chore(deps): bump jupyter/pytest to close dependabot security alerts#668
Open
LuciferYang wants to merge 1 commit into
Bumps in docker/requirements.txt (notebook demo image):

- jupyter-server 1.24.0 → 2.20.0 (1 critical + 3 high + 4 medium CVEs)
- jupyterlab 3.6.7 → 4.5.9 (3 high + 1 medium + 1 low CVEs)
- pytest 8.3.5 → 9.0.3 (1 medium CVE)
- pytest-timeout 2.3.1 → 2.4.0 (compat bump alongside pytest 9)

Closes Dependabot alerts lance-format#1-lance-format#4, lance-format#6-lance-format#15 in docker/requirements.txt.

Blast radius: this file is consumed only by docker/Dockerfile (the interactive notebook image built via 'make docker-build'). CI test images (docker/Dockerfile.test-base) install their pytest deps independently and are unaffected.

The 1.x → 2.x jupyter-server jump renames the config class from NotebookApp to ServerApp. The notebook launcher in docker/Dockerfile already uses --ServerApp.token/--ServerApp.password (2.x style), so those flags become effective under 2.x rather than being silently ignored under 1.x.
Summary

Bumps three pinned Python packages in `docker/requirements.txt` to close all 14 open Dependabot security alerts on this file.

| Package | From | To |
|---|---|---|
| jupyter-server | 1.24.0 | 2.20.0 |
| jupyterlab | 3.6.7 | 4.5.9 |
| pytest | 8.3.5 | 9.0.3 |
| pytest-timeout | 2.3.1 | 2.4.0 |

Full list: https://github.com/lance-format/lance-spark/security/dependabot

The critical one is #14 — a stored-XSS in `NbconvertFileHandler` (jupyter-server ≤ 2.19.0, GHSA advisory).

Blast radius

`docker/requirements.txt` is consumed only by `docker/Dockerfile` — the interactive Jupyter/notebook demo image built by `make docker-build`. The CI integration-test image (`docker/Dockerfile.test-base`, exercised by the Spark, Spark AWS, and Spark Search Docker workflows via `.github/actions/docker-build`) installs its own pytest dependencies via `pip install pytest pytest-timeout packaging azure-storage-blob boto3` and is not affected by this file — its `pytest` will pick up the latest at build time regardless.

So this bump changes the notebook demo image only, not the CI test image and not the Maven build.

jupyter-server 1.x → 2.x compatibility note

The 1.x → 2.x jump renames the primary config class from `NotebookApp` to `ServerApp`. The notebook launcher in `docker/Dockerfile` already uses the 2.x-style flags (`--ServerApp.token=''`, `--ServerApp.password=''`, `--port=8888`), so those flags become effective under 2.x rather than being silently ignored under 1.x. This is a bug fix, not a regression.

jupyterlab 3.x → 4.x is also a major bump, but the launcher only invokes `jupyter-lab` (no dependency on 3.x-specific extension APIs), so risk is low.

Test plan

The Spark Search Docker workflow does trigger on `docker/**` changes and gets exercised on this PR (via `.github/actions/docker-build`), but its build path uses `docker/Dockerfile.test-base` → `docker/Dockerfile.test` — neither of those Dockerfiles reads `docker/requirements.txt`. `Dockerfile.test-base` installs its own pytest deps inline (`pip install pytest pytest-timeout packaging azure-storage-blob boto3`, no pin file), and `Dockerfile.test` only adds the lance-spark bundle on top. So a green Search Docker run confirms `docker/**` changes didn't break the CI image layout, but it does not exercise this bump.

The interactive notebook image (`docker/Dockerfile`, `make docker-build`) is the sole consumer of `requirements.txt`, and no CI job builds it today. So verification was done locally against a minimal image that mirrors the apt + venv layers of `docker/Dockerfile` exactly, with the new `requirements.txt` pinned in.

- Smoke image (identical apt packages, `python3 -m venv /opt/venv`, `pip install -r requirements.txt`) built cleanly on Ubuntu 24.04.
- Installed versions (verified via `pip show` inside the image):

Runtime checks:

- Simulating the `docker/Dockerfile` notebook launcher — `jupyter-lab --ServerApp.token='' --ServerApp.password='' --port=8888 --no-browser --allow-root`:
- One expected WARN: `ServerApp.token config is deprecated in 2.0. Use IdentityProvider.token.` — the flags still work; migrating to `IdentityProvider.token` is a separate concern and not in scope for this security-bump PR.

Follow-up (not part of this PR)

The CI gap that let all 14 alerts accumulate — `docker/Dockerfile` never being built by CI, even though `docker/**` changes trigger the Search Docker workflow — is worth closing with its own PR (`chore(ci): build docker/Dockerfile on changes to docker/Dockerfile or docker/requirements.txt` — build-only, no publish). Not bundled here per "one PR, one concern."
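The test plan above verifies the pins by hand with `pip show` inside a smoke image. As an added example (this is not code from the PR or from the lance-spark project), here is a small check that automates that step: it parses `==` pins from a requirements file, compares each against the minimum fixed version, and does the same against what is actually installed in the environment. The minimum versions are the targets stated in the PR description; the two sample requirements texts are constructed here from the before/after pins the PR lists and are not the repository's real file. Version comparison is limited to the numeric release segment, which is enough for exact pins like these.

```python
"""Check that requirements.txt pins meet the minimum versions that close the alerts.

Added example for this PR; not part of lance-spark. MINIMUMS comes from the
PR description, the sample requirements text below is constructed.
"""
import re
from importlib import metadata
from typing import Dict, List, Tuple

# Minimum versions named in the PR as closing the Dependabot alerts.
MINIMUMS: Dict[str, str] = {
    "jupyter-server": "2.20.0",
    "jupyterlab": "4.5.9",
    "pytest": "9.0.3",
    "pytest-timeout": "2.4.0",
}

# Constructed sample: the pre-bump pins the PR describes (not the real file).
OLD_REQUIREMENTS = """\
# notebook demo image deps
jupyter-server==1.24.0
jupyterlab==3.6.7
pytest==8.3.5
pytest-timeout==2.3.1
"""

# Constructed sample: the post-bump pins the PR describes.
NEW_REQUIREMENTS = """\
jupyter-server==2.20.0
jupyterlab==4.5.9
pytest==9.0.3
pytest-timeout==2.4.0
"""

# name[extras]==version ; anything that is not an exact pin is deliberately
# not matched, so a `>=` line in a pin file shows up as "not pinned".
_PIN = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of -, _, . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric release segment only: '1.24.0' -> (1, 24, 0).

    Pre-release / post-release suffixes are dropped; tuple comparison then
    orders versions correctly for the plain X.Y.Z pins used here.
    """
    release = re.match(r"[0-9]+(\.[0-9]+)*", version).group(0)
    return tuple(int(part) for part in release.split("."))


def parse_pins(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version for every `==` line."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        match = _PIN.match(line)
        if match:
            pins[normalize(match.group(1))] = match.group(3)
    return pins


def audit_pins(text: str, minimums: Dict[str, str] = MINIMUMS) -> List[str]:
    """One finding per package that is missing or pinned below its minimum."""
    pins = parse_pins(text)
    findings: List[str] = []
    for name, minimum in minimums.items():
        pinned = pins.get(normalize(name))
        if pinned is None:
            findings.append(f"{name}: not pinned (need >= {minimum})")
        elif parse_version(pinned) < parse_version(minimum):
            findings.append(f"{name}: {pinned} < {minimum}")
    return findings


def audit_installed(minimums: Dict[str, str] = MINIMUMS) -> List[str]:
    """Same check against the installed distributions (what `pip show` reports)."""
    findings: List[str] = []
    for name, minimum in minimums.items():
        try:
            installed = metadata.version(name)
        except metadata.PackageNotFoundError:
            findings.append(f"{name}: not installed")
            continue
        if parse_version(installed) < parse_version(minimum):
            findings.append(f"{name}: installed {installed} < {minimum}")
    return findings


if __name__ == "__main__":
    print("old pins:", audit_pins(OLD_REQUIREMENTS) or "ok")
    print("new pins:", audit_pins(NEW_REQUIREMENTS) or "ok")
    print("installed:", audit_installed() or "ok")
```

Run inside the smoke image after `pip install -r requirements.txt`; a non-empty result from `audit_installed()` means the image did not end up with the versions the pin file claims, which is the case `pip show` was checking by eye. A non-empty result from `audit_pins()` on the file itself is the earlier signal, usable in CI on any `docker/requirements.txt` change without building the image.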