pkgsrc/www/py-notebook/distinfo
adam dafbf9de71 py-notebook: updated to 6.0.1
6.0.1

- Attempt to re-establish websocket connection to Gateway
- Add missing react-dom js to package data

6.0

This is the first major release of the Jupyter Notebook since version 5.0 (March 2017).

We encourage users to start trying JupyterLab, which has just announced its 1.0 release in preparation
for a future transition.

- Remove Python 2.x support in favor of Python 3.5 and higher.
- Multiple accessibility enhancements and bug-fixes.
- Multiple translation enhancements and bug-fixes.
- Remove deprecated ANSI CSS styles.
- Native support to forward requests to Jupyter Gateway(s) (Embedded NB2KG).
- Use JavaScript to redirect users to notebook homepage.
- Enhanced SSL/TLS security by using PROTOCOL_TLS which selects the highest ssl/tls
  protocol version available that both the client and server support. When PROTOCOL_TLS
  is not available use PROTOCOL_SSLv23.
- Add ?no_track_activity=1 argument to allow API requests
  to not be registered as activity (e.g. API calls by external activity monitors).
- Kernels shutting down due to an idle timeout is no longer considered
  an activity-updating event.
- Further improve compatibility with tornado 6 with improved
  checks for when websockets are closed.
- Launch the browser with a local file which redirects to the server address including
  the authentication token. This prevents another logged-in user from stealing the token
  from command line arguments and authenticating to the server.
  The single-use token previously used to mitigate this has been removed.
  Thanks to Dr. Owain Kenway for suggesting the local file approach.
- Respect nbconvert entrypoints as sources for exporters
- Update CodeMirror to 5.37, which includes f-string syntax for Python 3.6.
- Update jquery-ui to 1.12
- Execute cells by clicking icon in input prompt.
- New "Save as" menu option.
- When serving on a loopback interface, protect against DNS rebinding by
  checking the Host header from the browser.
  This check can be disabled if necessary by setting
  NotebookApp.allow_remote_access.
  (Disabled by default while we work out some Mac issues in :ghissue:3754).
- Add kernel_info_timeout traitlet to enable restarting slow kernels.
- Add custom_display_host config option to override displayed URL.
- Add /metrics endpoint for Prometheus Metrics.
- Optimize large file uploads.
- Allow access control headers to be overridden in jupyter_notebook_config.py to support
  greater CORS and proxy configuration flexibility.
- Add support for terminals on windows.
- Add a "restart and run all" button to the toolbar.
- Frontend/extension-config: allow default json files in a .d directory.
- Allow setting token via jupyter_token env.
- Cull idle kernels using --MappingKernelManager.cull_idle_timeout.
- Allow read-only notebooks to be trusted.
- Convert JS tests to Selenium.


Security Fixes included in previous minor releases of Jupyter Notebook and also included in version 6.0.

- Fix Open Redirect vulnerability (CVE-2019-10255)
  where certain malicious URLs could redirect from the Jupyter login page
  to a malicious site after a successful login.

- Contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019-9644),
  where files at a known URL could be included in a page from an unauthorized website if
  the user is logged into a Jupyter server. The fix involves setting the
  X-Content-Type-Options: nosniff header, and applying CSRF checks previously on all
  non-GET API requests to GET requests to API endpoints and the /files/ endpoint.

- Check Host header to more securely protect localhost deployments from DNS rebinding.
  This is a pre-emptive measure, not fixing a known vulnerability.
  Use .NotebookApp.allow_remote_access and .NotebookApp.local_hostnames to configure
  access.

- Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been
  assigned CVE-2018-14041 <https://nvd.nist.gov/vuln/detail/CVE-2018-14041>_.

- Contains a security fix preventing malicious directory names
  from being able to execute javascript.

- Contains a security fix preventing nbconvert endpoints from executing javascript with
  access to the server API. CVE request pending.
2019-08-22 08:23:27 +00:00
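
The Host header check that the release notes above describe for loopback deployments, as an added Python sketch (not the notebook project's own code). The names `host_is_local` and `DEFAULT_LOCAL_HOSTNAMES` are hypothetical, the parameters only mirror the idea of `NotebookApp.allow_remote_access` and `NotebookApp.local_hostnames`, and the sample Host values are constructed.

```python
import ipaddress
import re

# Assumed default list, standing in for NotebookApp.local_hostnames.
DEFAULT_LOCAL_HOSTNAMES = ("localhost",)

# Host header: a name, an IPv4 literal or a bracketed IPv6 literal, optional port.
_HOST_RE = re.compile(r"^(?P<host>\[[^\]]+\]|[^:\[\]]*)(?::(?P<port>\d{1,5}))?$")


def host_is_local(host_header, local_hostnames=DEFAULT_LOCAL_HOSTNAMES,
                  allow_remote_access=False):
    """Return True if a request carrying this Host header should be served."""
    if allow_remote_access:
        return True                      # operator has disabled the check
    if not host_header:
        return False                     # missing Host header: fail closed
    match = _HOST_RE.match(host_header.strip())
    if match is None:
        return False                     # malformed value: fail closed
    host = match.group("host")
    if host.startswith("["):
        host = host[1:-1]                # strip IPv6 brackets
    host = host.rstrip(".").lower()      # "LocalHost." names the same host
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only explicitly listed names are accepted.
        # A rebinding page keeps its own name in Host even after its DNS
        # record has been switched to 127.0.0.1, so it is rejected here.
        return host in {name.lower() for name in local_hostnames}
    return addr.is_loopback


def rejected_hosts(host_headers, **kwargs):
    """Return the Host values from a batch that the check would refuse."""
    return [h for h in host_headers if not host_is_local(h, **kwargs)]


if __name__ == "__main__":
    # Constructed sample Host headers, as a browser would send them.
    samples = ["localhost:8888", "127.0.0.1:8888", "[::1]:8888",
               "rebind.attacker.example:8888", "192.168.1.10:8888", ""]
    for value in rejected_hosts(samples):
        print("403 for Host: %r" % value)
```
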

6 lines
411 B
Text

$NetBSD: distinfo,v 1.11 2019/08/22 08:23:27 adam Exp $
SHA1 (notebook-6.0.1.tar.gz) = b9e62e669c28c318e0fec6c7ea4cb52de7e06232
RMD160 (notebook-6.0.1.tar.gz) = 9c661bb817d2186e37bd27ca2acb8ec5c4699935
SHA512 (notebook-6.0.1.tar.gz) = d159bd95148661ca1a1063eff8c51047a0024bc320dacf00d88cc01f90cb1e6e607ea4ae41ed6938f770b294e9bcae0b24387d48c5c005822443979f88378aa9
Size (notebook-6.0.1.tar.gz) = 13419800 bytes