Bump the uv group across 1 directory with 4 updates

[dependabot]

Warning

Dependabot will stop supporting python v3.9!

Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Bumps the uv group with 3 updates in the / directory: jupyter-server, nbconvert and notebook.

Updates jupyter-server from 1.15.6 to 2.20.0

Release notes

Sourced from jupyter-server's releases.

v2.20.0

2.20.0

(Full Changelog)

Security fixes

• CVE-2026-44727 GHSA-fcw5-x6j4-ccmp

Enhancements made

• Fix confusing terminal output when using ServerApp.ip=0.0.0.0 #1643 (@​Yann-P, @​minrk)
• Add a toggle to enable curve encryption for all kernels that support it #1638 (@​krassowski, @​Carreau, @​ianthomas23, @​minrk)

Bugs fixed

• Grab the port from bind_sockets in case its different #1651 (@​choldgraf, @​krassowski)

Maintenance and upkeep improvements

• Fix test_authorizer having a spurious comma in params #1664 (@​krassowski)
• Add a reminder to merge GHSA before release #1659 (@​Yann-P, @​Carreau)
• Exclude problematic pywinpty 3.0.4 version #1658 (@​krassowski)
• ci: explicitly pass base-setup inputs to fix strict validation failures #1626 (@​Carreau, @​Copilot)

Documentation improvements

• Align docs for curve encryption with latest JEP version #1660 (@​krassowski, @​Carreau)
• Remove PGP key from docs #1653 (@​Yann-P, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​choldgraf (activity) | @​Copilot (activity) | @​ianthomas23 (activity) | @​krassowski (activity) | @​minrk (activity) | @​Yann-P (activity)

v2.19.0

2.19.0

(Full Changelog)

Enhancements made

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.20.0

(Full Changelog)

Enhancements made

• Fix confusing terminal output when using ServerApp.ip=0.0.0.0 #1643 (@​Yann-P, @​minrk)
• Add a toggle to enable curve encryption for all kernels that support it #1638 (@​krassowski, @​Carreau, @​ianthomas23, @​minrk)

Bugs fixed

• Grab the port from bind_sockets in case its different #1651 (@​choldgraf, @​krassowski)

Maintenance and upkeep improvements

• Fix test_authorizer having a spurious comma in params #1664 (@​krassowski)
• Add a reminder to merge GHSA before release #1659 (@​Yann-P, @​Carreau)
• Exclude problematic pywinpty 3.0.4 version #1658 (@​krassowski)
• ci: explicitly pass base-setup inputs to fix strict validation failures #1626 (@​Carreau, @​Copilot)

Documentation improvements

• Align docs for curve encryption with latest JEP version #1660 (@​krassowski, @​Carreau)
• Remove PGP key from docs #1653 (@​Yann-P, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​choldgraf (activity) | @​Copilot (activity) | @​ianthomas23 (activity) | @​krassowski (activity) | @​minrk (activity) | @​Yann-P (activity)

2.19.0

(Full Changelog)

Enhancements made

• Return unresolved stanza when kernel scope is unavailable for resolvePath (instead of failing with 404) #1641 (@​MUFFANUJ, @​Carreau, @​krassowski)

Bugs fixed

• Recreate notary store on failure to prevent save deadlock and data loss #1640 (@​krassowski, @​Carreau)

Maintenance and upkeep improvements

... (truncated)

Commits

• 05a78ad Publish 2.20.0
• 6cbee8d Merge commit from fork
• 333e700 Fix test_authorizer having a spurious comma in params (#1664)
• cccd543 Fix CI: explicitly pass base-setup inputs to avoid strict validation failures
• cd16d71 Align docs for curve encryption with latest JEP version (#1660)
• e458061 Add a toggle to enable curve encryption for all kernels that support it (#1638)
• 0ceeb4f Add note in RELEASE.md
• b13f8a2 Markdown does not work.
• e885b10 Add GHSA reminder in prep-release
• 0e28c90 Exclude problematic pywinpty 3.0.4 version (#1658)
• Additional commits viewable in compare view

