Skip to content

chore: update dependencies to patch security vulnerabilities#294

Merged
Erikpostt merged 2 commits into
mainfrom
fix/resolve-vulnerabilities
May 11, 2026
Merged

chore: update dependencies to patch security vulnerabilities#294
Erikpostt merged 2 commits into
mainfrom
fix/resolve-vulnerabilities

Conversation

@Erikpostt

@Erikpostt Erikpostt commented May 8, 2026

Copy link
Copy Markdown
Contributor

Description

Dependabot observed multiple vulnerabilities which are caused by outdated dependencies.

Changes

  • Update tornado to >=6.4.1 (fixes DoS and cookie injection vulnerabilities)
  • Update mistune to >=3.0.2 (fixes ReDoS in LINK_TITLE_RE)
  • Update pytest to >=7.4.4 (fixes tmpdir handling vulnerability)
  • Update jupyter-server to 2.18.2 (fixes CORS bypass, path traversal)
  • Update jupyterlab to 4.5.7 (fixes XSS vulnerabilities)
  • Update nbconvert to >=7.17.0 (fixes path traversal in cell attachments)
  • Update requests to >=2.32.6 (fixes insecure temp file reuse)
  • Update multiple dev dependencies to patch aiohttp issues

@Erikpostt
chore: update dependencies to patch security vulnerabilities
871ddf7 
- Update tornado to >=6.4.1 (fixes DoS and cookie injection vulnerabilities)
- Update mistune to >=3.0.2 (fixes ReDoS in LINK_TITLE_RE)
- Update pytest to >=7.4.4 (fixes tmpdir handling vulnerability)
- Update jupyter-server to 2.18.2 (fixes CORS bypass, path traversal)
- Update jupyterlab to 4.5.7 (fixes XSS vulnerabilities)
- Update nbconvert to >=7.17.0 (fixes path traversal in cell attachments)
- Update requests to >=2.32.6 (fixes insecure temp file reuse)
- Update multiple dev dependencies to patch aiohttp issues

Addresses 26 open security vulnerabilities from Dependabot scan
@Erikpostt Erikpostt requested a review from nienketimmermans May 8, 2026 12:24
@Erikpostt Erikpostt marked this pull request as ready for review May 8, 2026 12:24
nienketimmermans
nienketimmermans reviewed May 11, 2026
View reviewed changes
Comment thread pyproject.toml Outdated
jupyter = "^1.1.1"
jupyterlab-widgets = "<=3.0.15"
jupyter = ">=1.1.1"
jupyterlab-widgets = ">3.0.15"

@nienketimmermans nienketimmermans May 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember that we previously had issues with newer versions of jupyterlab-widgets, but is that solved now?

@Erikpostt

Erikpostt commented May 11, 2026

Copy link
Copy Markdown
Contributor Author

A previous error for @nienketimmermans on Windows 11 was No such file or directory. I couldn't find a similar issue online, but did run across InvalidArchiveError in multiple occasions (e.g. here ). This may be due to a max path length set by default on Windows systems (which may pass for me because of my shorter name). There's a proposed solution here, but in the meantime I'll downgrade jupyter-widgets to 3.0.15` and check whether there's any vulnerabilities popping up.

@nienketimmermans nienketimmermans self-requested a review May 11, 2026 08:06
@Erikpostt Erikpostt merged commit d172e02 into main May 11, 2026
1 check passed
@Erikpostt Erikpostt deleted the fix/resolve-vulnerabilities branch May 11, 2026 11:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nienketimmermans nienketimmermans nienketimmermans approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Erikpostt @nienketimmermans