Bump nicegui from 3.7.1 to 3.8.0

[dependabot]

Bumps nicegui from 3.7.1 to 3.8.0.

Release notes

Sourced from nicegui's releases.

v3.8.0

Security

• ⚠️ Prevent XSS via unsanitized method names in run_method() (GHSA-78qv-3mpx-9cqq by @​anuraagbaishya, @​evnchn, @​falkoschindler)

  Breaking change: For security reasons, run_method() and run_*_method() no longer accept arbitrary JavaScript expressions as method names. Only actual method names are supported now. If you previously passed JS functions like

  row = await grid.run_grid_method('(g) => g.getDisplayedRowAtIndex(0).data')

  use

  row = await run_javascript(f'return getElement({grid.id}).api.getDisplayedRowAtIndex(0).data')

  instead.

New features and enhancements

• Preserve cursor position when calling ui.codemirror.set_value (#5775 by @​falkoschindler, @​evnchn)
• Wake outbox loop on stop() to avoid ~1s shutdown delay (#5804, #5805 by @​Denubis, @​evnchn, @​falkoschindler)
• Prevent prune_user_storage crash when UI elements are created before ui.run_with() (#5480, #5768 by @​TulyOpt, @​Phloog, @​jammerhund, @​evnchn, @​falkoschindler)
• Expose ui.aggrid.VERSION constant for AG Grid version reference (#5726, #5727 by @​taschini, @​evnchn, @​falkoschindler)

Bugfixes

• Guard innerHTML writes in ui.html, ui.markdown and ui.interactive_image to avoid server-side updates overwriting client-side DOM modifications (#5749, #5761, #5816, #5821, #5823, #5826 by @​Denubis, @​phifuh, @​evnchn, @​falkoschindler)
• Fix ui.echart zoom reset on data update by using getOption() API (#5819, #5822 by @​rtrrtr, @​falkoschindler, @​evnchn)
• Fix ui.log background color being tinted by inner scroll-area element (#5828, #5831 by @​rolfn, @​falkoschindler, @​evnchn)
• Cancel connection-wait task when page coroutine completes first to prevent task leak (#5803, #5806 by @​Denubis, @​evnchn, @​falkoschindler)
• Fix jumpy ui.table fullscreen toggle with smooth scrolling enabled (#5789 by @​falkoschindler, @​evnchn)
• Guard against missing element in beforeUnmount hooks during @ui.refreshable rebuild (#5765, #5766 by @​evnchn, @​falkoschindler)
• Fix Leaflet Draw circle resize broken by ES module strict mode (#5751, #5756 by @​MicaelJarniac, @​evnchn, @​falkoschindler)
• Exclude Python prefix directory from reload file watcher to prevent spurious reloads (#5750, #5780 by @​phifuh, @​evnchn)
• Fix WebSocket URL missing host on HTTPS due to JS operator precedence (#5734 by @​evnchn)
• Fix race condition: use static DOMPurify import to avoid mid-module yield (#5732, #5799 by @​evnchn, @​codingpaula, @​rodja, @​falkoschindler)

Documentation

• Add security best practices section (#5736 by @​evnchn, @​falkoschindler)
• Add a "Reaktiv Order Calculator" example (#4758, #5783, #5812 by @​FabianGoessling, @​buiapp, @​evnchn, @​buiapp, @​falkoschindler)
• Add a "Device Control" example with events and logging (#5201, #5737 by @​weinibuliu, @​rodja, @​eddie3ruff, @​evnchn, @​falkoschindler)
• Add AI co-authorship attribution guidance to CONTRIBUTING.md (#5758 by @​evnchn, @​falkoschindler)
• Upgrade the "SQLite Database" example to Tortoise ORM 1.0.0 (#5754 by @​falkoschindler)
• Improve Plausible's SPA compatibility for website analytics (#5830 by @​evnchn, @​rodja)
• Make first demo always load immediately for better SEO (#5793, #5800 by @​evnchn, @​falkoschindler)
• Fix Googlebot homepage screenshot with unbounded h-screen (#5792 by @​evnchn)
• Select search text when reopening search dialog (#5744, #5779 by @​Aleborg-Finansforbundet, @​marcrichard22, @​evnchn, @​falkoschindler)
• Fix sponsor button border styling with dark mode support (#5778 by @​evnchn)
• Use static URL for sponsor images instead of local path (#5733 by @​evnchn)

Testing

... (truncated)

Commits

• 97def3b fix pytest still using run_method with JS function
• 1861f59 Merge commit from fork
• cc50d24 Plausible SPA compatibility (#5830)
• 1f78a2a update dependency summary
• f1131c7 fix Dependabot alerts 98 to 101
• b662dca Fix ui.log background color being tinted by inner element (#5831)
• 1fd3345 Cancel connection-wait task when page coroutine completes first (#5806)
• 9c08d12 Revert vnode cache and guard innerHTML writes (#5826)
• b4802cb Fix blank page after client-side sub_pages navigation (#5821)
• 9e46d49 Fix echart zoom reset on data update by using getOption() API (#5822)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.