1.11.0
🌟 What's New
🎉 New Features
Consolidated Label Studio Codebase
This release introduces a simplified Label Studio repository structure.
Previously, the Label Studio frontend and Data Manager codebases were each located in a separate repository: label-studio-frontend and dm2. Starting with this release, the Label Studio Frontend and Data Manager code will be updated and maintained in the main label-studio repository.
The Label Studio Frontend code is now located in the label-studio repository under web/libs/editor
, and the Data Manager code can be found under web/libs/datamanager
. For more information, see our contributing guide.
This consolidated codebase has many benefits, including streamlined and simplified workflows, increased efficiency when performing cross-component changes, and improved navigation. Most importantly, a unified codebase will make it easier for our Open Source community to navigate and understand the Label Studio code architecture, lowering the barrier to entry for new contributors. (#5154)
🔐 Security
- This release includes several measures to increase SSRF protection (#5316), which address
CVE-2023-47116
(#5316):- When
SSRF_PROTECTION_ENABLED
is set totrue
(note that it defaults tofalse
), our new default is to ban all IPs within reserved blocks, for both IPv4 and IPv6. - We are introducing two new environment variables, to be used in conjunction with
SSRF_PROTECTION_ENABLED=true
:
USER_ADDITIONAL_BANNED_SUBNETS
— Use this to specify additional IP addresses or CIDR blocks to ban from server-side requests (e.g. the URL-based file uploader).
USE_DEFAULT_BANNED_SUBNETS
— This is set toTrue
by default. If you would like to have full control over banned subnets, you can set this toFalse
and useUSER_ADDITIONAL_BANNED_SUBNETS
to specify all the IP addresses / CIDR blocks you’d like to disallow instead. - We have also improved our error messages to make it clearer when an action is being blocked due to SSRF protections.
- When
- Implemented comprehensive HTML sanitization to safeguard against vulnerabilities and ensure a secure user experience. This addresses
CVE-2024-26152
. (#5232) - Addressed several vulnerabilities found in the npm-axios package. (#5229)
🐞 Bug Fixes
- Fixed an issue where Label Studio crashed when configuring multiple hotkeys using the
hotkey=","
format. (#5240) - Fixed an issue where credential validation was failing in the Label Studio interface for cloud storages configured using SDK. (#5228)
- Fixed an issue where cancelled and updated annotations were not recalculating
is_labeled
and other counters. (#4472) - Fixed an issue where annotation drafts were not changing when switching to view all mode. (#5141)
- Fixed an issue where users would encounter an error when using the Storage filename filter in the Data Manager. (#5289)
- Fixed an issue where users were unable to use the View all annotations option when the project included images that had an empty URL. (#5245)
- Fixed an issue where relations were not displayed if they were added by a user while reviewing a task. (#5140)
- Fixed an issue where users were seeing the Comments tab (an Enterprise-only feature) when resizing their screen. (#5230)