Summary
The software inventory is inconsistent across the parent chart, the pinned subchart, and the two custom images, and no workflow gates on advisory analysis, image scanning, SBOM policy, or a subchart/image compatibility matrix. The recent appVersion change did not resolve the underlying mismatch.
Severity: Medium · CWE-1104 (Use of Unmaintained Third-Party Components)
Validation: Confirmed against HEAD f932d80 on 2026-07-14 (partially changed since 69c84f7, see below).
Evidence
Version spread (all verified at HEAD):
- Parent
Chart.yaml:7 appVersion: "5.4.3" (was 1.0.0 at the assessed commit; commit 878db54 changed it). The deployed hub is the custom image, which pins JupyterHub ==5.1.0 (images/jupyterhub/pixi.toml:14), so appVersion: 5.4.3 still does not match the JupyterHub that actually runs.
- Locked z2jh subchart
4.3.2 (Chart.yaml:11, Chart.lock:4).
- Hub image: JupyterHub
5.1.0, KubeSpawner 6.2.0, jhub-apps pre-release 2026.5.1rc1 (images/jupyterhub/pixi.toml:14,15,32).
- User image: JupyterLab
4.2.5, JupyterHub 5.1.0, and a different jhub-apps release 2025.11.1 (images/jupyterlab/pixi.toml:18,21,81).
- The two jhub-apps releases force divergent transitive pins: hub sets
pyjwt >=2.10 while the user image sets pyjwt <2.10.0, each justified by its own jhub-apps version.
No workflow performs Python advisory analysis, final-image vulnerability scanning, SBOM generation, or subchart/image compatibility gating (same grep as H-06 returns nothing). test.yaml:27-29 pin-tests the hub contract but validates behavior, not advisories.
Impact
Without one authoritative bill of materials and a scan gate, unmaintained or vulnerable components can ship undetected, and the pre-release jhub-apps plus mismatched hub/user versions raise the chance of an untested combination reaching production.
Remediation
- Publish one exact bill of materials and define
appVersion semantics.
- Avoid pre-release components in production profiles.
- Run source and final-image scans and publish SBOMs and compatibility-test results.
- Define a maximum patch latency.
Acceptance criteria
Source: data-science-pack 0.1.0 security assessment (pinned commit 69c84f72df259ec755ed40bfc83f20158c550d55), finding M-06.
Summary
The software inventory is inconsistent across the parent chart, the pinned subchart, and the two custom images, and no workflow gates on advisory analysis, image scanning, SBOM policy, or a subchart/image compatibility matrix. The recent
appVersionchange did not resolve the underlying mismatch.Severity: Medium · CWE-1104 (Use of Unmaintained Third-Party Components)
Validation: Confirmed against HEAD
f932d80on 2026-07-14 (partially changed since69c84f7, see below).Evidence
Version spread (all verified at HEAD):
Chart.yaml:7appVersion: "5.4.3"(was1.0.0at the assessed commit; commit878db54changed it). The deployed hub is the custom image, which pins JupyterHub==5.1.0(images/jupyterhub/pixi.toml:14), soappVersion: 5.4.3still does not match the JupyterHub that actually runs.4.3.2(Chart.yaml:11,Chart.lock:4).5.1.0, KubeSpawner6.2.0, jhub-apps pre-release2026.5.1rc1(images/jupyterhub/pixi.toml:14,15,32).4.2.5, JupyterHub5.1.0, and a different jhub-apps release2025.11.1(images/jupyterlab/pixi.toml:18,21,81).pyjwt >=2.10while the user image setspyjwt <2.10.0, each justified by its own jhub-apps version.No workflow performs Python advisory analysis, final-image vulnerability scanning, SBOM generation, or subchart/image compatibility gating (same grep as H-06 returns nothing).
test.yaml:27-29pin-tests the hub contract but validates behavior, not advisories.Impact
Without one authoritative bill of materials and a scan gate, unmaintained or vulnerable components can ship undetected, and the pre-release jhub-apps plus mismatched hub/user versions raise the chance of an untested combination reaching production.
Remediation
appVersionsemantics.Acceptance criteria
Source: data-science-pack 0.1.0 security assessment (pinned commit
69c84f72df259ec755ed40bfc83f20158c550d55), finding M-06.