chore(deps): update dependency jupyterlab to v4.0.11 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jupyterlab (changelog)	4.0.9 -> 4.0.11

GitHub Vulnerability Alerts

CVE-2024-22420

Impact

The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

Patches

JupyterLab v4.0.11 was patched.

Workarounds

Users can either disable the table of contents extension by running:

jupyter labextension disable @​jupyterlab/toc-extension:registry

References

Vulnerability reported via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

CVE-2024-22421

Impact

Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version.

Patches

JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.

Workarounds

No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

References

Vulnerability reported by user @​davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

---

Release Notes

jupyterlab/jupyterlab (jupyterlab)

v4.0.11

Compare Source

4.0.11

(Full Changelog)

Security fixes

• Potential authentication and CSRF tokens leak in JupyterLab (GHSA-44cc-43rp-5947)
• SXSS in Markdown Preview (GHSA-4m77-cmpx-vjc4)

Bugs fixed

• Fixes focus indicator on input checkbox for Firefox #​15612 (@​alden-ilao)

Documentation improvements

• Fix link to yarn docs in extension migration guide #​15640 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​brichet | @​fcollonval | @​github-actions | @​jtpio | @​jupyterlab-probot | @​krassowski | @​meeseeksmachine | @​misterfads | @​welcome

v4.0.10

Compare Source

4.0.10

(Full Changelog)

Bugs fixed

• Backport PR #​15386: Improve scrolling to heading #​15565 (@​krassowski)
• Workaround focus leaving input box on consecutive submissions #​15479 (@​krassowski)
• Fix search coming back in notebook and editor #​15443 (@​krassowski)
• Fix jupyter labextension watch --help #​15542 (@​akx)
• Fix FormComponent showing error indicators in all fields when using a customValidate function #​15464 (@​mmichilot)
• Fix Shift + L not working in stdin #​15440 (@​krassowski)

Maintenance and upkeep improvements

• Backport PR #​15499: Adopt ruff format #​15564 (@​krassowski)
• Pin actions/labeler to v4 to fix failing CI action #​15496 (@​krassowski)
• Fix URLs in debugger-extension #​15462 (@​fcollonval)
• More robust galata/UI tests #​15355 (@​krassowski)

Documentation improvements

• Backport PR #​15499: Adopt ruff format #​15564 (@​krassowski)

Contributors to this release

(GitHub contributors page for this release)

@​afshin | @​brichet | @​davidbrochart | @​echarles | @​fcollonval | @​g547315 | @​gabalafou | @​GabrielaVives | @​github-actions | @​j264415 | @​jtpio | @​jupyterlab-probot | @​krassowski | @​lumberbot-app | @​meeseeksmachine | @​parmentelat | @​tonyfast | @​welcome | @​Wh1isper

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.