Update dependency jupyterlab to v3.6.8 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jupyterlab (changelog)	3.5.0 -> 3.6.8

GitHub Vulnerability Alerts

CVE-2024-22421

Impact

Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version.

Patches

JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.

Workarounds

No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

References

Vulnerability reported by user @​davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

CVE-2024-43805

Impact

The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

Patches

JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 were patched.

Workarounds

There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are:

• @jupyterlab/mathjax-extension:plugin - users will loose ability to preview mathematical equations
• @jupyterlab/markdownviewer-extension:plugin - users will loose ability to open Markdown previews
• @jupyterlab/mathjax2-extension:plugin (if installed with optional jupyterlab-mathjax2 package) - an older version of the mathjax plugin for JupyterLab 4.x

To disable these extensions run:

jupyter labextension disable @​jupyterlab/markdownviewer-extension:plugin
jupyter labextension disable @​jupyterlab/mathjax-extension:plugin
jupyter labextension disable @​jupyterlab/mathjax2-extension:plugin

To confirm that the plugins were disabled run:

jupyter labextension list

References

None

Notes

This change has a potential to break rendering of some markdown. There is a setting in Sanitizer which allows to revert to the previous sanitizer settings (allowNamedProperties).

---

Release Notes

jupyterlab/jupyterlab (jupyterlab)

v3.6.8

Compare Source

3.6.8

(Full Changelog)

Bugs fixed

• Fix workspaces loading #​15842 (@​krassowski)

Maintenance and upkeep improvements

• Run Python tests on MacOS with Python 12, replace canvas with jest-canvas-mock #​16314 (@​krassowski)
• Ignore empty stdout data when logging in verdaccio #​16459 (@​fcollonval)
• Install Firefox from brew on Mac on CI #​16245 (@​krassowski)

Documentation improvements

• Run Python tests on MacOS with Python 12, replace canvas with jest-canvas-mock #​16314 (@​krassowski)
• Remove SO links, add more recent issue to FAQ #​15811 (@​krassowski)

Other merged PRs

• Removed broken gif links in README.md files #​16151 (@​Tanmay-Deshmukh)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​ajbozarth | @​AllanChain | @​andrii-i | @​bollwyvl | @​brichet | @​davidbrochart | @​diyoyo | @​echarles | @​ellisonbg | @​ericsnekbytes | @​fcollonval | @​FoSuCloud | @​g547315 | @​gabalafou | @​github-actions | @​guyq1997 | @​HaudinFlorence | @​j264415 | @​JasonWeill | @​joaopalmeiro | @​jtpio | @​jupyterlab-dev-mode | @​jupyterlab-probot | @​kiliansinger | @​kolibril13 | @​krassowski | @​linlol | @​lumberbot-app | @​mahendrapaipuri | @​meeseeksmachine | @​Mehak261124 | @​None | @​Rob-P-Smith | @​RRosio | @​srdas | @​tonyfast | @​trungleduc | @​welcome | @​williamstein | @​xc2 | @​Zsailer

v3.6.7

Compare Source

3.6.7

(Full Changelog)

Security fixes

• Potential authentication and CSRF tokens leak in JupyterLab (GHSA-44cc-43rp-5947)

Bugs fixed

• [3.6.x] Fix M1 install, declare node-gyp@^9.0.0 #​15395 (@​dlqqq)
• Backport PR #​14534 and PR #​15237 on branch 3.6.x (Hide completer when changing notebook tabs) #​15244 (@​meeseeksmachine)

Maintenance and upkeep improvements

• Pin actions/labeler to v4 to fix failing CI action #​15496 (@​krassowski)
• Fix URLs in debugger-extension #​15462 (@​fcollonval)
• Fix docs deployment failing on 3.6 branch #​15424 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​andrii-i | @​blink1073 | @​bollwyvl | @​brichet | @​davidbrochart | @​dharmaquark | @​dlqqq | @​echarles | @​fcollonval | @​g547315 | @​gabalafou | @​GabrielaVives | @​github-actions | @​HaudinFlorence | @​j264415 | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​misterfads | @​mlucool | @​parmentelat | @​skyetim | @​tonyfast | @​welcome | @​Wh1isper

v3.6.6

Compare Source

3.6.6

(Full Changelog)

