chore(deps): bump nicegui from 3.9.0 to 3.12.0

[dependabot]

Bumps nicegui from 3.9.0 to 3.12.0.

Release notes

Sourced from nicegui's releases.

v3.12.0

Security

• ⚠️ Prevent local file disclosure in ui.restructured_text via Docutils file insertion directives (GHSA-jfrm-rx66-g536 by @​dennyabrahamsinaga, @​h3ri0s, @​falkoschindler, @​evnchn)
• ⚠️ Prevent unauthenticated log-volume denial of service in dynamic resource and ESM module routes (GHSA-pq7c-x8g4-rvp6 by @​bitinerant, @​evnchn, @​falkoschindler)

New features and enhancements

• Make enable(), disable(), set_enabled(), set_visibility() and many more methods chainable (#6014, #6016 by @​stragrothsk, @​falkoschindler, @​evnchn)
• Auto-dedent ui.mermaid content like ui.markdown does (#6011, #6012 by @​BasementSociety, @​falkoschindler, @​evnchn)
• Suppress alarming KeyboardInterrupt traceback from run.cpu_bound workers on Ctrl-C (#6025, #6027 by @​justus2510, @​falkoschindler, @​evnchn)

Bugfixes

• Fix RuntimeError: A SemLock created in a fork context is being shared with a process in a spawn context in ui.run(native=True, reload=True) on CPython ≥ 3.11.5 (#1841, #6045 by @​swrpug, @​evnchn, @​falkoschindler, @​rodja, @​JensOgorek, @​yuanxion, @​electronstudio, @​knoppmyth, @​Qhawaq, @​sagarbehere, @​frankhuurman, @​MrGibus, @​BanDroid)
• Fix KeyError: 'error' when calling ValidationElement.validate() after the error prop was removed via props(remove=...) (#5977, #6042 by @​manu-ns, @​falkoschindler, @​evnchn)
• Fix silent window.location.reload() on every WebSocket reconnect (#6018, #6019 by @​arodidev, @​falkoschindler, @​evnchn)
• Resolve ElementFilter.DEFAULT_LOCAL_SCOPE at runtime so changing the class variable actually affects new instances (#6005, #6013 by @​gzu300, @​DarkRiddle1212, @​falkoschindler)
• Fix duplicate app.timer and lifecycle handler (on_connect, on_disconnect, on_delete, on_shutdown, on_exception) registration in script mode (#6003, #6006 by @​EchterTimo, @​falkoschindler, @​evnchn)
• Preserve a meaningful DataFrame index in ui.aggrid.from_pandas and ui.table.from_pandas (#5995, #6002 by @​NichtJens, @​DarkRiddle1212, @​falkoschindler, @​evnchn) Note: DataFrames with an informative index now produce additional column(s) in the resulting grid/table. To restore the previous "drop the index" behavior, call df.reset_index(drop=True) before passing the DataFrame.
• Bracket IPv6 hosts and omit default ports in printed URLs (#5996 by @​bulletmark, @​falkoschindler, @​evnchn)
• Fix ui.code reporting the wrong language and throwing a ReferenceError in the CodeMirror findLanguage error path (#5982 by @​Jepson2k, @​falkoschindler)
• Fix material settings not applying to GLTF models in ui.scene (#3515, #5708 by @​maria-korosteleva, @​evnchn, @​falkoschindler, @​fabian0702)

Documentation

• Add llms.md — a self-contained LLM reference covering NiceGUI's API surface, mental models, and common anti-patterns for AI-assisted development (#6021, #6049 by @​joko-zauberzeug, @​falkoschindler, @​evnchn, @​rodja)
• Restructure CONTRIBUTING.md around the contributor journey, drop rule duplication, and split out a new "For maintainers" section (#6029 by @​falkoschindler, @​evnchn)
• Restructure AI agent instructions: extract code-review guidance into REVIEW.md, trim AGENTS.md, and tighten Cursor/Copilot prompts (#6030 by @​falkoschindler, @​evnchn)
• Document packaging with Nuitka (#6009, #6010 by @​SHDocter, @​falkoschindler, @​evnchn)
• Improve authentication example (#6046 by @​NichtJens, @​evnchn, @​falkoschindler)
• Improve Sortable documentation (#6017 by @​falkoschindler, @​denniswittich)
• Clarify the client_id security model and add an "Examples Are Starting Points" callout (#6004 by @​evnchn, @​falkoschindler)
• Fix Nested ui.sub_pages doc demo link target and label (#5999, #6008 by @​aisartag, @​falkoschindler, @​evnchn)

Testing

• Fix click handler dispatch in user simulation (#6043 by @​Jepson2k, @​falkoschindler, @​evnchn) Note 1: Click handlers on ui.checkbox and ui.switch now receive e.args = None instead of not element.value; read e.sender.value (or use on_value_change) for the post-toggle value. Note 2: Also, find(...).click() no longer broadcasts to every matched element — it picks the lowest-ID enabled match and dispatches once. Tests that relied on simultaneous multi-match clicks need to issue separate calls.
• Implement ui.sub_pages navigation in user-simulated tests (#5193 by @​rodja, @​falkoschindler)

Dependencies

• Bump Mermaid from 11.12.2 to 11.15.0 to consume upstream security patches (#6047 by @​falkoschindler, @​evnchn)

Infrastructure

• Use uv sync --locked in CI workflows so lockfile drift fails fast with a clear diagnostic (#6036 by @​evnchn, @​falkoschindler)

... (truncated)

Commits

• 0a98a67 Merge commit from fork
• 453e577 Merge commit from fork
• 8427af3 Improved authentication example (#6046)
• 5c3d7fc Surface llms.txt in the homepage CTA alongside the JSON documentation index (...
• 7916128 Add llms.md — LLM reference for AI-assisted NiceGUI development (#6021)
• 2c41369 update sponsors
• a474161 Bump Mermaid to 11.15.0 (#6047)
• 2bb0f7b fix Dependabot alerts 258 and 259
• 2af17d9 Fix SemLock fork/spawn RuntimeError in ui.run(native=True, reload=True) (#6...
• 6f55f40 fix Dependabot alerts 256 and 257
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.