Updates jupyterlab from 3.3.4 to 2.3.2

Commits

• 4e21b13 New version
• c0022ab update canvas version to allow build
• 7546105 Merge pull request from GHSA-4952-p58q-6crx
• b991019 Backport PR #10353: Fix codemirror options updating (#10362)
• 77f544f Merge pull request #10229 from goanpeca/fix/css
• 0f52afe test
• d0a2775 test
• c49e49f Revert display block back to flex to fix cell width and input prompt location
• 238ae64 Use getattr for optional attributes (#10064)
• 8291cc1 Publish 2.3.1
• Additional commits viewable in compare view

Updates nbconvert from 4.3.0 to 7.17.1

Release notes

Sourced from nbconvert's releases.

v7.17.1

7.17.1

This is a security release, fixing two CVEs:

• CVE-2026-39377
• CVE-2026-39378

(full advisories will be published seven days after release, on 2026-04-14).

(Full Changelog)

Enhancements made

• Allow configureable WebPDF JavaScript processing timeout #2250 (@​timkpaine, @​Carreau)

Bugs fixed

• Fix PermissionError when checking template paths on shared filesystems #2252 (@​ctcjab, @​krassowski)
• Tweak webpdf template logic to fix duplicate extension problem #2249 (@​timkpaine, @​Carreau)

Maintenance and upkeep improvements

• specify python version for pre #2276 (@​minrk, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​akhmerov (activity) | @​bollwyvl (activity) | @​Carreau (activity) | @​ctcjab (activity) | @​davidbrochart (activity) | @​Ken-B (activity) | @​krassowski (activity) | @​mgeier (activity) | @​minrk (activity) | @​mpacer (activity) | @​MSeal (activity) | @​SylvainCorlay (activity) | @​takluyver (activity) | @​timkpaine (activity)

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)

... (truncated)

Changelog

Sourced from nbconvert's changelog.

7.17.1

This is a security release, fixing two CVEs:

• CVE-2026-39377
• CVE-2026-39378

(full advisories will be published seven days after release, on 2026-04-14).

(Full Changelog)

Enhancements made

• Allow configureable WebPDF JavaScript processing timeout #2250 (@​timkpaine, @​Carreau)

Bugs fixed

• Fix PermissionError when checking template paths on shared filesystems #2252 (@​ctcjab, @​krassowski)
• Tweak webpdf template logic to fix duplicate extension problem #2249 (@​timkpaine, @​Carreau)

Maintenance and upkeep improvements

• specify python version for pre #2276 (@​minrk, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​akhmerov (activity) | @​bollwyvl (activity) | @​Carreau (activity) | @​ctcjab (activity) | @​davidbrochart (activity) | @​Ken-B (activity) | @​krassowski (activity) | @​mgeier (activity) | @​minrk (activity) | @​mpacer (activity) | @​MSeal (activity) | @​SylvainCorlay (activity) | @​takluyver (activity) | @​timkpaine (activity)

7.17.0

(Full Changelog)

Enhancements made

• Add support for arbitrary browser arguments #2227 (@​shreve, @​Carreau, @​krassowski)

Bugs fixed

• Fix QtPNGExporter returning empty bytes on macOS #2264 (@​h3pdesign, @​Carreau, @​QuLogic)
• Fix CVE-2025-53000: Secure Inkscape Windows path (registry first + block CWD) #2261 (@​h3pdesign, @​krassowski, @​mberlanda, @​minrk, @​salmankadaya, @​th3gowtham)
• Fix get_export_names and get_exporter default args #2228 (@​shreve, @​krassowski)
• PyPA-Compliant Summary #2226 (@​hackowitz-af, @​Carreau)

... (truncated)

Commits

• 78ed308 Publish 7.17.1
• f090a64 ruff format
• b3b6ec0 chore: update pre-commit hooks (#2277)
• be4841f ignore silly security lint in tests
• 26d57b2 fix type annotation on Lexer
• 0e6b8cc Merge commit from fork
• ba5e5cd Merge commit from fork
• 1db0c88 Specify python version for pre (#2276)
• 7473fc3 chore: update pre-commit hooks (#2242)
• 4322f7f Bump the actions group across 1 directory with 2 updates (#2273)
• Additional commits viewable in compare view

Updates notebook from 6.4.8 to 6.4.12

Changelog

Sourced from notebook's changelog.

