chore(deps): bump gradio from 6.15.2 to 6.16.0#171

Merged
amrit110 merged 2 commits into main from dependabot/uv/gradio-6.16.0
Jun 4, 2026

@dependabot (bot) commented on behalf of github on Jun 3, 2026

Bumps gradio from 6.15.2 to 6.16.0.

Release notes

Sourced from gradio's releases.

gradio@6.16.0

Features

  • #13422 96d4fd1 - Make the session heartbeat interval configurable via the GRADIO_HEARTBEAT_INTERVAL environment variable (#13346). Thanks @wjddnwp29!
  • #13459 6320116 - Show a friendly landing page (instead of a raw JSON-RPC error) when the MCP endpoint is opened in a browser. Thanks @ShirGanon!

Fixes

  • #13437 97d541f - Fix path traversal in gr.FileExplorer.preprocess by validating selected paths with _safe_join (consistent with ls()), rejecting absolute/.. paths that escape root_dir. Thanks @abidlabs!
  • #13438 010ee63 - Fix open-redirect bypass in gradio.oauth._redirect_to_target where 4+ leading slashes (or backslashes) in _target_url produced a scheme-relative redirect to an external host, restoring CVE-2026-28415. Thanks @abidlabs!
  • #13240 0d670ad - Fix browser freeze when a dataframe's value is set (e.g. via a tab select event), and only dispatch the tabs select event when the selected tab actually changes. Thanks @freddyaboulton!
  • #13461 702a8b1 - Fix runtime language switching not re-translating component labels/values (only the footer updated). @gradio/utils resolved its own duplicate svelte-i18n instance whose locale store was never updated; the retranslation trigger now uses the live formatter store injected by @gradio/core. Thanks @abidlabs!
  • #13458 939e84c - Defer Node front proxy startup until Python is ready in SSR mode. Thanks @pngwn!
  • #13436 48d0e27 - Fix SSRF in Image/Gallery SVG postprocessing and Audio streaming postprocessing by routing user-influenced URL fetches through safehttpx. Thanks @abidlabs!
  • #13451 29bd7a0 - gr.Dropdown() Fixes. Thanks @dawoodkhan82!

Commits
  • 72f78a2 chore: update versions (#13432)
  • 29bd7a0 gr.Dropdown() Fixes (#13451)
  • 702a8b1 Fix runtime language switching not re-translating component props, and other ...
  • 053dbe2 docs: upgrade MiniMax demo to M3 (#13462)
  • 939e84c Fix another ssr server startup race condition (#13458)
  • 6320116 Show a landing page for browser GET requests to the MCP endpoint (#13459)
  • 4183c81 Fix various typos found by codespell (#13440)
  • 48d0e27 fix: SSRF in Image/Gallery SVG and Audio postprocessing (GHSA-3xvj-7669-6whx)...
  • 61cc3ec ci: upgrade Playwright to 1.60 (#13457)
  • b8f3db2 ci: shorten Playwright install timeout (#13455)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

dependabot (bot) added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) on Jun 3, 2026
dependabot Bot and others added 2 commits June 4, 2026 01:22
Bumps [gradio](https://github.com/gradio-app/gradio) from 6.15.2 to 6.16.0.
- [Release notes](https://github.com/gradio-app/gradio/releases)
- [Changelog](https://github.com/gradio-app/gradio/blob/main/CHANGELOG.md)
- [Commits](https://github.com/gradio-app/gradio/compare/gradio@6.15.2...gradio@6.16.0)

---
updated-dependencies:
- dependency-name: gradio
  dependency-version: 6.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
amrit110 force-pushed the dependabot/uv/gradio-6.16.0 branch from 556653d to c407593 on June 4, 2026 01:23
amrit110 merged commit 851b0d5 into main on Jun 4, 2026
7 checks passed
amrit110 deleted the dependabot/uv/gradio-6.16.0 branch on June 4, 2026 01:25
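
For reviewers weighing this bump, an added example (not Gradio's code and not part of this PR) of the open-redirect class named in the release notes: a check that keeps only the parsed path lets a target with 4+ leading slashes through as a scheme-relative URL, while a stricter validator falls back to a default. The function names, the `default` parameter and the `evil.example` inputs are constructed for illustration.

```python
from urllib.parse import urlsplit


def naive_target(target: str) -> str:
    """Hypothetical weak check: trust whatever urlsplit() calls the path."""
    # urlsplit("////host/x") yields netloc "" and path "//host/x", so the
    # returned value is still a scheme-relative URL to an external host.
    return urlsplit(target).path or "/"


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it is a same-origin absolute path."""
    # Browsers treat "\" like "/" in http(s) URLs, so normalize before checking.
    candidate = (target or "").replace("\\", "/")
    # Whitespace and control characters are dropped or trimmed by browsers
    # before parsing, which would change what the prefix checks below see.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        return default
    # Must start with exactly one "/": "//host" is scheme-relative.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return candidate


# Constructed sample inputs (evil.example is a reserved documentation domain).
CASES = [
    "/dashboard?tab=1",
    "///evil.example/x",
    "////evil.example/x",
    "\\\\evil.example/x",
    "/\\evil.example/x",
    "https://evil.example/",
]


def compare() -> dict:
    """Map each sample to (naive result, validated result)."""
    return {c: (naive_target(c), safe_redirect_target(c)) for c in CASES}


if __name__ == "__main__":
    for case, (weak, strict) in compare().items():
        print(f"{case!r:28} naive={weak!r:24} safe={strict!r}")
```
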