Vulnerabilities in bundled javascript libraries? #150
Comments
@echarles Yes, I can confirm that! Those changes addressed this issue, so with that I think we can close this! Thank you @wshanks for submitting this issue and bringing these CVEs to our attention! For future reference, I would like to add here a link to the Jupyter Security outline on handling and reporting CVEs: https://jupyter.org/security
Thanks, @RRosio! Sorry, when I opened this, I was thinking of these as annoying nags from a scanning tool rather than actual security vulnerabilities, but I will follow jupyter.org/security next time.
@RRosio Following the recommendation from https://jupyter.org/security, I tried sending an email to [email protected] about another JS library with CVEs, but the email was bounced by Google Groups. From jupyter/security#14, I would guess it was getting too much spam and closed outside email? Do you have a recommendation for how I should report the library? I can open another issue like this one if you want. I see that someone did that in #183.
Hi @wshanks, thank you for reaching out here. We really do appreciate security vulnerabilities being reported through the process outlined by the security committee, unless they are unexpectedly reported as an issue. It seems like some of us may be receiving the email from Google indicating that our email has bounced back, but it has actually made it through to the group. We are not sure why this issue is happening, but I believe that you should be receiving a reply to your report soon!
I haven't seen any reply so far. There is still one JS library with CVEs opened against it. Also, #183 addressed a CVE in another JS library, but there has been no release since that was merged. I am just giving an update and not trying to nag 🙂 Personally, I can't use nbclassic at work when it contains CVEs, so it would be nice to address them, but I can survive.
We have also merged https://github.com/jupyter/nbclassic/pull/152/files which upgrades some other JS libs. As soon as #195 is done, we will cut a release. Does the current main branch address the CVE you have identified? If not, what else should we do before the release?
Correct me if I'm wrong @wshanks, but I believe based on your comments earlier that there is another JS dependency that you were emailing about, which was not initially reported in this issue and therefore not addressed in #152. Apologies about not receiving a reply after emailing the security group email. I don't have access to it myself. @echarles I had initially suggested that @wshanks email the security group email to report an additional JS dependency vulnerability; however, it seems Will has not yet received a reply, and I don't know who has received communication of this vulnerability. Would it be best to have that reported in an issue so that the upcoming release includes the upgrade?
@wshanks could you open a separate issue with the JS dep(s) that need to be upgraded before the upcoming release? Thx
A security scanning tool flagged a few of the bundled JavaScript libraries in notebook version 6.4.12 as insecure. From what I understand, going forward notebook will draw its JavaScript components from this package. Should these components be updated, or have the vulnerabilities been considered and deemed not applicable to notebook/nbclassic? Sorry if this is noise. I just wanted to pass along what I noticed. Here is a summary:
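The summary the reporter refers to is not reproduced on this page. As an added example, not code from the original issue or from the nbclassic or notebook projects, the Python script below shows what a dependency scanner does when it flags bundled JavaScript libraries in a Python package: it walks the package's static directory, reads the version banner that minified libraries keep at the top of the file, and compares that version against an advisory list. The library names (`libalpha`, `libbeta`), file contents, the `static/components/` layout and the affected version ranges are constructed placeholders for illustration, not real libraries or real advisories.

```python
"""Added example: find bundled JavaScript libraries by their version banner and
check each version against an advisory list. All sample data is constructed."""
import re
import tempfile
from pathlib import Path

# Matches the banner most bundled/minified libraries keep at the top of the file,
# e.g. "/*! libalpha v1.2.3 | MIT */" or "/** @license libbeta.js 2.0.5 */".
BANNER_RE = re.compile(
    r"/\*[!*]?\s*(?:@license\s+)?([A-Za-z][\w.-]*?)(?:\.js)?\s+v?(\d+\.\d+\.\d+)"
)

# Constructed advisory list (placeholder libraries, not real CVE data):
# name -> list of (first_affected, first_fixed); a version is affected when
# first_affected <= version < first_fixed, so the fixed release itself is clean.
ADVISORIES = {
    "libalpha": [((1, 0, 0), (1, 3, 0))],
    "libbeta": [((2, 0, 0), (2, 0, 5)), ((3, 0, 0), (3, 1, 2))],
}


def parse_version(text):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def detect_banner(js_text):
    """Return (library_name, version_tuple) from the leading banner, or None."""
    # Banners sit at the top; there is no need to regex the whole bundle.
    match = BANNER_RE.search(js_text[:2048])
    if not match:
        return None
    return match.group(1).lower(), parse_version(match.group(2))


def is_affected(name, version, advisories=ADVISORIES):
    """True if any advisory range for this library contains the version."""
    return any(lo <= version < hi for lo, hi in advisories.get(name, []))


def scan_tree(root, advisories=ADVISORIES):
    """Walk a package's static directory and report every bundled library found."""
    findings = []
    for path in sorted(Path(root).rglob("*.js")):
        hit = detect_banner(path.read_text(encoding="utf-8", errors="replace"))
        if hit is None:
            continue  # no recognisable banner; real scanners fall back to file hashes
        name, version = hit
        findings.append({
            "path": str(path.relative_to(root)),
            "library": name,
            "version": ".".join(map(str, version)),
            "affected": is_affected(name, version, advisories),
        })
    return findings


def build_sample_tree(root):
    """Write constructed minified files in an assumed static/components/ layout."""
    root = Path(root)
    samples = {
        "static/components/libalpha/libalpha.min.js":
            "/*! libalpha v1.2.3 | (c) example | MIT */!function(){}();",
        "static/components/libbeta/libbeta.min.js":
            "/** @license libbeta.js 2.0.5 */(function(){})();",
        "static/components/libbeta/plugin.js":
            "/*! libbeta.js 3.0.4 plugin build */window.x=1;",
        "static/custom/custom.js":
            "// project code, no banner\nwindow.y=2;",
    }
    for rel, text in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
    return root


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        status = "FLAGGED" if finding["affected"] else "ok"
        print(f"{status:8}{finding['library']} {finding['version']}  {finding['path']}")
```

The comparison is against the version actually shipped in the package, which is why, as noted in the thread, a fix merged on the main branch does not clear a finding until a release carries it. A banner-only scanner also misses libraries whose header comment was stripped by the bundler, so a practitioner cross-checks with the package's own manifest or file hashes before concluding a tree is clean.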