Changelog

A summary of changes in the Jupyter notebook. For more detailed information, see GitHub.

Use pip install notebook --upgrade or conda upgrade notebook to upgrade to the latest release.

We strongly recommend that you upgrade pip to version 9+ of pip before upgrading notebook.

Use pip install pip --upgrade to upgrade pip. Check pip version with pip --version.

7.6

Jupyter Notebook 7.6 is based on JupyterLab 4.6, and includes a number of new features, bug fixes, and enhancements for extension developers. This release is compatible with extensions supporting JupyterLab 4.0. Extension authors are recommended to consult the Extension Migration Guide which lists deprecations and changes to the public API.

Below are a few highlights for this new release. Most of the new features and improvements come from the update to JupyterLab 4.6, although they may not all be supported in Notebook 7.6.

For reference you may have a look at the JupyterLab 4.6 changelog to learn more.

Scratchpad console

A scratchpad console can now be opened next to a notebook, sharing the same kernel. This makes it easy to run quick experiments or inspect variables without modifying the notebook itself.

The scratchpad console can be opened from the File -> New -> Scratchpad console menu, from the command palette, or with the Ctrl + B (or Cmd + B on macOS) keyboard shortcut, which toggles the console panel.

Confirmation dialog when closing and shutting down a notebook

The "Close and Shut Down Notebook" command now asks for confirmation before closing the browser tab and shutting down the kernel. The confirmation prompt can be disabled in the Settings Editor with the "Prompt for confirmation before closing and shutting down" setting.

Notebook improvements

• The cell toolbar delete button now shows a confirmation dialog to prevent accidental deletion. The "Do not ask me again" preference is persisted in the Cell Toolbar settings. The D, D keyboard shortcut is unaffected.
• A new "Paste code cells without output" setting strips outputs and execution counts from code cells when pasting, producing clean cells without outputs which may be stale or untrusted.
• Copy, cut, and paste text commands have been added to the notebook context menu. This feature requires permission to access the clipboard and may not work in Firefox depending on version and additional restrictions.
• Two new navigation commands, "Select Last Modified Cell" and "Select Next Modified Cell", allow jumping back and forward through recently edited cells. They are available from the command palette and as buttons in the Table of Contents toolbar.
• Pressing Ctrl + B (or Cmd + B on macOS) while editing a Markdown cell wraps the selected text in bold formatting.
• When exporting a notebook as HTML via File -> Save and Export Notebook As -> HTML, a dialog now asks whether to sanitize the HTML output before download.

File browser enhancements

... (truncated)

Commits

• aee4535 Release 6.4.12
• a161ffa Merge pull request from GHSA-v7vq-3x77-87vg
• b79702c updated error messages to not mention hidden files
• cb3dc22 Update notebook/services/contents/filemanager.py
• 1c3d7a6 added hidden checks on handlers.py and accompanying tests
• f69eb96 added hidden checks on FileContentsManager and accompanying tests
• 2a76184 add checks for hidden file or path on file get
• 920c5cc Merge pull request #6421 from RRosio/update-version
• d4eb85d updating version to show dev
• 8109251 Publish 6.4.11
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

This PR is auto-generated by
actions/github-script

[github-actions]

Package	Line Rate	Health
.	94%	✔
commands	56%	❌
Summary	88% (287 / 327)	✔

[github-actions]

Package	Line Rate	Health
.	94%	✔
commands	56%	❌
Summary	88% (287 / 327)	✔

[github-actions]

Package	Line Rate	Health
.	94%	✔
commands	56%	❌
Summary	88% (285 / 325)	✔