For most new projects, starting with the latest stable Bokeh release (3.x as of 2025) is advisable. However, Bokeh 2.3.3 remains a for specific legacy environments, and its patch‑release nature ensures that it will not introduce unexpected changes to existing codebases.
Bokeh 2.4.0 (released later in 2021) introduced new features and, more importantly, that is still present in 2.3.3. If you are using the Bokeh server in a production environment, upgrading to 2.4.0 or later is strongly recommended. Additionally, Bokeh 2.4.0 includes many other improvements and bug fixes. bokeh 2.3.3
If you're starting a new project today, should you use Bokeh 2.3.3 or jump to Bokeh 3.4+? Here’s a decision matrix: For most new projects, starting with the latest
This security flaw, tracked as CVE-2026-21883 , could allow for Cross-Site WebSocket Hijacking (CSWSH) in a deployed Bokeh server instance. An attacker could potentially gain unauthorized access to sensitive data or manipulate visualizations by exploiting the flawed hostname validation logic in WebSocket connections. If you are using the Bokeh server in
: Mandated that extensions fetch exact versions from the Content Delivery Network (CDN), a change designed to prevent version mismatches that could break custom user-built components. Documentation and Community Support
# Jittering the y-axis slightly for better visualization p.circle( x='decibels', y='year', source=source, size=5, alpha=0.3, color="navy", legend_label="Individual Readings" )
: Stick with Bokeh 2.3.3 if you have a working production system that you don't want to risk breaking. Choose Bokeh 3.x for greenfield projects where you can adopt the latest patterns.