Maintenance and upkeep improvements

• Remove pre-commit job #​15154 (@​fcollonval)
• Install playwright browser in jupyterlab.browser_check #​15117 (@​brichet)
• Fix pepy.tech links #​14982 (@​fcollonval)
• Fix broken link #​14937 (@​fcollonval)
• Rename readthedoc config #​14927 (@​fcollonval)
• Update the jupyter labextension list compat message #​14680 (@​jtpio)

Documentation improvements

• Install playwright browser in jupyterlab.browser_check #​15117 (@​brichet)
• Fix pepy.tech links #​14982 (@​fcollonval)
• Create JupyterLab 3.4.4 accessibility statement #​14856 (@​isabela-pf)
• Update docs to jupyter_server_config.py #​13208 (@​jtpio)
• Update the jupyter labextension list compat message #​14680 (@​jtpio)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​bollwyvl | @​brichet | @​echarles | @​fcollonval | @​g547315 | @​github-actions | @​isabela-pf | @​j264415 | @​jtpio | @​jupyterlab-probot | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​tonyfast | @​welcome

v3.6.5

Compare Source

3.6.5

(Full Changelog)

Bugs fixed

• Ensure the kernel selector show the default kernel if notebook does not have a valid assigned kernel #​14693 (@​echarles)
• Avoid clearing the host node while rendering Markdown #​14579 (@​c3Vu)

Maintenance and upkeep improvements

• Update requirements: conda != Python, jupyter-server over notebook #​14709 (@​krassowski)
• Fix integration test looking for jupyter heading #​14621 (@​fcollonval)

Contributors to this release

(GitHub contributors page for this release)

@​andrii-i | @​brijsiyag | @​echarles | @​fcollonval | @​GabrielaVives | @​github-actions | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​tonyfast | @​welcome

v3.6.4

Compare Source

3.6.4

(Full Changelog)

Enhancements made

• Set Contents.ContentType to string #​12875 (@​trungleduc)
• Allow maxHeight being equal to minHeight for HoverBox's visibility #​14533 (@​nishikantparmariam)
• Right-align notification buttons, reduce outer padding, add space between buttons and message #​14412 (@​andrii-i)
• Pass traceback to ServerConnection.ResponseError #​14328 (@​a3626a)

Bugs fixed

• Use @​jupyterlab/shared-models #​14583 (@​fcollonval)
• Updates announcements to better conform to RFC atom standard. #​14480 (@​fcollonval)
• Update jupyter ydoc #​14374 (@​hbcarlos)
• Decodes URI before adding it to the tab title #​14178 (@​hbcarlos)
• Fix cursor placement in stdin history search and navigation #​14225 (@​krassowski)

Maintenance and upkeep improvements

• Skip checking for updates in UI tests #​14609 (@​fcollonval)
• Fix CI: remove/update broken docs links #​14414 (@​krassowski)
• Fix documentation build on CI #​14423 (@​jtpio)

Documentation improvements

• Fix broken links in galata/README.md #​14451 (@​gabalafou)
• Fix documentation build on CI #​14423 (@​jtpio)
• Updates announcements to better conform to RFC atom standard. #​14480 (@​fcollonval)

Contributors to this release

(GitHub contributors page for this release)

@​andrii-i | @​brichet | @​ellisonbg | @​fcollonval | @​gabalafou | @​GabrielaVives | @​github-actions | @​HaudinFlorence | @​hbcarlos | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​mlucool | @​tonyfast | @​welcome

v3.6.3

Compare Source

(Full Changelog)

Maintenance and upkeep improvements

• Bump lumino 1.x #​14286 (@​fcollonval)
• Provide @​jupyterlab/shared-models as singleton #​14229 (@​fcollonval)

Documentation improvements

• Provide @​jupyterlab/shared-models as singleton #​14229 (@​fcollonval)

Contributors to this release

(GitHub contributors page for this release)

@​andrii-i | @​bollwyvl | @​brichet | @​damiend97 | @​fcollonval | @​github-actions | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​krassowski | @​welcome

v3.6.2

Compare Source

(Full Changelog)

Bugs fixed

• Fix save as without changing the file name #​14212 (@​hbcarlos)
• Fix save as in collaborative mode #​14182 (@​hbcarlos)
• Fix non-document wide undo stack #​14063 (@​fcollonval)
• Fix code/content/ui font-size change #​14077 (@​FoSuCloud)
• Restore @​jupyterlab/shared-models as proxy to @​jupyter/ydoc #​14133 (@​fcollonval)
• Doc session #​14128 (@​hbcarlos)
• Use local paths instead of driveName:path in the shared model #​13866 (@​hbcarlos)
• use singleton boolean type for codemirror lineWiseCopyCut setting #​14055 (@​bollwyvl)

Maintenance and upkeep improvements

• Fix integrity #​14226 (@​fcollonval)
• Increases timeout #​14045 (@​brichet)
• Use Python 3.11 for js-debugger tests #​13941 (@​fcollonval)
• Fix verdaccio start up with nodejs 18.14.0 #​13959 (@​fcollonval)

Documentation improvements

• Add note for jest configuration and JLab 3.6 #​14207 (@​fcollonval)

Contributors to this release

(GitHub contributors page for this release)

@​andrii-i | @​blink1073 | @​bollwyvl | @​brichet | @​bt- | @​dlqqq | @​domoritz | @​echarles | @​fcollonval | @​fperez | @​gabalafou | @​GabrielaVives | @​github-actions | @​goanpeca | @​HaudinFlorence | @​hbcarlos | @​ianhi | @​jasongrout | @​JasonWeill | @​jtpio | @​jupyterlab-dev-mode | @​jupyterlab-probot | @​krassowski | @​meeseeksdev | @​meeseeksmachine | @​mlucool | @​psychemedia | @​telamonian | @​tonyfast | @​vidartf | @​welcome

v3.6.1

Compare Source

(Full Changelog)

Bugs fixed

• Revert target to ES2017 #​13914 (@​fcollonval)

Documentation improvements

• Revert target to ES2017 #​13914 (@​fcollonval)
• Fix minor typo in urls.rst #​13902 (@​chbrandt)

Contributors to this release

(GitHub contributors page for this release)

@​fcollonval | @​jupyterlab-probot | @​meeseeksmachine

v3.6.0

Compare Source

(Full Changelog)

New features added

• Add copy and paste commands to terminal context menu #​13535 (@​krassowski)
• Turn terminal links into anchors using xterm addon #​13645 (@​mgcth)
• Allows to pause the execution during debug #​13494 (@​brichet)
• Ask confirmation when closing a document #​13489 (@​fcollonval)
• Add events service #​13465 (@​fcollonval)
• Add notification queue and display using toast #​12959 (@​telamonian)
• Add announcements #​13444 (@​fcollonval)
• Add line history to Stdin cell outputs #​13431 (@​fcollonval)
• Add user configuration for additional schemes for the sanitizer plugin #​13419 (@​fcollonval)
• User service #​12926 (@​hbcarlos)

Enhancements made

• Expose contentVisibility widget hiding mode #​13860 (@​fcollonval)
• default locale will use OS default locale #​13721 (@​fcollonval)
• Enable strict CSS containment for MainAreaWidget #​13811 (@​krassowski)
• User defined default viewer take precedence for rendered factory #​11541 (@​fcollonval)
• Remove not needed Completer.IRenderer.sanitizer #​13700 (@​fcollonval)
• Contain the tabs within the tabbar (do not use translation transform) #​13671 (@​krassowski)
• Sanitize notification message #​13510 (@​fcollonval)
• Use more the contextual collaborative model attribute #​13564 (@​fcollonval)
• Add lumino with support for plugin deactivation #​13541 (@​fcollonval)
• Sets whether the model is collaborative or not when registering its factory #​13526 (@​hbcarlos)
• RTC: Move user name to user panel #​13517 (@​martinRenou)
• jupyter_server_ydoc>=0.6.0,<0.7.0 #​13499 (@​fcollonval)
• Define file or activity icons color as static #​13408 (@​fcollonval)
• Added collaborative_document_save_de… #​13404 (@​fcollonval)
• Add a hover effect to plugin list entries #​13384 (@​krassowski)
• Bump Lumino 1.x #​13378 (@​fcollonval)
• Store original path as returned from contents API in the Contents.IModel #​13216 (@​krassowski)
• Update document dirty logic for RTC #​13364 (@​davidbrochart)
• Store document info in the state not in a separate context map out of the document interface. #​13317 (@​fcollonval)
• Use file ID #​13246 (@​davidbrochart)
• Relax doc provider API #​13214 (@​fcollonval)
• Avoids restoring widget in dock panel when first loading in 'single-document' mode #​13314 (@​brichet)
• Fix illegible white on yellow text of stacktrace in dark theme #​13249 (@​NikolayXHD)
• Use settings icons for 6 plugins #​13298 (@​krassowski)
• Do not run galata in .ipynb_checkpoints #​13297 (@​krassowski)
• Allow empty notebook #​13296 (@​martinRenou)
• Optimize text mimerenderer: ansi vs autolink #​13202 (@​vidartf)
• Remove Yjs locking mechanism #​13222 (@​davidbrochart)

Bugs fixed

• Define colour and background for filebrowser edit field #​13895 (@​krassowski)
• Reset execution indicator state when kernel restarts #​13832 (@​krassowski)
• Restore blueprint focus overrides on 3.x branch #​13879 (@​krassowski)
• Restore partial border effect for menu #​13878 (@​krassowski)
• Pin jupyter_ydoc #​13863 (@​fcollonval)
• Fix preferred_dir for examples #​13788 (@​fcollonval)
• Bump canvas to version with nodejs 18 binaries #​13783 (@​fcollonval)
• Explain why cell model may be missing in cell toolbar #​13763 (@​krassowski)
• Fix handling of settingEditorType #​13761 (@​jtpio)
• Fix execution indicator in RTC mode #​13693 (@​trungleduc)
• Force jupyter-server v1 to check against notebook v6 #​13716 (@​fcollonval)
• Write the browser open files for test #​13634 (@​fcollonval)
• Add the scaleFactor value from the embed options when creating the PNG representation for a Vega-based chart #​13610 (@​joaopalmeiro)
• Does not prevent default behavior when shift-clicking #​13616 (@​jmk89)
• Do not load CSS of disabled federated extensions #​11962 (@​jtpio)
• use jupyter_config_dir instead of config_path[0] for workspaces, settings #​13589 (@​minrk)
• Bump @​lumino/application #​13590 (@​fcollonval)
• Restores the appearance of the settingeditor's input focus #​13554 (@​brichet)
• Fix a wrong argument when calling 'renderMimeVariable' #​13531 (@​brichet)
• fix size of toc running indicator #​13568 (@​uenot)
• Fixes backward-incompatible changes for 3.6 #​13560 (@​hbcarlos)
• Make focus visible (mostly CSS) #​13415 (@​gabalafou)
• Set corrections to icons and switch colors #​13500 (@​HaudinFlorence)
• Default IDocumentProviderFactory.IOptions generic to ISharedDocument #​13490 (@​jtpio)
• Use same key for saving user info in local store #​13482 (@​hbcarlos)
• Set fallback values for icons colors. #​13468 ([@​HaudinFlorence](https://redirect.githu

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.