Vulnerabilities in bundled javascript libraries?

[wshanks]

A security scanning tool flagged a few of the bundled javascript libraries in notebook version 6.4.12 as insecure. From what I understand, going forward notebook will draw its javascript components from this package. Should these components be updated or have the vulnerabilities been considered and deemed not applicable to notebook/nbclassic? Sorry if this is noise. I just wanted to pass along what I noticed.

Here is a summary:

• CodeMirror less than 5.58.2 CVE
• marked less than 1.1.1 Patch (no CVE)
• jquery-ui less than 1.13.0 CVE, CVE2, CVE3.
• underscore less than 1.13.0-2 CVE

[echarles]

@RRosio I think this has been addressed in #152

Can you please confirm?

[RRosio]

@echarles Yes I can confirm that! Those changes addressed this issue so with that I think we can close this! Thank you @wshanks for submitting this issue and bringing these CVEs to our attention! For future reference I would like to add here a link to the Jupyter Security outline on handling reporting CVEs https://jupyter.org/security

[wshanks]

Thanks, @RRosio! Sorry, when I opened this, I was thinking of these as annoying nags from a scanning tool rather than actual security vulnerabilities, but I will follow jupyter.org/security next time.

[wshanks]

@RRosio Following the recommendation from https://jupyter.org/security, I tried sending an email to [email protected] about another JS library with CVE's, but the email was bounced by Google Groups. From jupyter/security#14, I would guess it was getting too much spam and closed outside email? Do you have a recommendation for how I should report the library? I can open another issue like this one if you want. I see that someone did that in #183.

[RRosio]

Hi @wshanks, thank you for reaching out here. We really do appreciate security vulnerabilities being reported through the process outlined by the security committee, unless they are unexpectedly reported as an issue. It seems like some of us may be receiving the email from Google indicating that our email has bounced back but it has actually made it through to the group. We are not sure why this issue is happening, but I believe that you should be receiving a reply to your report soon!

[wshanks]

I haven't seen any reply so far. There is still one JS library with CVE's opened against it. Also, #183 addressed a CVE in another JS library, but there has been no release since that was merged.

I am just giving an update and not trying to nag 🙂 Personally, I can't use nbclassic at work when it contains CVE's, so it would be nice to address them, but I can survive.

[echarles]

We have also merged https://github.com/jupyter/nbclassic/pull/152/files which upgrades some other js libs.

As soon as #195 is done, we will cut a release. Does the current main branch addresses the CVE you have identified? If not, what else should we do before the release?

[RRosio]

Correct me if I'm wrong @wshanks, but I believe based on your comments earlier that there is another JS dependency that you were emailing about, which was not initially reported in this issue and therefore not addressed in #152. Apologies about not receiving a reply after emailing the security group-email. I don't have access to it myself.

@echarles I had initially suggested that @wshanks email the security group-email to report an additional JS dependency vulnerability, however it seems Will has not yet received a reply, and I don't know who has received communication of this vulnerability. Would it be best to have that reported in an issue so that the upcoming release includes the upgrade?

[echarles]

@wshanks could you open a separated issue with the JS dep(s) that need to be upgraded before the upcoming release? Thx

[wshanks]

Thanks @echarles and @RRosio, I opened #200 for the remaining JS dep.