Commit graph

17 commits

Author SHA1 Message Date
adam
4cd3075626 py-notebook: updated to 6.0.2
6.0.2
- Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358)
- Update CodeMirror to version 5.48.4 to fix Python formatting issues
- Continue removing obsolete Python 2.x code/dependencies
- Multiple documentation updates
2019-11-08 13:15:37 +00:00
adam
dafbf9de71 py-notebook: updated to 6.0.1
6.0.1

- Attempt to re-establish websocket connection to Gateway
- Add missing react-dom js to package data

6.0

This is the first major release of the Jupyter Notebook since version 5.0 (March 2017).

We encourage users to start trying JupyterLab, which has just announced its 1.0 release in preparation
for a future transition.

- Remove Python 2.x support in favor of Python 3.5 and higher.
- Multiple accessibility enhancements and bug-fixes.
- Multiple translation enhancements and bug-fixes.
- Remove deprecated ANSI CSS styles.
- Native support to forward requests to Jupyter Gateway(s) (Embedded NB2KG).
- Use JavaScript to redirect users to notebook homepage.
- Enhanced SSL/TLS security by using PROTOCOL_TLS which selects the highest ssl/tls
  protocol version available that both the client and server support. When PROTOCOL_TLS
  is not available use PROTOCOL_SSLv23.
- Add ?no_track_activity=1 argument to allow API requests
  to not be registered as activity (e.g. API calls by external activity monitors).
- Kernels shutting down due to an idle timeout is no longer considered
  an activity-updating event.
- Further improve compatibility with tornado 6 with improved
  checks for when websockets are closed.
- Launch the browser with a local file which redirects to the server address including
  the authentication token. This prevents another logged-in user from stealing the token
  from command line arguments and authenticating to the server.
  The single-use token previously used to mitigate this has been removed.
  Thanks to Dr. Owain Kenway for suggesting the local file approach.
- Respect nbconvert entrypoints as sources for exporters
- Update CodeMirror to 5.37, which includes f-string syntax for Python 3.6.
- Update jquery-ui to 1.12
- Execute cells by clicking icon in input prompt.
- New "Save as" menu option.
- When serving on a loopback interface, protect against DNS rebinding by
  checking the Host header from the browser.
  This check can be disabled if necessary by setting
  NotebookApp.allow_remote_access.
  (Disabled by default while we work out some Mac issues in :ghissue:3754).
- Add kernel_info_timeout traitlet to enable restarting slow kernels.
- Add custom_display_host config option to override displayed URL.
- Add /metrics endpoint for Prometheus Metrics.
- Optimize large file uploads.
- Allow access control headers to be overridden in jupyter_notebook_config.py to support
  greater CORS and proxy configuration flexibility.
- Add support for terminals on windows.
- Add a "restart and run all" button to the toolbar.
- Frontend/extension-config: allow default json files in a .d directory.
- Allow setting token via jupyter_token env.
- Cull idle kernels using --MappingKernelManager.cull_idle_timeout.
- Allow read-only notebooks to be trusted.
- Convert JS tests to Selenium.


Security Fixes included in previous minor releases of Jupyter Notebook and also included in version 6.0.

- Fix Open Redirect vulnerability (CVE-2019-10255)
  where certain malicious URLs could redirect from the Jupyter login page
  to a malicious site after a successful login.

- Contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019-9644),
  where files at a known URL could be included in a page from an unauthorized website if
  the user is logged into a Jupyter server. The fix involves setting the
  X-Content-Type-Options: nosniff header, and applying CSRF checks previously on all
  non-GET API requests to GET requests to API endpoints and the /files/ endpoint.

- Check Host header to more securely protect localhost deployments from DNS rebinding.
  This is a pre-emptive measure, not fixing a known vulnerability.
  Use .NotebookApp.allow_remote_access and .NotebookApp.local_hostnames to configure
  access.

- Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been
  assigned CVE-2018-14041 <https://nvd.nist.gov/vuln/detail/CVE-2018-14041>_.

- Contains a security fix preventing malicious directory names
  from being able to execute javascript.

