
chore(deps-dev)(deps-dev): bump marimo from 0.23.0 to 0.23.1 in the python-dependencies group#628

Merged
tschm merged 1 commit into main from dependabot/uv/python-dependencies-8656732d5a
Apr 14, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Apr 14, 2026

Bumps the python-dependencies group with 1 update: marimo.

Updates marimo from 0.23.0 to 0.23.1

Release notes

Sourced from marimo's releases.

0.23.1

What's Changed

This release includes quality of life improvements to marimo slides, bug fixes to marimo islands that revive our quarto extension, a new lint rule, and minor security improvements.

⭐ Highlights

Slides minimap

Slide mode now has a minimap: a scrollable panel showing your cells at reduced scale, with click-to-navigate and drag-to-reorder support. It's performance-aware — cells only render in the minimap when they're in view.

[Video: Screen.Recording.2026-04-08.at.6.46.33.PM.mov]

Islands revived

We've fixed many bugs with [marimo islands], a way to embed marimo outputs and/or Python code in other HTML. These fixes also make our quarto-marimo (#9071) extension compatible with this version of marimo as well.

Security

This release includes minor security improvements, including input sanitization, path traversal prevention, open redirect blocking, and auth endpoint hardening.

  • Sanitize plugin output slots (marimo-mpl-interactive, marimo-panel) to prevent script injection (#9133)
  • Restrict head_html injection to run mode only (#9137)
  • Prevent directory traversal via symlinks in asset serving (#9134)
  • Sanitize user-supplied custom.css (#9131)
  • Block open redirects via protocol-relative URLs (e.g. //evil.com) (#9112)
  • Restrict health endpoint exposure and add path validation for document writes (#9115)

We've also updated our security documentation with a standard operating procedure for future disclosures (#9114).

Thank You. The enthusiasm following our recent CVE disclosure is a testament to what a healthy open-source community looks like. A special thank you to @GCXWLP, @Jvr2022, @offset, @l3tchupkt, @Fushuling, @RacerZ-fighting, and @q1uf3ng for their engagement and reports during this sprint. It takes a community to keep FOSS secure. We're lucky to have this one!

All changes

... (truncated)

Commits
  • 64203be release: 0.23.1 (#9138)
  • 3769323 fix: solve failing windows test with absolute path resolution (#9139)
  • 1ee86d6 fix: sanitize marimo-mpl-interactive marimo-panel (#9133)
  • 953ffbf improvement: revive islands (#9071)
  • e1adaa0 fix: restrict head_html to run (#9137)
  • 046cc42 fix: don't follow symlinks in assets.py (#9134)
  • 0c319d2 additional ruff fixes (#9132)
  • e1e6585 fix: bump ruff version in pytest_changed plugin to 0.15.9 (#9135)
  • 6f81094 docs: Update security docs for 0.23.0 and outline SOP (#9114)
  • 03ff68d fix: add requires() to set_ui_element_value, set_model_value, function_call (...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps the python-dependencies group with 1 update: [marimo](https://github.com/marimo-team/marimo).


Updates `marimo` from 0.23.0 to 0.23.1
- [Release notes](https://github.com/marimo-team/marimo/releases)
- [Commits](marimo-team/marimo@0.23.0...0.23.1)

---
updated-dependencies:
- dependency-name: marimo
  dependency-version: 0.23.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
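Two of the security bullets in the quoted release notes (blocking open redirects via protocol-relative URLs such as `//evil.com`, and refusing to follow symlinks when serving assets) describe checks that are easy to get subtly wrong. The block below is an added example written for this page, not marimo's own code and not taken from the linked commits; the function names `is_safe_redirect_target` and `resolve_asset`, the constructed asset tree in a temporary directory, and the sample redirect targets are assumptions for illustration. It goes slightly beyond the two bullets by also rejecting backslash and triple-slash variants, which browsers normalise to a cross-origin host.

```python
from __future__ import annotations

import tempfile
from pathlib import Path
from urllib.parse import urlsplit


def is_safe_redirect_target(target: str) -> bool:
    """Accept only same-origin absolute paths such as "/notebooks/demo.py".

    Rejects absolute URLs, protocol-relative URLs ("//evil.com"), the
    backslash and extra-slash spellings browsers treat the same way, and
    control characters that could split a Location header.
    """
    if not target:
        return False
    # Browsers treat "/\evil.com" like "//evil.com"; normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False  # "https://evil.com", "javascript:...", "//evil.com"
    # Must be an absolute path on this origin; "///evil.com" is also cross-origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    # urlsplit silently strips \r\n\t, so check the raw string for control chars.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return False
    return True


def resolve_asset(root: Path, requested: str) -> Path | None:
    """Map a URL path onto a file under root without escaping via ".." or symlinks.

    Returns the file path to serve, or None if the request must be refused.
    """
    root_real = root.resolve()
    parts = requested.lstrip("/").split("/")
    # Reject empty segments ("a//b", trailing "/") and any dot segments.
    if any(p in ("", ".", "..") for p in parts):
        return None
    # Walk one component at a time and refuse symlinks anywhere below root
    # (hypothetical policy matching "don't follow symlinks": no symlink is
    # trusted, even one that happens to point back inside root).
    current = root_real
    for p in parts:
        current = current / p
        if current.is_symlink():
            return None
    if not current.is_file():
        return None
    # Belt and braces: the fully resolved path must still sit inside root.
    if not current.resolve().is_relative_to(root_real):
        return None
    return current


def demo_redirects() -> dict[str, bool]:
    """Constructed redirect targets; True means the check gave the expected verdict."""
    cases = {
        "/notebooks/demo.py": True,
        "/login?next=/home": True,
        "//evil.com/phish": False,
        "/\\evil.com": False,
        "///evil.com": False,
        "https://evil.com": False,
        "javascript:alert(1)": False,
        "/x\r\nSet-Cookie: a=b": False,
    }
    return {t: is_safe_redirect_target(t) == expected for t, expected in cases.items()}


def demo_asset_serving() -> dict[str, bool]:
    """Build a constructed asset tree in a temp dir and exercise resolve_asset."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        root = tmp_path / "assets"
        (root / "js").mkdir(parents=True)
        (root / "js" / "app.js").write_text("console.log('ok')\n")
        secret = tmp_path / "secret.txt"  # deliberately outside the asset root
        secret.write_text("api-key\n")
        (root / "leak").symlink_to(secret)  # file symlink escaping root
        (root / "up").symlink_to(tmp_path, target_is_directory=True)  # dir symlink escaping root
        return {
            "normal_file_served": resolve_asset(root, "/js/app.js") is not None,
            "dotdot_refused": resolve_asset(root, "/js/../../secret.txt") is None,
            "file_symlink_refused": resolve_asset(root, "/leak") is None,
            "dir_symlink_refused": resolve_asset(root, "/up/secret.txt") is None,
        }


if __name__ == "__main__":
    print(demo_redirects())
    print(demo_asset_serving())
```

The redirect check deliberately parses a backslash-normalised copy and then re-checks the raw string, because `urllib.parse.urlsplit` strips `\r`, `\n` and `\t` before parsing and would otherwise hide a header-splitting payload. The asset resolver refuses symlinks per component rather than only comparing the final `realpath`, so a symlinked directory halfway down the path is caught before anything is opened.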
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 14, 2026
@tschm tschm merged commit 344ecee into main Apr 14, 2026
42 checks passed
@tschm tschm deleted the dependabot/uv/python-dependencies-8656732d5a branch April 14, 2026 05:19