary file access when using app.add_media_files (GHSA-hxp3-63hc-5366 by @​y4rvin, @​evnchn, @​falkoschindler)
• ⚠️ Prevent XSS attacks via user-defined content for ui.add_css, ui.add_scss, or ui.add_sass (GHSA-72qc-wxch-74mg by @​twmoon, @​evnchn, @​falkoschindler)
• ⚠️ Prevent XSS attacks via user-defined SVG content in ui.interactive_image using a new sanitize parameter (GHSA-2m4f-cg75-76w2 by @​twmoon, @​evnchn, @​falkoschindler)

New features and enhancements

• Let element.clear() return the element (builder pattern) (#5461 by @​falkoschindler, @​evnchn)
• Support wildcard routing in ui.sub_pages (#5437, #5440, #5529, #5530, #5541 by @​davetapley, @​evnchn, @​falkoschindler, @​rodja)
• Lazily start active link refresher task (#5438 by @​bulletmark, @​evnchn, @​falkoschindler)
• Remove orjson dependency for PyPy (#5161 by @​evnchn, @​falkoschindler)
• Load Vue components faster (#5496 by @​evnchn)
• Load codehilite.css faster (#5497 by @​evnchn, @​falkoschindler)
• Load headwind.css faster (#5513 by @​evnchn)
• Allow emitting events from other threads (#4985, #5546 by @​MaidScientistIzutsumiMarin, @​rodja, @​ftilde, @​evnchn, @​falkoschindler)
• Allow upgrading to pywebview 6 (#5555 by @​paco-sevilla, @​evnchn, @​falkoschindler)
• Drop support for non-ESM support browsers (#5514 by @​evnchn)
• Warn about accidental script mode due to missing shared=True in ui.add_head_html (#5472, #5478 by @​davetapley, @​evnchn, @​falkoschindler)
• Forward --clean and --noconfirm to pyinstaller in nicegui-pack (#5469 by @​himbeles)
• Raise exception when trying to run script mode in REPL (#5414, #5456 by @​defkev, @​falkoschindler, @​evnchn, @​python-and-novella, @​plambertgis)
• Compile SASS and SCSS in the browser (#5321, #5449 by @​falkoschindler, @​evnchn)

Deprecation

• ⚠️ Deprecate ui.add_scss and ui.add_sass in favor of ui.add_css (#5321, #5449 by @​falkoschindler, @​evnchn)

Bugfixes

• Fix .tooltip() for complex elements like ui.table (#5447, #5482 by @​pandabearcodes, @​python-and-novella, @​evnchn, @​himbeles, @​falkoschindler)
• Fix sizing problem of ui.interactive_image (#5479, #5517 by @​daniel-anderberg, @​evnchn, @​falkoschindler)
• Fix default values of ui.range (#5467 by @​Mick235711)
• Fix padding of horizontal ui.stepper (#5434, #5463 by @​Buruxianian, @​evnchn, @​falkoschindler)

Documentation

• Show a screenshot per example on the website (#4391, #5044 by @​kler, @​leocjj, @​rodja, @​falkoschindler, @​evnchn)
• Improve loading speed (#5507, #5515 by @​evnchn)
• Add a note about native mode on Windows requiring .NET (#5544 by @​phifuh, @​falkoschindler)
• Add missing link in ui.sub_pages demo (#5498, #5504 by @​evnchn, @​falkoschindler)
• Remove error message "The type of the None singleton." (#5488, #5489 by @​evnchn)

Testing

• Add possibility to perform tests without NiceGUI pytest plugins (#5377, #5380 by @​himbeles, @​evnchn, @​rodja, @​falkoschindler)

Dependencies

• Bump actions/checkout from 5 to 6 (#5506 by @​dependabot)

... (truncated)

Commits

• 6502fb3 fix pytest for ui.interactive_image
• a1b89e2 Merge commit from fork
• a8fd25b Merge commit from fork
• 58ad0b3 Merge commit from fork
• f65751f update contributors
• b1fed78 Allow upgrading to pywebview 6 (#5555)
• 97c6b1e Add extras to dev dependencies (#5547)
• 7b22b5c add a note about the .NET dependency on Windows (fixes #5544)
• 35b9557 Treat task id 0 as always running for Slot (#5546)
• 77019a6 robustify some pytests
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[llamapreview]

AI Code Review by LlamaPReview

🎯 TL;DR & Recommendation

Recommendation: Request Changes

This PR upgrades NiceGUI from 1.4.9 to 3.4.0, a major version jump that has already broken CI linting and prevented test execution, indicating high risk of runtime incompatibility due to undocumented breaking changes.

