chore(deps): update dependency jupyterlab to v4.2.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jupyterlab (changelog)	4.0.9 -> 4.2.5
jupyterlab (changelog)	==4.0.9 -> ==4.2.5

GitHub Vulnerability Alerts

CVE-2024-22420

Impact

The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

Patches

JupyterLab v4.0.11 was patched.

Workarounds

Users can either disable the table of contents extension by running:

jupyter labextension disable @​jupyterlab/toc-extension:registry

References

Vulnerability reported via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

CVE-2024-22421

Impact

Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version.

Patches

JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.

Workarounds

No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

References

Vulnerability reported by user @​davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

CVE-2024-43805

Impact

The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

Patches

JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 were patched.

Workarounds

There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are:

• @jupyterlab/mathjax-extension:plugin - users will loose ability to preview mathematical equations
• @jupyterlab/markdownviewer-extension:plugin - users will loose ability to open Markdown previews
• @jupyterlab/mathjax2-extension:plugin (if installed with optional jupyterlab-mathjax2 package) - an older version of the mathjax plugin for JupyterLab 4.x

To disable these extensions run:

jupyter labextension disable @​jupyterlab/markdownviewer-extension:plugin
jupyter labextension disable @​jupyterlab/mathjax-extension:plugin
jupyter labextension disable @​jupyterlab/mathjax2-extension:plugin

To confirm that the plugins were disabled run:

jupyter labextension list

References

None

Notes

This change has a potential to break rendering of some markdown. There is a setting in Sanitizer which allows to revert to the previous sanitizer settings (allowNamedProperties).

---

Release Notes

jupyterlab/jupyterlab (jupyterlab)

v4.2.5

Compare Source

4.2.5

(Full Changelog)

Bugs fixed

• Use locale name instead of display/native name to toggle language #​16710 (@​maitreya2954)
• Prevent replacing code with find and replace in read-only cells #​16682 (@​itsmevichu)
• Do not block shift-click mouse up handler on active cell #​16647 (@​EdsterG)

Maintenance and upkeep improvements

• Bump braces from 3.0.2 to 3.0.3 #​16486 (@​dependabot[bot])

Documentation improvements

• Fix JupyterLab install instructions in the debugger docs #​16683 (@​jtpio)

Contributors to this release

(GitHub contributors page for this release)

@​davidbrochart | @​fcollonval | @​github-actions | @​HaudinFlorence | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine | @​Mehak261124 | @​Rob-P-Smith | @​tonyfast | @​welcome | @​williamstein

v4.2.4

Compare Source

4.2.4

(Full Changelog)

Bugs fixed

• Fix the identifier to download licenses in JSON format #​16584 (@​joaopalmeiro)
• Update JupyterLab wordmark color #​16567 (@​joaopalmeiro)
• Add customisation options to prevent inline completer resizing aggressively #​16507 (@​krassowski)
• Fix license table CSS selector to apply the selected row styles #​16547 (@​joaopalmeiro)

Maintenance and upkeep improvements

• Bump ws from 8.12.0 to 8.17.1 #​16495 (@​dependabot[bot])

Documentation improvements

• Fix galata docs on overriding tmpPath #​16587 (@​krassowski)
• Align extension migration docs with the latest extension template #​16450 (@​jtpio)

Contributors to this release

(GitHub contributors page for this release)

@​andrii-i | @​brichet | @​ellisonbg | @​fcollonval | @​g547315 | @​gabalafou | @​github-actions | @​j264415 | @​JasonWeill | @​joaopalmeiro | @​jtpio | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine | @​welcome

v4.2.3

Compare Source

4.2.3

(Full Changelog)

Bugs fixed

• Fix inline completer configure calls not being propagated correctly #​16508 (@​krassowski)
• Fix the lines placeholder taking up too much space #​16493 (@​krassowski)
• Use correct hub restart URL #​16471 (@​mahendrapaipuri)
• Fix check link CI failure in README (time zone converter site) #​16482 (@​afshin)

