Skip to content

Bump from jupyter_server >=2.10.0 to jupyter_server >=2.20.0 #2207

Open
vontedduchaithra wants to merge 2 commits into
masterfrom
fix/jupyter-server-cve-2024-35178
Open

Bump from jupyter_server >=2.10.0 to jupyter_server >=2.20.0 #2207
vontedduchaithra wants to merge 2 commits into
masterfrom
fix/jupyter-server-cve-2024-35178

Conversation

@vontedduchaithra

Copy link
Copy Markdown
Contributor

Fixes path traversal vulnerability in jupyter_server <=2.17.0.

Fixes path traversal vulnerability in jupyter_server <=2.17.0.

Signed-off-by: Vonteddu Chaithra <Vonteddu.Chaithra1@ibm.com>
@vontedduchaithra vontedduchaithra self-assigned this Jul 1, 2026
@coveralls

coveralls commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Coverage Status

coverage: 77.195%. first build — fix/jupyter-server-cve-2024-35178 into master

@vontedduchaithra vontedduchaithra added backport Create backport PR when PR gets merged dependencies Pull requests from dependabot python Pull requests that update python code labels Jul 1, 2026
@andy-maier andy-maier added this to the 1.26.0 milestone Jul 5, 2026
@@ -0,0 +1,6 @@
Bumped ``jupyter_server`` to >=2.20.0 on Python>=3.10 to fix

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The number in the filename (37) must be the issue number you are addressing, because towncrier creates a link to this issue in the generated change log.

If there is no corresponding issue (like in this case), use noissue.NN.fix.rst as the filename, where NN is some number that is not yet used in this release (like 37). The noissue text at the start of the filename causes towncrier not to create an issue link.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved

Comment thread changes/37.fix.rst Outdated
caused by an incorrect ``startswith()`` root-directory check that
allowed authenticated users to read, write, and delete files in sibling
directories sharing a name prefix with the server's ``root_dir``.
Also documented this Dependabot alert pattern in the development guide.

@andy-maier andy-maier Jul 5, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not see a change in the development guide for that in this PR.
The handling of Dependabot alerts is already documented in section "Handling Dependabot alerts and PRs". If you want to change that, I suggest to do that in a separate PR.

If there is no change in the development guide in this PR, the respective sentence should be removed from the change log.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved

Signed-off-by: Vonteddu Chaithra <Vonteddu.Chaithra1@ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport Create backport PR when PR gets merged dependencies Pull requests from dependabot python Pull requests that update python code review needed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants