Skip to content

chore(deps): update dependency jupyterlab to v4.5.9 [security]#686

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/pypi-jupyterlab-vulnerability
Jun 23, 2026
Merged

chore(deps): update dependency jupyterlab to v4.5.9 [security]#686
renovate[bot] merged 1 commit into
mainfrom
renovate/pypi-jupyterlab-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
jupyterlab (changelog) 4.5.74.5.9 age confidence

JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol

GHSA-vmhf-c436-hxj4

More information

Details

A malicious PyPI package can place a javascript: URL in its [project.urls] metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origin.

Details

One of the PyPI package's URL (jupyterlab/extensions/pypi.py) is copied straight into the homepage_url rendered by the frontend in packages/extensionmanager/src/widget.tsx#L77-L88.

best_guess_home_url = (
    homepage_url            # home_page / [project.urls] Homepage
    or data.get("project_url")
    or data.get("package_url")
    or documentation_url    # docs_url / [project.urls] Documentation
    or source_url           # [project.urls] Source Code
    or bug_tracker_url      # bugtrack_url / [project.urls] Bug Tracker
)

##### homepage_url=best_guess_home_url
{entry.homepage_url ? (
  <a href={entry.homepage_url} target="_blank" rel="noopener noreferrer" ...>
    {entry.name}
  </a>
) : ( <div>{entry.name}</div> )}
Impact

An attacker needs to publish a package to PyPI (no access to the target). When the package appears in a victim's extension manager list and the victim clicks the extension name, the payload runs in the JupyterLab origin.

Preconditions: Extension Manager enabled with the default PyPI source, the malicious package appears in the victim's list/search results.

Patches

Patched in 4.5.9, commits 4e61e07 and d5d961f

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

jupyterlab/jupyterlab (jupyterlab)

v4.5.9

Compare Source

4.5.9

(Full Changelog)

Bugs fixed
Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​arun-357 (activity) | @​Darshan808 (activity) | @​krassowski (activity) | @​MUFFANUJ (activity) | @​Yann-P (activity)

v4.5.8

Compare Source

4.5.8

(Full Changelog)

Bugs fixed
Maintenance and upkeep improvements
Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​AliMahmoudDev (activity) | @​CrafterKolyan (activity) | @​Darshan808 (activity) | @​krassowski (activity)

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner June 22, 2026 05:17
@renovate renovate Bot added bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min) labels Jun 22, 2026
@renovate renovate Bot enabled auto-merge (squash) June 22, 2026 05:17
@renovate renovate Bot force-pushed the renovate/pypi-jupyterlab-vulnerability branch from a87687e to 1101b43 Compare June 22, 2026 12:12
@sonarqubecloud

sonarqubecloud Bot commented Jun 22, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot merged commit 3370c71 into main Jun 23, 2026
24 of 26 checks passed
@renovate renovate Bot deleted the renovate/pypi-jupyterlab-vulnerability branch June 23, 2026 06:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olivermeyer olivermeyer olivermeyer approved these changes

Assignees

No one assigned

Labels

bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@olivermeyer