Documentation improvements

• Fix the description for the main inline completer plugin #​16526 (@​krassowski)
• Update JupyterLab 3.x maintenance announcement #​16506 (@​krassowski)
• Fix check link CI failure in README (time zone converter site) #​16482 (@​afshin)
• Fix typo in documentation - spurious single quote prefix #​16476 (@​achhina)
• Add a notice for Windows users to activate symbolic links in contributing section #​16465 (@​Darshan808)

Contributors to this release

(GitHub contributors page for this release)

@​brichet | @​fcollonval | @​github-actions | @​jtpio | @​jupyterlab-probot | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​Mehak261124 | @​welcome

v4.2.2

Compare Source

4.2.2

(Full Changelog)

Bugs fixed

• Fix width and margins of the notebook footer. #​16383 (@​HaudinFlorence)
• Fix async function display #​16443 (@​sanskriti2005)
• Fix code comments in tilde (~) fences incorrectly shown as headings in TOC #​16437 (@​itsmevichu)
• Fix typos in jupyter-collaboration-missing error message #​16436 (@​krishanbhasin-px)
• Reactive toolbar computation, again... #​16409 (@​brichet)
• Fix comments in nested markdown code blocks incorrectly being identified as TOC headings #​16420 (@​itsmevichu)
• Add the toolbar again when updating the title of PanelWithToolbar #​16390 (@​brichet)
• Align token usage for events #​16397 (@​fcollonval)
• Fix runtime console error in debugger extension #​16368 (@​afshin)

Maintenance and upkeep improvements

• Ignore empty stdout data when logging in verdaccio #​16459 (@​fcollonval)
• Fix some flaky ui tests #​16430 (@​brichet)
• Do not install cairo/pango on Mac in CI #​16434 (@​krassowski)
• Fix usage check job on CI (add setuptools dependency) #​16423 (@​jtpio)
• Run Python tests on MacOS with Python 12, replace canvas with jest-canvas-mock #​16314 (@​krassowski)
• Fix failing link check (point to JAWS on Wikipedia) #​16365 (@​krassowski)
• Do not check links to Jupyter blog on Medium #​16351 (@​krassowski)

Documentation improvements

• Ensure api directory is present to build documentation #​16467 (@​Darshan808)
• Add typings to the inline completer example #​16421 (@​jtpio)
• Run Python tests on MacOS with Python 12, replace canvas with jest-canvas-mock #​16314 (@​krassowski)
• Align tutorial with extension template #​16414 (@​jtpio)
• Update CHANGELOG.md #​16394 (@​fcollonval)
• Fix failing link check (point to JAWS on Wikipedia) #​16365 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​davidbrochart | @​echarles | @​fcollonval | @​jtpio | @​jupyterlab-probot | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​srdas | @​welcome

v4.2.1

Compare Source

4.2.1

(Full Changelog)

Bugs fixed

• Fix Shift + Tab contextual help inspector tooltip regression #​16343 (@​krassowski)
• Fix workspace context menu incorrectly showing up in other sidebar sections #​16346 (@​krassowski)
• Fix execution in console in terminal interaction mode #​16348 (@​krassowski)
• Reactive toolbar: avoid simultaneous calls to _onResize() #​16335 (@​brichet)
• Resetting a shortcut does not restore and enable the default if it was modified #​16304 (@​itsmevichu)
• Allow to invoke inline completer anywhere (not only at the end of line) #​16298 (@​ajbozarth)
• Search and replace with substring in markdown and raw cells #​16293 (@​JasonWeill)
• Wait for the cell toolbar items to be rendered the first time before looking for overlap #​16291 (@​brichet)
• Add lowercase proxy vars and make priority consistent with other tools #​16287 (@​jgoodson)

Maintenance and upkeep improvements

• Update 4.2.x branch config and links #​16324 (@​krassowski)

