
chore(deps): bump notebook from 7.5.5 to 7.5.6#614

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/notebook-7.5.6

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 30, 2026

Bumps notebook from 7.5.5 to 7.5.6.

Release notes

Sourced from notebook's releases.

v7.5.6

7.5.6

(Full Changelog)

Security patches

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity) | @​RamiNoodle733 (activity)

Changelog

Sourced from notebook's changelog.

7.5.6

(Full Changelog)

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity) | @​RamiNoodle733 (activity)

Commits

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 30, 2026
@dependabot dependabot Bot added the python:uv Pull requests that update python:uv code label Apr 30, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 30, 2026 18:06
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 30, 2026
Bumps [notebook](https://github.com/jupyter/notebook) from 7.5.5 to 7.5.6.
- [Release notes](https://github.com/jupyter/notebook/releases)
- [Changelog](https://github.com/jupyter/notebook/blob/@jupyter-notebook/tree@7.5.6/CHANGELOG.md)
- [Commits](https://github.com/jupyter/notebook/compare/@jupyter-notebook/tree@7.5.5...@jupyter-notebook/tree@7.5.6)

---
updated-dependencies:
- dependency-name: notebook
  dependency-version: 7.5.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/notebook-7.5.6 branch from 0cc9a0c to 85d9b79 Compare May 5, 2026 08:10
@helmut-hoffer-von-ankershoffen
Contributor

helmut-hoffer-von-ankershoffen commented May 6, 2026

🛡️ Cross-link from supply-chain audit routine

The pysdk-audit-daily cloud routine ran today (2026-05-06) and tracked this PR — plus #628 (jupyter-server bump) — in PYSDK-124.

Why this PR matters for downstream consumers: the notebook 7.5.5 → 7.5.6 bump closes CVE-2026-40171 (High, CVSS 8.4 — stored XSS / token theft via CommandLinker) reaching consumers via the aignostics[jupyter] extra. Until this lands, a pip install aignostics[jupyter] resolves a vulnerable notebook.

Current blocker: sonarcloud is the only failing required check (audit / lint / tests are green here). Once #628 also lands, the next audit-daily run will follow up by raising the matching pyproject.toml lower bounds (notebook>=7.5.6, jupyter-server>=2.18.0, jupyterlab>=4.5.7) so consumer resolvers can no longer pick up the vulnerable versions.

Note: the routine deliberately did not rebase this PR or recreate it — per the audit-vulnerabilities skill, autonomous routines don't trigger dependency upgrades; that decision stays with a human. PYSDK-124 documents the full picture and recommended remediation path.


Generated by Claude Opus 4.7 (cloud routine pysdk-audit-daily) for helmut@aignostics.com
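As an added illustration of the lower-bound remediation the comment above describes (example code, not the project's or the audit routine's own): a small check over a hypothetical `[project.optional-dependencies]` extra that flags requirements whose floor still admits a version below the fixed releases named above. The sample specifiers, the pure-Python specifier parsing and the release-only version comparison are assumptions.

```python
import re

# Constructed example: the fixed versions named in the audit comment above.
FIXED_VERSIONS = {"notebook": "7.5.6", "jupyter-server": "2.18.0", "jupyterlab": "4.5.7"}

# Constructed sample of a [project.optional-dependencies] extra, before and
# after the lower bounds are raised; not the project's actual pyproject.toml.
EXTRA_BEFORE = ["notebook>=7.5.5", "jupyter-server>=2.17", "jupyterlab>=4.5.0,<5"]
EXTRA_AFTER = ["notebook>=7.5.6", "jupyter-server>=2.18.0", "jupyterlab>=4.5.7,<5"]


def normalize(name):
    """PEP 503 normalisation: case-insensitive, with '-', '_' and '.' treated alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """'7.5.6' -> (7, 5, 6, 0). Pre/post/dev suffixes are dropped (assumption: release-only compare)."""
    parts = [int(p) for p in re.match(r"[0-9.]*", version).group(0).split(".") if p][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def lower_bound(spec):
    """Highest floor from '>=', '>', '==' or '~=' clauses, or None ('>' is treated as '>=': conservative)."""
    best = None
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|>|==|~=)\s*([0-9A-Za-z.]+)\s*", clause)
        if m and (best is None or version_key(m.group(2)) > best):
            best = version_key(m.group(2))
    return best


def unsafe_requirements(requirements, fixed=FIXED_VERSIONS):
    """Map name -> requirement for entries whose floor still admits a vulnerable version."""
    unsafe = {}
    for req in requirements:
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)", req)
        name, spec = normalize(m.group(1)), m.group(2)
        if name not in fixed:
            continue  # not one of the packages the advisory is about
        bound = lower_bound(spec)
        if bound is None or bound < version_key(fixed[name]):
            unsafe[name] = req
    return unsafe


if __name__ == "__main__":
    for label, extra in (("before", EXTRA_BEFORE), ("after", EXTRA_AFTER)):
        print(label, unsafe_requirements(extra) or "all floors exclude the vulnerable versions")
```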

@olivermeyer
Collaborator

@dependabot rebase

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 6, 2026

Looks like notebook is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this May 6, 2026
@dependabot dependabot Bot deleted the dependabot/uv/notebook-7.5.6 branch May 6, 2026 13:27