- Contains a security fix preventing nbconvert endpoints from executing javascript with
  access to the server API. CVE request pending.
2019-08-22 08:23:27 +00:00
nia
807f71704b Use https for jupyter.org. 2019-07-22 08:42:49 +00:00
adam
223ca9adc1 py-notebook: updated to 5.7.8
5.7.8
- Fix regression in restarting kernels in 5.7.5.
  The restart handler would return before restart was completed.
- Further improve compatibility with tornado 6 with improved
  checks for when websockets are closed.
- Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type.
- Fix Open Redirect vulnerability (CVE-2019-10255)
  where certain malicious URLs could redirect from the Jupyter login page
  to a malicious site after a successful login.
  5.7.7 contained only a partial fix for this issue.
2019-04-25 13:19:48 +00:00
adam
8cdc9ae70e py-notebook: updated to 5.7.6
5.7.6
5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability,
where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server.
The fix involves setting the X-Content-Type-Options: nosniff
header, and applying CSRF checks previously on all non-GET
API requests to GET requests to API endpoints and the /files/ endpoint.

The attacking page is able to access some contents of files when using Internet Explorer through script errors,
but this has not been demonstrated with other browsers.
A CVE has been requested for this vulnerability.

5.7.5
- Fix compatibility with tornado 6
- Fix opening integer file descriptor during startup on Python 2
- Fix compatibility with asynchronous KernelManager.restart_kernel methods
2019-03-22 17:55:05 +00:00
markd
aacdb3bfc5 py-notebook: add dependency on py-prometheus_client 2019-01-08 10:49:30 +00:00
adam
df6a321966 py-notebook: updated to 5.7.4
5.7.4 fixes a bug introduced in 5.7.3, in which the list_running_servers()
function attempts to parse HTML files as JSON, and consequently crashes.

5.7.3 contains one security improvement and one security fix:
- Launch the browser with a local file which redirects to the server address
  including the authentication token.
  This prevents another logged-in user from stealing the token from command line
  arguments and authenticating to the server.
  The single-use token previously used to mitigate this has been removed.
  Thanks to Dr. Owain Kenway for suggesting the local file approach.
- Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been
  assigned CVE-2018-14041
2019-01-02 15:32:41 +00:00
adam
f4ab1ce0c3 py-notebook: mark as incompatible with Python 2.7 2018-11-30 09:53:33 +00:00
adam
a53d4c8bb8 py-notebook: updated to 5.7.2
5.7.2
5.7.2 contains a security fix preventing malicious directory names
from being able to execute javascript. CVE request pending.

5.7.1
5.7.1 contains a security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending.

5.7.0
New features:
- Update CodeMirror to 5.37, which includes f-string syntax for Python 3.6
- Update jquery-ui to 1.12
- Check Host header to more securely protect localhost deployments from DNS rebinding.
  This is a pre-emptive measure, not fixing a known vulnerability.
  Use .NotebookApp.allow_remote_access and .NotebookApp.local_hostnames to configure
  access.
- Allow access-control-allow-headers to be overridden
- Allow configuring max_body_size and max_buffer_size
- Allow configuring get_secure_cookie keyword-args
- Respect nbconvert entrypoints as sources for exporters
- Include translation sources in source distributions
- Various improvements to documentation

Fixing problems:
- Fix breadcrumb link when running with a base url
- Fix possible type error when closing activity stream
- Disable metadata editing for non-editable cells
- Fix some styling and alignment of prompts caused by regressions in 5.6.0.
- Enter causing page reload in shortcuts editor
- Fix uploading to the same file twice
2018-11-29 18:34:12 +00:00
minskim
78ee7215b8 www/py-notebook: Use PLIST.py3x instead of defining new one
Suggested by leot@.
2018-05-11 19:46:36 +00:00
minskim
a65af6b51c www/py-notebook: Fix PLIST with python27 2018-05-11 19:24:58 +00:00
adam
10d15e2977 py-notebook: updated to 5.5.0
5.5.0

New features:
The files list now shows file sizes
Add a quit button in the dashboard
Display hostname in the terminal when running remotely
Add slides exportation/download to the menu
Add any extra installed nbconvert exporters to the “Download as” menu
Editor: warning when overwriting a file that is modified on disk
Display a warning message if cookies are not enabled
Basic __version__ reporting for extensions
Add NotebookApp.terminals_enabled config option
Make buffer time between last modified on disk and last modified on last save configurable
Allow binding custom shortcuts for ‘close and halt’
Add description for ‘Trusted’ notification
Add settings['activity_sources']
Add an output_updated.OutputArea event

