Skip to content

Bump jupyter-server to 2.18.0 and pin root_dir#286

Merged
mishushakov merged 3 commits into
mainfrom
fix/jupyter-server-2.18-root-dir
Jun 3, 2026
Merged

Bump jupyter-server to 2.18.0 and pin root_dir#286
mishushakov merged 3 commits into
mainfrom
fix/jupyter-server-2.18-root-dir

Conversation

@mishushakov
Copy link
Copy Markdown
Member

@mishushakov mishushakov commented Jun 3, 2026

Supersedes #274 (dependabot bump of jupyter-server 2.16.0 → 2.18.0).

The straight dependency bump breaks the sandbox: jupyter-server 2.18.0 ships path-traversal hardening (CVE-2026-35397) that rejects session creation when the contents root resolves to / — which is the cwd of the systemd-launched process (jupyter.service has no WorkingDirectory). Every POST /api/sessions then fails with <uuid> is outside root contents directory and the server never serves.

This PR carries the same bump plus pins c.ServerApp.root_dir = "/home/user" in template/jupyter_server_config.py so sessions are created relative to the execution cwd.

Changes

  • Bump jupyter-server 2.16.0 → 2.18.0 (template/requirements.txt)
  • Pin root_dir to /home/user (template/jupyter_server_config.py)

🤖 Generated with Claude Code

dependabot Bot and others added 2 commits June 2, 2026 11:01
@dependabot
Bump jupyter-server in /template in the pip group across 1 directory
d156aee 
Bumps the pip group with 1 update in the /template directory: [jupyter-server](https://github.com/jupyter-server/jupyter_server).


Updates `jupyter-server` from 2.16.0 to 2.18.0
- [Release notes](https://github.com/jupyter-server/jupyter_server/releases)
- [Changelog](https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md)
- [Commits](jupyter-server/jupyter_server@v2.16.0...v2.18.0)

---
updated-dependencies:
- dependency-name: jupyter-server
  dependency-version: 2.18.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@mishushakov @claude
Pin jupyter-server root_dir for 2.18.0 path-traversal hardening
0ca1967 
jupyter-server 2.18.0 (CVE-2026-35397) rejects session creation when the
contents root resolves to "/", which is the systemd process cwd. Pin
root_dir to /home/user so POST /api/sessions succeeds.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@cla-bot cla-bot Bot added the cla-signed label Jun 3, 2026
@cursor
Copy link
Copy Markdown

cursor Bot commented Jun 3, 2026
edited
Loading

PR Summary

Medium Risk
Dependency upgrade plus a config fix on the Jupyter entrypoint; wrong root_dir would break all sessions, but the change is narrow and documented.

Overview
Upgrades jupyter-server from 2.16.0 to 2.18.0 and sets c.ServerApp.root_dir = "/home/user" in jupyter_server_config.py so sandbox session creation still works after 2.18.0’s path-traversal checks (CVE-2026-35397).

Without an explicit root, the server uses / as contents root under systemd (no WorkingDirectory), so relative session paths are rejected and POST /api/sessions fails. Pinning the root to /home/user aligns with where code runs.

Includes a patch changeset for @e2b/code-interpreter-template.

Reviewed by Cursor Bugbot for commit b6b644e. Bugbot is set up for automated code reviews on this repo. Configure here.

@mishushakov mishushakov mentioned this pull request Jun 3, 2026
Closed
claude[bot]
claude Bot reviewed Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — straightforward dep bump with a well-justified root_dir pin to /home/user (the established sandbox cwd).

Extended reasoning...

Overview

This PR bumps jupyter-server from 2.16.0 to 2.18.0 in template/requirements.txt and adds c.ServerApp.root_dir = "/home/user" to template/jupyter_server_config.py. The PR description explains the motivation clearly: 2.18.0 ships path-traversal hardening (CVE-2026-35397) that rejects session creation when the contents root resolves to /, which is the cwd of the systemd-launched process. Without the explicit pin, every POST /api/sessions would fail.

Security risks

None of concern. The change moves in the safer direction by picking up upstream security hardening. The pinned root_dir of /home/user is the well-established sandbox working directory — it is the user owned via chown -R user:user /home/user in template/template.py, the default cwd in template/server/api/models/create_context.py, and the cwd used throughout template/server/main.py and the test suite (python/tests/*/test_cwd.py, js/tests/cwd.test.ts).

Level of scrutiny

Low. The changes total two small edits in template/build configuration. The root_dir value matches the existing convention everywhere else in the codebase, and the dependency bump is a minor version update carrying a security fix. The detailed inline comment makes the intent obvious to future readers.

Other factors

No bugs were found by the bug hunting system. The PR supersedes a dependabot bump (#274) and explains why the straight bump alone is insufficient. No outstanding reviewer comments require addressing.

@mishushakov @claude
Add changeset for jupyter-server root_dir pin
b6b644e 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@mishushakov mishushakov enabled auto-merge (squash) June 3, 2026 14:54
@mishushakov mishushakov merged commit 6f7af58 into main Jun 3, 2026
16 checks passed
@mishushakov mishushakov deleted the fix/jupyter-server-2.18-root-dir branch June 3, 2026 15:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@jakubno jakubno jakubno approved these changes

@ValentaTomas ValentaTomas Awaiting requested review from ValentaTomas ValentaTomas is a code owner

Assignees

No one assigned

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mishushakov @jakubno