
Mistune version brought in by JupyterLab and nbconvert has CVE against it

Open Einse57 opened this issue 3 years ago • 1 comments

The version of Mistune being used by JupyterLab and nbconvert has an active CVE against it: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749.

nbconvert recently updated to mistune 2.0.2, but the fix is in 2.0.3. It looks like they plan to migrate to mistune 3.0+: https://github.com/jupyter/nbconvert/pull/1820

JupyterLab is using the latest version of nbconvert. https://github.com/jupyterlab/jupyterlab/blob/c30f8094b1926010cc9e969709e01020fe3dd99d/pyproject.toml

Einse57 avatar Aug 23 '22 21:08 Einse57
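The thread's point is a version boundary: mistune 2.0.2 is affected by CVE-2022-34749 and 2.0.3 is the first fixed release. The script below is an added example, not code from openfl, nbconvert or JupyterLab; it checks whichever mistune is installed in the current environment against that boundary. The 2.0.3 threshold comes from the issue text; the `parse_version`, `is_vulnerable` and `check_environment` names are this example's own, and it uses only the standard library so that the comparison is done on numeric tuples rather than on strings (where "2.0.10" would sort before "2.0.3").

```python
"""Check whether the installed mistune predates the release that fixes
CVE-2022-34749 (2.0.3, per the issue above).

Added example; not part of openfl, nbconvert or JupyterLab.
"""
import re
from importlib import metadata
from typing import Optional, Tuple

# First release carrying the fix, as stated in the issue. Constructed constant.
FIXED_VERSION = "2.0.3"

# Markers that PEP 440 treats as pre-releases (older than the final release).
_PRE_RELEASE = re.compile(r"^[-._]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version string into a tuple that compares correctly.

    Only the numeric release segment is used, followed by a trailing 0 for a
    final release or -1 for a pre-release, so that 2.0.3rc1 < 2.0.3 and
    2.0.10 > 2.0.3 (tuple comparison, not string comparison).
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    suffix = m.group(2).strip()
    marker = -1 if _PRE_RELEASE.match(suffix) else 0
    return release + (marker,)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is strictly older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def installed_mistune_version() -> Optional[str]:
    """Installed mistune version from package metadata, or None if absent."""
    try:
        return metadata.version("mistune")
    except metadata.PackageNotFoundError:
        return None


def check_environment(fixed: str = FIXED_VERSION) -> dict:
    """Summarise the local environment's exposure as a plain dict.

    `vulnerable` is None when mistune is not installed at all.
    """
    installed = installed_mistune_version()
    return {
        "package": "mistune",
        "fixed_version": fixed,
        "installed": installed,
        "vulnerable": None if installed is None else is_vulnerable(installed, fixed),
    }


if __name__ == "__main__":
    result = check_environment()
    if result["installed"] is None:
        print("mistune is not installed in this environment")
    elif result["vulnerable"]:
        print(f"mistune {result['installed']} is older than {result['fixed_version']}: "
              "upgrade (nbconvert >= 7.0.0 requires mistune >= 2.0.3)")
    else:
        print(f"mistune {result['installed']} is at or above {result['fixed_version']}")
```

Running it inside the JupyterLab environment tells you whether the pin discussed in this issue has actually reached your install; a pre-release such as 2.0.3rc1 is deliberately reported as older than 2.0.3, and post-releases (e.g. 2.0.3.post1) are treated as the final release.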

The newest release from nbconvert, version 7.0.0, is using mistune 2.0.3 (see the pyproject.toml), but mistune 2.0.4 also works.

marmitar avatar Aug 26 '22 04:08 marmitar

@Einse57 per @TiagodePAlves's note, this is now resolved. mistune >=2.0.3 is required by nbconvert.

psfoley avatar Dec 12 '22 22:12 psfoley