jupyter / security

BSD 3-Clause "New" or "Revised" License

Vulnerability issues #35

Open viniciusdc opened 2 years ago

viniciusdc commented 2 years ago

Greetings, recently we ran a security check (Trivy) on our installed Jupyter image (jupyterhub==1.5.0) and spotted the following vulnerability, and looking over the discussion in #9 I thought it was worth mentioning it here:

Vulnerability: CVE-2022-24785
Package: moment
Installed Version: 2.29.1
Fixed Version: 2.29.2
Severity: HIGH
Link: CVE-2022-24785

Maybe relevant: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4. Found in opt/conda/share/jupyterhub/static/components/moment/package.json:1. Thanks in advance.

Carreau commented 2 years ago

Hi there, as far as I can tell this should not be an issue for JupyterHub, as moment.js is used only on the client side.

CVE-2022-24785 says:

This vulnerability impacts npm (server) users of moment.js,

and you can see this is not used on the server, as the path where this is found is .../static/... and JupyterHub is (mostly) written in Python.

We can still open an issue on JupyterHub to make sure they bump the minimal version.

Also, in general, if you have doubts or want to talk about a security issue, you should write to security@ipython.org, which we monitor more closely; discussions there will be private.
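The triage argument above (a scanner hit under static/ is a browser-served asset, not code the Python server process loads) is the kind of check worth automating when Trivy reports pile up. The script below is an added example, not code from this thread or from JupyterHub or Trivy; it assumes Trivy's JSON report layout (Results[].Target and Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity), uses a constructed sample report modelled on the finding reported here, and the second target path in the sample is hypothetical.

```python
"""Classify Trivy findings by whether the vulnerable file runs server-side.

Added example (not from the jupyter/security thread, JupyterHub or Trivy).
Assumes Trivy's JSON report layout; the sample report is constructed.
"""
import json
import re

# Directory names that JupyterHub (and most web frameworks) serve verbatim to
# browsers; a package found under them runs client-side, not in the server process.
STATIC_SEGMENTS = {"static"}

# Constructed sample of `trivy image --format json ...` output, trimmed to the
# fields used here.  The first target is the real finding from this thread;
# the second target path is hypothetical and shows the same CVE in a copy of
# moment that a Node process would actually require().
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "opt/conda/share/jupyterhub/static/components/moment/package.json",
            "Class": "lang-pkgs",
            "Type": "node-pkg",
            "Vulnerabilities": [{
                "VulnerabilityID": "CVE-2022-24785",
                "PkgName": "moment",
                "InstalledVersion": "2.29.1",
                "FixedVersion": "2.29.2",
                "Severity": "HIGH",
            }],
        },
        {
            "Target": "usr/lib/node_modules/example-node-tool/node_modules/moment/package.json",
            "Class": "lang-pkgs",
            "Type": "node-pkg",
            "Vulnerabilities": [{
                "VulnerabilityID": "CVE-2022-24785",
                "PkgName": "moment",
                "InstalledVersion": "2.29.1",
                "FixedVersion": "2.29.2",
                "Severity": "HIGH",
            }],
        },
    ]
})


def parse_version(v):
    """Turn '2.29.1' into (2, 29, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))


def is_unpatched(installed, fixed):
    """True when the installed version is older than the lowest fixed version."""
    if not fixed:
        return True  # no fix published yet: still exposed
    # Trivy may list several fixed versions ("2.29.2, 3.0.0"); compare against the lowest.
    lowest_fix = min(parse_version(f.strip()) for f in fixed.split(","))
    return parse_version(installed) < lowest_fix


def served_to_browser(target):
    """A file under a static/ directory is shipped to the browser, not imported by the server."""
    return any(seg in STATIC_SEGMENTS for seg in target.split("/"))


def triage(report_json):
    """Return one triage record per finding, tagged with where the code executes."""
    records = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            client_side = served_to_browser(target)
            records.append({
                "id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "target": target,
                "severity": vuln.get("Severity"),
                "unpatched": is_unpatched(vuln["InstalledVersion"], vuln.get("FixedVersion", "")),
                "exposure": "client-side asset" if client_side else "server-side code",
                # A browser-served copy still gets bumped, but a server-only advisory
                # (as with CVE-2022-24785 here) is not an exposure of the Python process.
                "action": ("bump the bundled copy; check whether the advisory also "
                           "applies in the browser before escalating")
                          if client_side else
                          "patch now: a server process can load this code",
            })
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_REPORT):
        print(f"{rec['id']} {rec['package']} [{rec['exposure']}] unpatched={rec['unpatched']}: {rec['action']}")
```

The location heuristic only narrows the question; it does not answer it. A package under static/ is still worth bumping, and the advisory text still has to be read, because a library that is vulnerable server-side may have a separate client-side weakness in the same release.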

viniciusdc commented 2 years ago

Thanks @Carreau for the details; I had this in mind as well, but wanted to at least have this reported to confirm what exactly this would (or would not) affect. Thanks for opening the issue for bumping the version; feel free to close this as well if needed.