From d156aee9b4e794cca1eadb96cacf45558b17a071 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jun 2026 11:01:18 +0000 Subject: [PATCH 1/3] Bump jupyter-server in /template in the pip group across 1 directory Bumps the pip group with 1 update in the /template directory: [jupyter-server](https://github.com/jupyter-server/jupyter_server). Updates `jupyter-server` from 2.16.0 to 2.18.0 - [Release notes](https://github.com/jupyter-server/jupyter_server/releases) - [Changelog](https://github.com/jupyter-server/jupyter_server/blob/main/CHANGELOG.md) - [Commits](https://github.com/jupyter-server/jupyter_server/compare/v2.16.0...v2.18.0) --- updated-dependencies: - dependency-name: jupyter-server dependency-version: 2.18.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- template/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/requirements.txt b/template/requirements.txt index 7e7e47ea..3fbb9865 100644 --- a/template/requirements.txt +++ b/template/requirements.txt @@ -1,5 +1,5 @@ # Jupyter server requirements -jupyter-server==2.16.0 +jupyter-server==2.18.0 ipykernel==6.31.0 ipython==9.14.0 From 0ca1967537f6ac30a226632f37ceaee14d1affb3 Mon Sep 17 00:00:00 2001 From: Mish Ushakov <10400064+mishushakov@users.noreply.github.com> Date: Wed, 3 Jun 2026 16:39:29 +0200 Subject: [PATCH 2/3] Pin jupyter-server root_dir for 2.18.0 path-traversal hardening jupyter-server 2.18.0 (CVE-2026-35397) rejects session creation when the contents root resolves to "/", which is the systemd process cwd. Pin root_dir to /home/user so POST /api/sessions succeeds. Co-Authored-By: Claude Opus 4.8 --- template/jupyter_server_config.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/template/jupyter_server_config.py b/template/jupyter_server_config.py index 5400d8fe..663682cc 100644 --- a/template/jupyter_server_config.py +++ b/template/jupyter_server_config.py @@ -3,6 +3,19 @@ c = get_config() # noqa +# Pin the contents root directory. +# +# Sessions are created with a relative path (a bare uuid, see +# server/contexts.py). Without an explicit root_dir, jupyter-server +# inherits the process working directory as its root — which is "/" +# under systemd (jupyter.service has no WorkingDirectory). Since +# jupyter-server 2.18.0 (CVE-2026-35397 path-traversal hardening), a +# root_dir of "/" makes every POST /api/sessions fail with +# " is outside root contents directory", so the server never +# starts. Pinning it to /home/user matches the execution cwd. +c.ServerApp.root_dir = "/home/user" + + # Set the Access-Control-Allow-Origin header # # Use '*' to allow any origin to access your server. From b6b644e3fd769564f273dfcbd3ed6cef9df8a887 Mon Sep 17 00:00:00 2001 From: Mish Ushakov <10400064+mishushakov@users.noreply.github.com> Date: Wed, 3 Jun 2026 16:53:07 +0200 Subject: [PATCH 3/3] Add changeset for jupyter-server root_dir pin Co-Authored-By: Claude Opus 4.8 --- .changeset/cold-pillows-grow.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/cold-pillows-grow.md diff --git a/.changeset/cold-pillows-grow.md b/.changeset/cold-pillows-grow.md new file mode 100644 index 00000000..a60c8b88 --- /dev/null +++ b/.changeset/cold-pillows-grow.md @@ -0,0 +1,5 @@ +--- +"@e2b/code-interpreter-template": patch +--- + +Pin `jupyter-server` `root_dir` to `/home/user` so session creation keeps working with jupyter-server 2.18.0's path-traversal hardening