Bump bokeh from 1.4.0 to 3.8.2

[dependabot]

Bumps bokeh from 1.4.0 to 3.8.2.

Changelog

Sourced from bokeh's changelog.

2026-01-06 3.8.2:

• bugfixes:

  • #14768 [component: server] Incomplete Origin Validation in WebSockets in Bokeh server applications

• tasks:

  • #14767 Backports for 3.8.2

2025-11-07 3.8.1:

• bugfixes:

  • #14618 [component: docs] Local documentation build fails with Extension error (sphinxext.opengraph)
  • #14626 [component: docs] Local documentation fails on Windows because of missing svg icons
  • #14651 [component: bokehjs] HoverTool parameter @$name for stacked bar chart not working in version 3.8.0

• tasks:

  • #14704 Backports for 3.8.1

2025-08-29 3.8:

• bugfixes:
  • #12430 [component: bokehjs] [BUG] Step glyphs do not support linked brushing
  • #12994 [component: bokehjs] [BUG] Patch does not output under certain conditions
  • #13616 [component: bokehjs] [BUG] DateRangePicker value does not reflect value in browser when selection is aborted
  • #14334 js_on_change not firing when range is updated in range tool
  • #14352 [component: bokehjs] Log Axis and Range1d < 1 failing
  • #14383 [component: bokehjs] SerializationError: circular reference When Passing List of Renderers to CustomJS Callbacks, but not when passing renderers sperately.
  • #14396 [component: examples] Remove context from time of day in span example
  • #14399 Bad typings for list_attr_splat (e.g. Plot.axis)
  • #14413 [component: bokehjs] ValueRef formatter does not handle datetime nullable well
  • #14420 [component: bokehjs] Enhance performance of WebGL multi_marker
  • #14422 [component: bokehjs] Legend renderer not correctly positioned when saved with SaveTool
  • #14424 [component: bokehjs] Patches with no data does not show plot with Bokeh 3.7+
  • #14458 [component: bokehjs] Removing and re-adding DOM nodes causes React problems
  • #14461 [component: tests] The regression test for issue #14207 is unreliable
  • #14468 [component: docs] Try on CodePen link does not work in documentation /docs/user_guide/advanced/bokehjs.html
  • #14469 [component: bokehjs] Canvas2D: Multiple readback operations using getImageData are faster with the willReadFrequently attribute set to true
  • #14476 Improve handling of pd.NA in Property.matches
  • #14497 mypy 1.15.0 fails in CI but not locally
  • #14499 [component: docs] IndexError on importing bokeh.sphinxext.bokeh_plot
  • #14520 [component: bokehjs] BokehJS complains about categorical factors for the BoxAnnotation widget
  • #14536 Flex layouts need to apply min_width and min_height selectively
  • #14540 [component: tests] Tests are failing on Windows and Python 3.10 after PR #14531
  • #14541 New SVG icons have inconsistent line widths
  • #14554 Add support for scalar uint32 color input.
  • #14565 [component: bokehjs] DataTable source update broken
  • #14574 [component: build] grammar build script failing with whitespace in path
  • #14597 [component: bokehjs] document_ready even trigger twice with Bokeh 3.4.0.dev4
  • #14602 [component: bokehjs] Layoutable components in side panels don't appear in exported images
  • #14620 Re-connect race condition on page reload

... (truncated)

Commits

• e5ce879 Deployment updates for release 3.8.2
• 2b3ee10 Don't validate npm credentials due to OICD limitations in npm (#14769)
• 756e3ae Migrate from NPM tokens to trusted providers for publishing in CI (#14766)
• 2f225a1 Update dependencies in build environment (#14758)
• 69d197c update switcher.json
• d915c8b update to latest ruff (#14661)
• 5f9f7b6 update release notes
• cedd113 handle wildcard host with port correctly
• a961ab7 small CI fixes for advisory fork merge
• d62939a Merge commit from fork
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Updates dependency pin in requirements.txt:

• Bumps bokeh from 1.4.0 to 3.8.2.

This is a major version jump that may introduce breaking changes for code using older Bokeh APIs.

^{Written by Cursor Bugbot for commit e20e957. This will update automatically on new commits. Configure here.}

[cursor]

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Version mismatch between requirements.txt and environment.yml for security-critical bokeh update

High Severity

The bokeh version is updated to 3.8.2 in requirements.txt but environment.yml still specifies bokeh=1.4.0. This creates a version inconsistency where users installing via conda will get the vulnerable version, defeating the purpose of this security update. Additionally, environment.yml specifies Python 3.7 which is incompatible with bokeh 3.x (which requires Python 3.9+), so both the bokeh version and Python version in environment.yml need to be updated together.

 

[cursor]

CI will fail: bokeh 3.8.2 incompatible with Python 3.6

High Severity

The CI workflow in .github/workflows/classroom.yml configures python-version: 3.6, but bokeh==3.8.2 requires Python 3.9 or higher. When the workflow runs pip install -r ./requirements.txt, the installation will fail because bokeh 3.8.2 cannot be installed on Python 3.6. This will break the automated build and deployment pipeline.