Skip to content

v0.9.6

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 25 Jun 22:25
v0.9.6
92a7d36
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

reflex v0.9.6 ships alongside reflex-base 0.9.6, reflex-components-core 0.9.6, reflex-components-moment 0.9.2, and reflex-components-plotly 0.9.3.

Features

  • rx._x.hybrid_property now works on dataclasses, Pydantic models, and SQLAlchemy models, not just State classes. Accessed through an object var on the frontend (e.g. State.info.a_b), it renders as a var using the same code as the backend β€” and now raises a clear error if the frontend logic reads a backend (underscore-prefixed) var instead of silently baking in the server-side default. (#6617, #6621)
  • Auto-memoized (rx.memo) components now compile to per-module output paths. Each emits to a .web/app_components/ path mirroring its defining Python module instead of a single shared components.jsx, so identically-rendered subtrees in different modules no longer overwrite each other and same-named memos across modules can coexist on one page. (#6457)
  • reflex init now writes a managed AGENTS.md section (preserving your surrounding content) and bridges it to Claude Code via a CLAUDE.md that imports @AGENTS.md. (#6620)
  • StringVar gained lstrip and rstrip, and strip now accepts an optional chars argument, matching Python's str API. (#5417)
  • rx.plotly accepts a locale prop to localize number/date formatting and modebar labels; the matching plotly.js-locales data is resolved and merged automatically per chart. (#6428)
  • package.json generation accepts extra keys. package_json_template takes **additional_keys (e.g. name, packageManager, engines), and reflex.lock/package.json is now synced to .web/package.json before install so the manifest and lockfile stay aligned. (#6658)

Bug Fixes

  • πŸ”’ Security β€” minimum dependency versions raised (#6665):
    • starlette >= 1.3.1 β€” Host-header path poisoning, request.form() DoS, and UNC-path SSRF
    • python-multipart >= 0.0.32 β€” querystring DoS, unbounded header field size, and negative Content-Length buffering in parse_form
    • granian >= 2.7.4 β€” WSGI and WebSocket header-panic DoS
    • bundled vite β†’ 8.0.16 β€” server.fs.deny bypass on Windows alternate paths (CVE-2026-53571)
  • Bound arguments now pass through to upload handlers, so on_drop=State.handle_upload(rx.upload_files(...), field) forwards field to the backend instead of raising a missing-argument error. (#5290)
  • rx.cond preserves literal string types, so rx.cond(State.flag, "green", "red") infers Var[Literal["green", "red"]] instead of widening to Var[str] β€” fixing Pyright errors on props like Radix color_scheme. (#6545)
  • rx.debounce_input no longer crashes with ReferenceError: input is not defined when wrapping a native DOM element such as rx.el.input or rx.el.textarea. (#6637)
  • rx.moment pins moment-timezone to exactly 0.6.2 (instead of a caret range) for reproducible frontend installs. (#6649)
  • modify_state rebinds the event token correctly, so delta resolution and computed vars in shared-state fan-out tasks observe the right client token. (#6673)
  • Avoid re-entering config loading when a State subclass is defined in rxconfig.py. (#6662)

Miscellaneous

  • pyi_hashes.json entries are now computed from the final .pyi content (after ruff format / ruff check --fix), so formatting-only generator changes no longer flag spurious hash changes.

Full Changelog: v0.9.5.post2...reflex-components-core-v0.9.6

Assets 2
Loading