Bump jupyter-server to 2.18.0 and pin root_dir#286
Conversation
Bumps the pip group with 1 update in the /template directory: [jupyter-server](https://github.com/jupyter-server/jupyter_server). Updates `jupyter-server` from 2.16.0 to 2.18.0 - [Release notes](https://github.com/jupyter-server/jupyter_server/releases) - [Changelog](https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md) - [Commits](jupyter-server/jupyter_server@v2.16.0...v2.18.0) --- updated-dependencies: - dependency-name: jupyter-server dependency-version: 2.18.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
jupyter-server 2.18.0 (CVE-2026-35397) rejects session creation when the contents root resolves to "/", which is the systemd process cwd. Pin root_dir to /home/user so POST /api/sessions succeeds. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
PR SummaryMedium Risk Overview Without an explicit root, the server uses Includes a patch changeset for Reviewed by Cursor Bugbot for commit b6b644e. Bugbot is set up for automated code reviews on this repo. Configure here. |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM — straightforward dep bump with a well-justified root_dir pin to /home/user (the established sandbox cwd).
Extended reasoning...
Overview
This PR bumps jupyter-server from 2.16.0 to 2.18.0 in template/requirements.txt and adds c.ServerApp.root_dir = "/home/user" to template/jupyter_server_config.py. The PR description explains the motivation clearly: 2.18.0 ships path-traversal hardening (CVE-2026-35397) that rejects session creation when the contents root resolves to /, which is the cwd of the systemd-launched process. Without the explicit pin, every POST /api/sessions would fail.
Security risks
None of concern. The change moves in the safer direction by picking up upstream security hardening. The pinned root_dir of /home/user is the well-established sandbox working directory — it is the user owned via chown -R user:user /home/user in template/template.py, the default cwd in template/server/api/models/create_context.py, and the cwd used throughout template/server/main.py and the test suite (python/tests/*/test_cwd.py, js/tests/cwd.test.ts).
Level of scrutiny
Low. The changes total two small edits in template/build configuration. The root_dir value matches the existing convention everywhere else in the codebase, and the dependency bump is a minor version update carrying a security fix. The detailed inline comment makes the intent obvious to future readers.
Other factors
No bugs were found by the bug hunting system. The PR supersedes a dependabot bump (#274) and explains why the straight bump alone is insufficient. No outstanding reviewer comments require addressing.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2 participants
Supersedes #274 (dependabot bump of jupyter-server 2.16.0 → 2.18.0).
The straight dependency bump breaks the sandbox: jupyter-server 2.18.0 ships path-traversal hardening (CVE-2026-35397) that rejects session creation when the contents root resolves to
/— which is the cwd of the systemd-launched process (jupyter.servicehas noWorkingDirectory). EveryPOST /api/sessionsthen fails with<uuid> is outside root contents directoryand the server never serves.This PR carries the same bump plus pins
c.ServerApp.root_dir = "/home/user"intemplate/jupyter_server_config.pyso sessions are created relative to the execution cwd.Changes
jupyter-server2.16.0 → 2.18.0 (template/requirements.txt)root_dirto/home/user(template/jupyter_server_config.py)🤖 Generated with Claude Code