Documentation improvements

• Update 4.2.x branch config and links #​16324 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​github-actions | @​jtpio | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine | @​Rob-P-Smith | @​welcome

v4.2.0

Compare Source

(Full Changelog)

Bugs fixed

• Check the command is registered before calling notifyCommandChanged() #​16273 (@​jtpio)
• Set aria-label to title if no label for #​16262 (@​fcollonval)
• Fix changing font size in text editor #​16261 (@​FoSuCloud)
• Fix replace when replacement text matches source text multiple times #​16258 (@​JasonWeill)
• Add reopen closed command to tab context menu #​16250 (@​krassowski)

Maintenance and upkeep improvements

• Bump ejs from 3.1.8 to 3.1.10 #​16275 (@​dependabot)
• Bump the actions group with 2 updates #​16271 (@​dependabot)
• Make labeller remove outdated labels #​16257 (@​krassowski)
• Update to Playwright 1.43.1 #​15621 (@​jtpio)

Documentation improvements

• Add documentation on using jupyverse #​16190 (@​davidbrochart)

Contributors to this release

(GitHub contributors page for this release)

@​davidbrochart | @​dependabot | @​fcollonval | @​FoSuCloud | @​github-actions | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​krassowski | @​welcome

v4.1.8

Compare Source

4.1.8

(Full Changelog)

Bugs fixed

• Consider higher levels when toggling plugin #​16251 (@​divyansshhh)

Maintenance and upkeep improvements

• Install Firefox from brew on Mac on CI #​16245 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​github-actions | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine | @​welcome

v4.1.7

Compare Source

4.1.7

(Full Changelog)

Bugs fixed

• Fix toggling extension at system level #​16241 (@​krassowski)
• Fix extension toggling at different level #​16102 (@​divyansshhh)
• Partial backport of windowing fix from #​16013 #​16202 (@​krassowski)

Maintenance and upkeep improvements

• Fix documentation snapshots test #​16159 (@​krassowski)

Documentation improvements

• Clarify the LSP documentation #​16160 (@​krassowski)
• Removed broken gif links in README.md files #​16151 (@​Tanmay-Deshmukh)

Contributors to this release

(GitHub contributors page for this release)

@​andrii-i | @​bollwyvl | @​davidbrochart | @​echarles | @​fcollonval | @​github-actions | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​kolibril13 | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​welcome

v4.1.6

Compare Source

4.1.6

(Full Changelog)

Bugs fixed

• Fix outputarea collapse expand #​16124 (@​FoSuCloud)
• Disable placeholder for password input #​16128 (@​Alanhou1222)
• Fix for existing shortcuts getting triggered while edit shortcut #​16126 (@​Susilkessav)
• Use smart scroll in debugger to minimize distraction #​16084 (@​krassowski)
• Store the real position of the item in reactive toolbar #​16111 (@​brichet)
• Fix extension installation on Windows #​16064 (@​fcollonval)
• Removes dotted outline from active code cell #​16070 (@​JasonWeill)
• Long items should not wrap #​15844 (@​mdietz94)
• Fix manager isDisposed is not set #​15997 (@​fcollonval)

Maintenance and upkeep improvements

• Bump semver from 5.7.1 to 7.6.0 #​16121 (@​dependabot[bot])
• Revert traitlets pin #​16118 (@​krassowski)
• Use dependency_type: minimum for Minimum Versions check #​16105 (@​krassowski)
• Fix migration script, use extras for its dependencies #​16088 (@​krassowski)
• Add devcontainer #​15909 (@​fcollonval)
• Update Release Scripts #​15973 (@​blink1073)
• Adjust search test assertion to allow both Node 18 and 20+ #​16024 (@​krassowski)

Documentation improvements

• Fix migration script, use extras for its dependencies #​16088 (@​krassowski)
• Fix missing backtick in plugin manager docs #​16083 (@​krassowski)
• Add devcontainer #​15909 (@​fcollonval)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​brichet | @​fcollonval | @​gabalafou | @​github-actions | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​Mehak261124 | @​RRosio | @​trungleduc | @​welcome

v4.1.5

Compare Source

4.1.5

(Full Changelog)

