jupyterlab - Debian Package Tracker

general

source: jupyterlab (main)
version: 4.0.13+ds1+~2.0.1+~cs1.4.4-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Roland Mas [DMD] – Bastien Roucariès [DMD] – Yadd [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 4.0.11+ds1+~cs11.25.27-7
testing: 4.0.11+ds5+~cs11.25.27-1
unstable: 4.0.13+ds1+~2.0.1+~cs1.4.4-1

versioned links

4.0.11+ds1+~cs11.25.27-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.11+ds5+~cs11.25.27-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.13+ds1+~2.0.1+~cs1.4.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jupyterlab (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 4.6.0b1+~4.0.0b0+~cs1.4.4 high

A new upstream version 4.6.0b1+~4.0.0b0+~cs1.4.4 is available, you should consider packaging it.

Created: 2026-05-26 Last update: 2026-06-04 10:30

9 security issues in trixie high

There are 9 open security issues in trixie.

8 important issues:

CVE-2024-56334: systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2025-68154: systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch.
CVE-2026-26280: systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync('iwlist ${iface} scan')`. Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process. Version 5.30.8 fixes the issue.
CVE-2026-26318: systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.
CVE-2026-40171: In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.
CVE-2026-42266: JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
CVE-2026-42557: jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.
CVE-2026-44724: systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6.

1 issue left for the package maintainer to handle:

CVE-2025-59842: (needs triaging) jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-09-27 Last update: 2026-06-03 17:19

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2025-59842: jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8.
CVE-2026-40171: In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.
CVE-2026-42266: JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
CVE-2026-42557: jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

Created: 2025-09-27 Last update: 2026-06-03 17:19

4 security issues in forky high

There are 4 open security issues in forky.

4 important issues:

CVE-2025-59842: jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8.
CVE-2026-40171: In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.
CVE-2026-42266: JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
CVE-2026-42557: jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

Created: 2025-09-27 Last update: 2026-06-03 17:19

lintian reports 21 warnings high

Lintian reports 21 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-27 Last update: 2026-06-01 22:30

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2026-01-14 Last update: 2026-06-04 11:19

AppStream hints: 1 warning for jupyterlab normal

AppStream found metadata issues for packages:

jupyterlab: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2025-06-05 Last update: 2025-06-05 23:30

debian/patches: 1 patch to forward upstream low

Among the 16 debian patches available in version 4.0.13+ds1+~2.0.1+~cs1.4.4-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2026-05-22 Last update: 2026-06-01 19:03

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-06-01 16:30

testing migrations

excuses:
- Migration status for jupyterlab (4.0.11+ds5+~cs11.25.27-1 to 4.0.13+ds1+~2.0.1+~cs1.4.4-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for ipywidgets/8.1.5-7: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for jupyter-notebook/7.0.0-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for jupyterlab/4.0.13+ds1+~2.0.1+~cs1.4.4-1: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: No tests, superficial or marked flaky ♻
- ∙ ∙ Autopkgtest for node-ipydatagrid/1.4.0+~cs14.21.116-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Too young, only 3 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/j/jupyterlab.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[rss feed]

[2026-06-01] Accepted jupyterlab 4.0.13+ds1+~2.0.1+~cs1.4.4-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-30] jupyterlab 4.0.11+ds5+~cs11.25.27-1 MIGRATED to testing (Debian testing watch)
[2026-05-27] Accepted jupyterlab 4.0.11+ds5+~cs11.25.27-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-26] Accepted jupyterlab 4.0.11+ds4+~cs11.25.27-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-26] Accepted jupyterlab 4.0.11+ds4+~cs11.25.27-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-25] Accepted jupyterlab 4.0.11+ds4+~cs11.25.27-2 (source all) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-25] Accepted jupyterlab 4.0.11+ds4+~cs11.25.27-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-25] Accepted jupyterlab 4.0.11+ds3+~cs11.25.27-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-22] Accepted jupyterlab 4.0.11+ds2+~cs11.25.27-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-03-13] jupyterlab 4.0.11+ds2+~cs11.25.27-1 MIGRATED to testing (Debian testing watch)
[2026-03-08] Accepted jupyterlab 4.0.11+ds2+~cs11.25.27-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-09] jupyterlab 4.0.11+ds1+~cs11.25.27-9 MIGRATED to testing (Debian testing watch)
[2025-12-03] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-9 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-11-13] jupyterlab 4.0.11+ds1+~cs11.25.27-8 MIGRATED to testing (Debian testing watch)
[2025-11-07] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-8 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-06-26] jupyterlab 4.0.11+ds1+~cs11.25.27-7 MIGRATED to testing (Debian testing watch)
[2025-06-05] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-7 (source) into unstable (Picca Frédéric-Emmanuel)
[2025-04-08] jupyterlab 4.0.11+ds1+~cs11.25.27-6 MIGRATED to testing (Debian testing watch)
[2025-04-02] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2025-03-28] jupyterlab 4.0.11+ds1+~cs11.25.27-5 MIGRATED to testing (Debian testing watch)
[2025-03-22] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-5 (source) into unstable (Roland Mas)
[2024-12-31] jupyterlab 4.0.11+ds1+~cs11.25.27-4 MIGRATED to testing (Debian testing watch)
[2024-12-26] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-12-01] jupyterlab 4.0.11+ds1+~cs11.25.27-3 MIGRATED to testing (Debian testing watch)
[2024-11-25] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-09-03] jupyterlab 4.0.11+ds1+~cs11.25.27-2 MIGRATED to testing (Debian testing watch)
[2024-08-27] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-08-12] Accepted jupyterlab 4.0.11+ds1+~cs11.25.27-1 (source all) into unstable (Debian FTP Masters) (signed by: Xavier Guimard)
[2024-05-14] jupyterlab REMOVED from testing (Debian testing watch)
[2024-04-07] jupyterlab 4.0.11+ds1-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 4
RC: 0
I&N: 3
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 21)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.0.11+ds1+~cs11.25.27-9