chore(deps): update dependency nicegui to v3.9.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nicegui	3.8.0 → 3.9.0

GitHub Vulnerability Alerts

CVE-2026-33332

Summary

NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once.

With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service.

Impact

Affected applications: NiceGUI applications that serve media content via app.add_media_file() or app.add_media_files(), particularly those serving large files (video, audio).

What an attacker can do:

• Force the server to load entire files into memory instead of streaming them in chunks
• Amplify memory usage with concurrent requests to large media files
• Cause performance degradation, memory pressure, and potential OOM conditions

Attack difficulty: Low - requires only a crafted query parameter.

Remediation

Upgrade to a patched version of NiceGUI.

As a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer.

---

Release Notes

zauberzeug/nicegui (nicegui)

v3.9.0

Compare Source

Security

• ⚠️ Prevent memory exhaustion via media streaming routes (GHSA-w5g8-5849-vj76 by @​aest3ra, @​Khaliun-sw1, @​evnchn, @​falkoschindler)

New features and enhancements

• Add ui.parallax element based on Quasar Parallax (#​4817 by @​evnchn, @​falkoschindler)
• Add camera controls "trackball" and "map" for ui.scene (#​3710, #​4820 by @​javierlopezrodriguez, @​evnchn, @​falkoschindler)
• Add native window events like shown, resized and file drop to app.native (#​3378, #​5866 by @​EmberLightVFX, @​falkoschindler, @​evnchn)
• Allow app.clients() to return all clients when path is None (#​5853 by @​AlePiccin, @​evnchn, @​falkoschindler)
• Remove KWONLY_SLOTS constant and inline @dataclass arguments (#​5856 by @​falkoschindler, @​evnchn)

Bugfixes

• Fix broken session storage when attaching to a FastAPI app that already has SessionMiddleware (#​2578, #​5857 by @​denniswittich, @​falkoschindler, @​evnchn)
• Fix ui.log scroll to bottom on Firefox (#​5788, #​5842 by @​platinops, @​falkoschindler, @​evnchn)
• Fix sort arrow animation in custom table header cells (#​5870, #​5871 by @​JuliusKoenig, @​falkoschindler, @​evnchn)
• Fix navigation from root page sub-pages to other @ui.page routes (#​5705, #​5777, #​5886 by @​CatamountJack, @​falkoschindler, @​evnchn)
• Fix syntax highlighting in ui.code by always using DOMPurify (#​5877 by @​falkoschindler, @​evnchn)
• Fix find_spec crashes in compiled environments like PyInstaller (#​5747, #​5836 by @​evnchn, @​falkoschindler)
• Fix @ui.refreshable_method refresh only updating last instance (#​5888, #​5890 by @​rodja, @​evnchn)

Documentation

• Use IntersectionObserver for the navigation tree to reduce render time on small screens (#​5832 by @​evnchn, @​falkoschindler)
• Add "Client-Side Secrets" section to security documentation (#​5838 by @​oxqnd, @​evnchn, @​falkoschindler)
• Improve the SVG clock example (#​5854 by @​rolfn, @​falkoschindler, @​evnchn)
• Replace the outdated app.storage.individual API with app.storage.user (#​5874 by @​KrilleGH)
• Fix invalid Python code shown in SPA demo (#​5881 by @​jmerle, @​evnchn, @​falkoschindler)
• Use public API imports in examples, tests, and website (#​5884 by @​falkoschindler)

Testing

• Fix User.should_see for child elements inside hidden containers (#​5873 by @​paco-sevilla, @​falkoschindler)
• Fix User test simulation for select options with None as value (#​5880, #​5883 by @​atollk, @​falkoschindler, @​evnchn)
• Support clicking ui.tab in user simulation (#​5885, #​5887 by @​atollk, @​falkoschindler, @​evnchn)

Dependencies

• Fix Dependabot alerts by upgrading rollup, rimraf and Svelte (#​5844 by @​falkoschindler, @​evnchn)
• Fix Dependabot alerts by upgrading vulnerable npm and pip dependencies (#​5850 by @​falkoschindler, @​evnchn)
• Bump actions/upload-artifact from 6 to 7 (#​5846 by @​dependabot)
• Bump docker/build-push-action from 6 to 7 (#​5861 by @​dependabot)
• Bump docker/setup-qemu-action from 3 to 4 (#​5862 by @​dependabot)
• Bump docker/setup-buildx-action from 3 to 4 (#​5863 by @​dependabot)
• Bump docker/login-action from 3 to 4 (#​5864 by @​dependabot)

---

Special thanks to our top sponsors Lechler GmbH and TestMu AI ✨

and all our other sponsors and contributors for supporting this project!

🙏 Want to support this project? Check out our GitHub Sponsors page to help us keep building amazing features!

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud