fix(deps): bump nicegui lower bound to 3.11.0 to fix download regression

helmut-hoffer-von-ankershoffen · claude · helmut-hoffer-von-ankershoffen · commit f03f2e8490c1 · 2026-04-26T11:26:40.000+02:00
NiceGUI 3.10.0 has a bug where exceptions raised in async event handlers are silently swallowed (fixed by zauberzeug/nicegui#5945, #5946). This manifested as test_gui_run_download and test_gui_run_qupath_install_to_inspect timing out at "Download completed.": the start_download() coroutine fires "Downloading ..." but crashes before the success notification, and 3.10.0's broken exception handling never surfaces the failure. 3.11.0 also makes ValueChangeEventArguments generic over its value type (zauberzeug/nicegui#5785), so update three call sites that need the new signature: - dataset/_gui.py: ValueChangeEventArguments[str | None] for the source input; coerce its .value to str when invoking _download. - application/_gui/_page_application_describe.py: parameterize on_force_change with [bool | None] and bool()-coerce e.value before assigning to SubmitForm.force. - system/_gui.py: bool()-coerce the mask_secrets switch value passed to load_info(). CVE-2026-39844 (>=3.10.0) remediation is preserved by the new lower bound. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/pyproject.toml b/pyproject.toml
@@ -78,7 +78,7 @@ dependencies = [
     # From Template
     "fastapi[all,standard]>=0.123.10",
     "humanize>=4.14.0,<5",
-    "nicegui[native]>=3.10.0,<4",  # CVE-2026-21871, CVE-2026-21873, CVE-2026-21874 (>=3.5.0); CVE-2026-25516 (>=3.7.0, #418); CVE-2026-27156 (>=3.8.0, #448); CVE-2026-33332 (>=3.9.0, #498); CVE-2026-39844 (>=3.10.0).
+    "nicegui[native]>=3.11.0,<4",  # CVE-2026-21871, CVE-2026-21873, CVE-2026-21874 (>=3.5.0); CVE-2026-25516 (>=3.7.0, #418); CVE-2026-27156 (>=3.8.0, #448); CVE-2026-33332 (>=3.9.0, #498); CVE-2026-39844 (>=3.10.0). 3.11.0 fixes async event handler exception leaks (#5945, #5946) — without it test_gui_run_download / test_gui_run_qupath_install_to_inspect time out at "Download completed." because exceptions in the async download coroutine are silently swallowed.
     "packaging>=26,<27",
     "platformdirs>=4.5.1,<5",
     "psutil>=7.1.3,<8",
diff --git a/src/aignostics/application/_gui/_page_application_describe.py b/src/aignostics/application/_gui/_page_application_describe.py
@@ -315,7 +315,7 @@ def _add_application_version_selection_section() -> None:
                     # Show force checkbox for internal users
                     if user_info and user_info.is_internal_user:
 
-                        def on_force_change(e: ValueChangeEventArguments) -> None:
+                        def on_force_change(e: ValueChangeEventArguments[bool | None]) -> None:
                             if e.value:
                                 version_next_button.enable()
                                 if unhealthy_tooltip:
@@ -324,7 +324,7 @@ def on_force_change(e: ValueChangeEventArguments) -> None:
                                 version_next_button.disable()
                                 if unhealthy_tooltip:
                                     unhealthy_tooltip.set_visibility(True)
-                            submit_form.force = e.value
+                            submit_form.force = bool(e.value)
 
                         ui.checkbox("Force (skip health check)", on_change=on_force_change).mark("CHECKBOX_FORCE")
 
diff --git a/src/aignostics/dataset/_gui.py b/src/aignostics/dataset/_gui.py
@@ -88,7 +88,7 @@ async def page_idc() -> None:  # noqa: C901, PLR0915, RUF029
                     """
                 )
 
-            def _on_source_input_change(e: ValueChangeEventArguments) -> None:
+            def _on_source_input_change(e: ValueChangeEventArguments[str | None]) -> None:
                 """On change event."""
                 if download_form.download_button is None:
                     return
@@ -250,7 +250,7 @@ async def _download(source: str) -> None:
                         with ui.button("Download", icon="cloud_download").mark("BUTTON_DOWNLOAD") as download_button:
                             ui.tooltip("Download the selected dataset")
                         download_form.download_button = download_button
-                        download_form.download_button.on("click", lambda _: _download(source_input.value))
+                        download_form.download_button.on("click", lambda _: _download(source_input.value or ""))
                         download_form.download_button.disable()
 
             def update_progress() -> None:
diff --git a/src/aignostics/system/_gui.py b/src/aignostics/system/_gui.py
@@ -63,7 +63,9 @@ async def page_system() -> None:  # noqa: PLR0915
                             # Mask secrets switch with reload functionality
                             with ui.row().classes("w-full items-center gap-2 mb-4"):
                                 mask_secrets_switch = ui.switch(
-                                    text="Mask secrets", value=True, on_change=lambda e: load_info(mask_secrets=e.value)
+                                    text="Mask secrets",
+                                    value=True,
+                                    on_change=lambda e: load_info(mask_secrets=bool(e.value)),
                                 )
 
                             spinner = ui.spinner(size="lg").classes(
diff --git a/uv.lock b/uv.lock
