
Fix high-severity Dependabot security alerts in requirements.txt #5

Merged
ehabets merged 2 commits into master from copilot/resolve-dependabot-alerts
Feb 25, 2026


Copilot AI commented Feb 25, 2026

Two HIGH-severity vulnerabilities affecting Windows users were flagged in pinned dependencies. Both involve unintended information/code exposure via path handling on Windows.

Changes

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.osv.dev
    • Triggering command: `/usr/bin/python3 python3 -c
      import json, urllib.request

packages = [
('anyio', '3.7.0'),
('notebook', '6.5.4'),
('Jinja2', '3.1.6'),
('tornado', '6.5.1'),
('jupyter_server', '2.6.0'),
('nbconvert', '7.6.0'),
('idna', '3.7'),
('numpy', '1.25.0'),` (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Resolve Dependabot alerts and prepare PRs.



Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.



- Update jupyter_server from 2.6.0 to 2.14.1 to fix GHSA-hrw6-wg82-cm62
  (CVE-2024-35178): Jupyter server on Windows discloses Windows user
  password hash (HIGH severity)
- Update nbconvert from 7.6.0 to 7.17.0 to fix GHSA-xm59-rqc7-hhvf
  (CVE-2025-53000): nbconvert has an uncontrolled search path that leads
  to unauthorized code execution on Windows (HIGH severity)

Co-authored-by: ehabets <16623921+ehabets@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Resolve Dependabot alerts and prepare pull requests" to "Fix high-severity Dependabot security alerts in requirements.txt" Feb 25, 2026
Copilot AI requested a review from ehabets February 25, 2026 08:06
@ehabets ehabets marked this pull request as ready for review February 25, 2026 14:08
@ehabets ehabets merged commit dcb9158 into master Feb 25, 2026
2 checks passed
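
A regression guard for the two pins this PR raised, as an added example that is not part of the pull request or the repository: it reports any `requirements.txt` entry for jupyter_server or nbconvert that sits below the versions named in the commit message. The function names and the sample requirements text are constructed for illustration, and only plain `==` pins with numeric versions are compared; anything else for a watched package is reported as unverifiable.

```python
import re

# Floors are the versions this PR moved to, copied from its commit message.
FIXED_FLOORS = {
    "jupyter-server": ("2.14.1", "GHSA-hrw6-wg82-cm62 / CVE-2024-35178"),
    "nbconvert": ("7.17.0", "GHSA-xm59-rqc7-hhvf / CVE-2025-53000"),
}
PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:;.*)?$")

# Constructed sample: the pre-PR pins named on the page, in a made-up file layout.
SAMPLE_BEFORE = "anyio==3.7.0\njupyter_server==2.6.0\nnbconvert==7.6.0  # old pin\n"


def normalize(name):
    """PEP 503 name normalization, so jupyter_server and Jupyter-Server match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release(version):
    """Turn '2.14.1' into a comparable tuple; trailing zeros dropped so 7.17 == 7.17.0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def find_regressions(requirements_text):
    """Return (package, pinned, floor, advisory) for each watched pin below its floor.

    pinned is None when a watched package is listed without a plain numeric == pin.
    """
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("-"):         # skip blanks and pip options
            continue
        match = PIN_RE.match(line)
        bare = match.group(1) if match else re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0]
        name = normalize(bare)
        if name not in FIXED_FLOORS:
            continue
        floor, advisory = FIXED_FLOORS[name]
        pinned = match.group(2) if match else None
        if pinned is None or release(pinned) < release(floor):
            findings.append((name, pinned, floor, advisory))
    return findings


if __name__ == "__main__":
    for name, pinned, floor, advisory in find_regressions(SAMPLE_BEFORE):
        print(f"{name}: pinned {pinned}, needs >= {floor} ({advisory})")
```
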
3 participants