Fixing problems:
Fixes to improve web accessibility
Fixed color contrast issue in tree.less
Allow cancelling upload of large files
Don’t clear login cookie on requests without cookie
Don’t trash files on different device to home dir on Linux
Clear waiting asterisks when restarting kernel
Fix output prompt when execution_count missing
Make the ‘changed on disk’ dialog work when displayed twice
Fix going back to root directory with history in notebook list
Allow defining keyboard shortcuts for missing actions
Prevent default on pageup/pagedown when completer is active
Prevent default event handling on new terminal
ConfigManager should not write out default values found in the .d directory
Fix leak of iopub object in activity monitoring
Javascript lint in notebooklist.js
Some Javascript syntax fixes
Convert native for loop to Array.forEach()
Disable cache when downloading nbconvert output
Add missing digestmod arg to HMAC
Log OSErrors failing to create less-critical files during startup
Use powershell on Windows
API spec improvements, API handler improvements
Set notebook to dirty state after change to kernel metadata
Use CSP header to treat served files as belonging to a separate origin
Don’t install gettext into builtins
Add missing import _
Write notebook.json file atomically
Fix clicking with modifiers, page title updates
Upgrade jQuery to version 2.2
Upgrade xterm.js to 3.1.0
Upgrade moment.js to 2.19.3
Upgrade CodeMirror to 5.35
“Require” pyzmq>=17
2018-05-11 10:09:55 +00:00
adam
012df2fb94 py-notebook: updated to 5.4.1
5.4.1
A security release to fix CVE-2018-8768.

5.4.0
Fix creating files and folders after navigating directories in the dashboard
Enable printing notebooks in colour, removing the CSS that made everything black and white
Limit the completion options displayed in the notebook to 1000, to avoid performance issues with very long lists
Accessibility improvements in tree.html
Added alt-text to the kernel logo image in the notebook UI
Added a test on Travis CI to flag if symlinks are accidentally introduced in the future. This should prevent the issue that necessitated :ref:release-5.3.1
Use lowercase letters for random IDs generated in our Javascript
Removed duplicate code setting TextCell.notebook
2018-04-06 20:21:57 +00:00
adam
58d9405d20 py-notebook: updated to 5.2.2
5.2.2
- set cookie on base_urls
2017-11-29 09:14:22 +00:00
adam
20edd0feb7 py-notebook: updated to 5.2.1
5.2.1
Add more border width to codemirror cursor.
Fix nbconvert handler.
Fix the prompt_area argument of the output area constructor.
Handle a compound extension in new_untitled.
Allow disabling offline message buffering
2017-11-06 12:22:42 +00:00
adam
b194a75c31 py-notebook: update to 5.2.0
5.2.0
Allow setting token via jupyter_token env.
Fix some errors caused by raising 403 in get_current_user.
Register contents_manager.files_handler_class directly.
Ensure that keyboard shortcuts are disabled when editing them.
Make all files in the dashboard editable by default and provide a whitelist of viewable file extensions.
The root directory of the notebook server should never be hidden.
Fix notebook require config to match tools/build-main.
Give page constructor default arguments.
Fix codemirror.less to match codemirror's expected padding layout.
Add x-xsrftoken to access-control-allow-headers.
Buffer messages when websocket connection is interrupted.
Load locale dynamically only when not en-us.
Changed key strength to 2048 bits.
Resync jsversion with python version.
Allow copy operation on modified, read-only notebook.
Update error handling on apihandlers.
Test python 3.6 on travis, drop 3.3.
Avoid base64-literals in image tests.
Upgrade xterm.js to 2.9.2.
Changed all python variables named file to file_name to not override built_in file.
Add more doc tests.
Typos fix.
Rename and update license.
Travis builds doc.
Pull request i18n.
Factor out output_prompt_function, as is done with input prompt.
Use rfc5987 encoding for filenames.
Added path to the resources metadata, the same as in from_filename(...) in nbconvert.exporters.py.
Make "extrakeys" consistent for notebook and editor.
Bidi support.
2017-10-18 08:29:27 +00:00
markd
1a6ebdbcb7 Add py-notebook 5.0.0rc2
The Jupyter Notebook is a web application that allows you to create
and share documents that contain live code, equations, visualizations,
and explanatory text. The Notebook has support for multiple
programming languages, sharing, and interactive widgets.
2017-04-23 05:23:27 +00:00