📈 Findings Summary

Priority	File	Category	Impact Summary	Anchors
P1	pyproject.toml	Architecture	Major version upgrade causes CI lint failure and runtime incompatibility.	—
P1	pyproject.toml	Testing	CI test jobs skipped, preventing workflow verification.	—
P2	pyproject.toml	Security	Security fixes applied, but exposure needs manual review.	—
P2	pyproject.toml	Maintainability	Future development risks using deprecated APIs without audit.	—
P2	pyproject.toml	Performance	Performance changes speculative, require monitoring post-upgrade.	—

🔍 Notable Themes

• All findings originate from the NiceGUI major version bump (1.x → 3.x), underscoring the necessity for a systematic migration plan—including code audit for API changes, fix linting issues, ensure test coverage, and monitor for regressions—before merging.

📈 Risk Diagram

This diagram illustrates the risk of dependency upgrade breaking CI and causing unverified runtime changes.

sequenceDiagram
    participant D as Dependabot
    participant P as pyproject.toml
    participant C as CI Pipeline
    participant A as Application
    D->>P: Bump nicegui to 3.4.0
    P->>C: Trigger lint/test jobs
    C->>C: Lint fails (API incompatibility)
    note over C: R1(P1): Major version upgrade causing API incompatibility and lint failure
    C->>A: Tests skipped, no verification
    A->>A: Potential runtime failures
    note over A: Risk of silent failures due to breaking changes

Loading

---

💡 Have feedback? We'd love to hear it in our GitHub Discussions.
✨ This review was generated by LlamaPReview Advanced, which is free for all open-source projects. Learn more.

[llamapreview]

P1 | Confidence: High

• This major version upgrade (1.x → 3.x) represents a significant architectural shift. The release notes indicate breaking changes including deprecations of ui.add_scss and ui.add_sass, API changes to ui.interactive_image (new sanitize parameter), and security hardening. The CI/CD results show a linting failure, which is immediate evidence of incompatibility. This is not a speculative failure - the deterministic path is: dependency change → incompatible API usage → lint/test failure. Without code changes to adapt to the new API, this will cause runtime failures.
• The CI pipeline shows multiple test-related jobs were skipped (build, test, release), while lint failed. This indicates the upgrade has broken the development workflow before tests could even run. The lint / ⚡ Lint (UV) failure is a direct consequence of the version bump, suggesting type checking or import errors that prevent the test suite from executing. This creates a high-risk situation where we cannot verify if the application works post-upgrade.
• Speculative: The release notes highlight security fixes for XSS vulnerabilities in ui.interactive_image, ui.add_css/add_scss/add_sass, and app.add_media_files. While upgrading addresses known CVEs, the related_context queries found no usage of these specific functions. However, if the application uses user-generated content in UI components, the upgrade provides critical protection. The absence of findings doesn't guarantee safety—manual review of UI code paths is needed to confirm exposure.
• Speculative: Major version jumps often introduce behavioral changes beyond documented breaking changes. The release notes mention deprecation of ui.add_scss and ui.add_sass, removal of non-ESM browser support, and changes to element.clear() return value. Even if current code doesn't use these APIs (per empty related_context), future development could inadvertently use deprecated patterns. A systematic audit of NiceGUI usage against the 3.x migration guide is required to prevent technical debt.
• Speculative: The release notes mention performance improvements (faster Vue component loading, CSS loading optimizations, lazy task starting). However, without performance baselines or identified bottlenecks in the application, these benefits are theoretical. The upgrade could also introduce performance regressions in untested code paths. Recommend monitoring application metrics post-upgrade to validate any performance impact.