Bugs fixed

• Fix Theme color is not applied to Toolbar Button #​15957 (@​FoSuCloud)
• Uses the browser window's selection as the default search query #​15834 (@​JasonWeill)
• Show outline on the full item in file browser, only when needed #​15860 (@​krassowski)
• Short-circuit selectItemByName() if already selected #​15970 (@​krassowski)
• Fix browser-test.js #​15892 (@​fcollonval)
• Avoid concurrency when computing the items in notebook toolbar #​15954 (@​brichet)
• Fixes filter for Chinese, other non-ASCII filenames #​15935 (@​JasonWeill)

Maintenance and upkeep improvements

• Ignore links to GitHub user and organisation profiles #​15959 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​andrii-i | @​brichet | @​jtpio | @​jupyterlab-probot | @​krassowski | @​linlol | @​meeseeksmachine | @​welcome

v4.1.4

Compare Source

4.1.4

(Full Changelog)

Bugs fixed

• Fix creating files in custom drives, fix ContentsManagerMock #​15291 (@​jtpio)
• Fix Theme color is not applied to SwitchKernel ToolbarButton #​15924 (@​FoSuCloud)
• Revert "Prevent command shortcuts from preventing user input" #​15938 (@​krassowski)
• Fix spurious dedent when opening inspector tooltip #​15898 (@​krassowski)
• Add an explicit default for inline completer providers #​15899 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​ericsnekbytes | @​github-actions | @​jtpio | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine

v4.1.3

Compare Source

4.1.3

(Full Changelog)

Bugs fixed

• Fix Pressing enter in console with console run keystroke set to enter creates a newline and runs #​15869 (@​FoSuCloud)
• Fix saving of item positions in reactive toolbar #​15843 (@​brichet)
• Prevent command shortcuts from preventing user input #​15790 (@​krassowski)
• Fix missing signals in file editor adapter #​15873 (@​krassowski)
• Fix codemirror highlight for Python builtin #​15805 (@​AllanChain)
• When attaching only typeset after rendering is completed #​15810 (@​krassowski)

Maintenance and upkeep improvements

• Update docstrings to mention Jupyter Server API #​15880 (@​jtpio)
• Bump es5-ext from 0.10.62 to 0.10.63 #​15878 (@​dependabot[bot])
• Fix clean script #​15854 (@​krassowski)
• Update branch configuration for 4.1.x #​15848 (@​krassowski)

Documentation improvements

• Fix broken link #​15851 (@​fcollonval)
• Update branch configuration for 4.1.x #​15848 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​AllanChain | @​brichet | @​ericsnekbytes | @​fcollonval | @​FoSuCloud | @​github-actions | @​JasonWeill | @​jtpio | @​jupyterlab-probot | @​krassowski | @​linlol | @​lumberbot-app | @​meeseeksmachine | @​welcome

v4.1.2

Compare Source

(Full Changelog)

Bugs fixed

• Fix highlight sequencing when replacing text in code cells #​15803 (@​JasonWeill)
• Windows platforms, erratic pasting of text into Markdown field #​15794 (@​kiliansinger)
• Restore notebook scrolling on dragging a cell to the viewport edge #​15782 (@​krassowski)
• Fix typing in editable elements inside of open shadow DOM #​15774 (@​krassowski)

Maintenance and upkeep improvements

• [docker] Allow non-unique GID #​15699 (@​trungleduc)

Documentation improvements

• Remove SO links, add more recent issue to FAQ #​15811 (@​krassowski)
• Fix outdated link to mybinder.org on index page of documentation #​15800 (@​nluetts)
• Fix typing in editable elements inside of open shadow DOM #​15774 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​FoSuCloud | @​github-actions | @​JasonWeill | @​jupyterlab-probot | @​kiliansinger | @​krassowski | @​lumberbot-app | @​nluetts | [@

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.