Bump from jupyter_server >=2.10.0 to jupyter_server >=2.20.0 #2207
Bump from jupyter_server >=2.10.0 to jupyter_server >=2.20.0 #2207vontedduchaithra wants to merge 2 commits into
Conversation
Fixes path traversal vulnerability in jupyter_server <=2.17.0. Signed-off-by: Vonteddu Chaithra <Vonteddu.Chaithra1@ibm.com>
|
coverage: 77.195%. first build — fix/jupyter-server-cve-2024-35178 into master |
| @@ -0,0 +1,6 @@ | |||
| Bumped ``jupyter_server`` to >=2.20.0 on Python>=3.10 to fix | |||
There was a problem hiding this comment.
The number in the filename (37) must be the issue number you are addressing, because towncrier creates a link to this issue in the generated change log.
If there is no corresponding issue (like in this case), use noissue.NN.fix.rst as the filename, where NN is some number that is not yet used in this release (like 37). The noissue text at the start of the filename causes towncrier not to create an issue link.
| caused by an incorrect ``startswith()`` root-directory check that | ||
| allowed authenticated users to read, write, and delete files in sibling | ||
| directories sharing a name prefix with the server's ``root_dir``. | ||
| Also documented this Dependabot alert pattern in the development guide. |
There was a problem hiding this comment.
I did not see a change in the development guide for that in this PR.
The handling of Dependabot alerts is already documented in section "Handling Dependabot alerts and PRs". If you want to change that, I suggest to do that in a separate PR.
If there is no change in the development guide in this PR, the respective sentence should be removed from the change log.
Signed-off-by: Vonteddu Chaithra <Vonteddu.Chaithra1@ibm.com>
Fixes path traversal vulnerability in jupyter_server <=2.17.0.