build(deps): bump the pip group across 1 directory with 8 updates

[dependabot]

Bumps the pip group with 7 updates in the / directory:

Package	From	To
pytest	8.3.4	9.0.3
jupyter-server	2.15.0	2.18.0
jupyterlab	4.4.8	4.5.7
nbconvert	7.17.0	7.17.1
pillow	12.1.1	12.2.0
requests	2.32.4	2.33.0
tornado	6.5.1	6.5.5

Updates pytest from 8.3.4 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates jupyter-server from 2.15.0 to 2.18.0

Release notes

Sourced from jupyter-server's releases.

v2.18.0

2.18.0

(Full Changelog)

Security patches

• CVE-2026-40110 GHSA-24qx-w28j-9m6p
• CVE-2025-61669 GHSA-qh7q-6qm3-653w
• CVE-2026-40934 GHSA-5mrq-x3x5-8v8f
• CVE-2026-35397 GHSA-5789-5fc7-67v3

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #1617 (@​zolyfarkas-fb, @​Carreau)
• Add resolvePath API for resolving kernel-relative paths #1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #1625 (@​Carreau)
• Fix potential unraisable pytest error #1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#1506) #1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #1569 (@​emin63, @​minrk)
• fix context pollution #1561 (@​dualc, @​Zsailer)
• Fix gateway cookie handling #1558 (@​kevin-bates, @​RRosio, @​lresende, @​minrk)
• fix connection exception cause high cpu load #1484 (@​dualc, @​lresende, @​minrk)

Maintenance and upkeep improvements

• Start to test on Python 3.13 and 3.14 #1623 (@​Carreau)
• Bump actions/create-github-app-token from 2 to 3 in the actions group across 1 directory #1621 (@​Carreau)
• Bump brace-expansion from 1.1.12 to 1.1.13 #1615 (@​minrk)
• Fix package spec for jupytext #1614 (@​krassowski, @​Zsailer)
• chore: update pre-commit hooks #1607 (@​minrk)
• try to fix ci on windows #1600 (@​minrk, @​krassowski)
• run prerelease tests on 3.14 #1599 (@​minrk)
• Pin sphinx to an older version (<9) to fix docs #1597 (@​krassowski, @​minrk)

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.18.0

(Full Changelog)

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #1617 (@​zolyfarkas-fb, @​Carreau)
• Avoid redundant call to _get_os_path in _dir_model #1547 (@​joeyutong, @​vidartf)
• Allow specifying extra params to scrub from logs #1538 (@​jtpio, @​Zsailer, @​vidartf)
• Add a logger to the ExtensionPoint API #1523 (@​Zsailer, @​vidartf)
• Allow user to update identity values #1518 (@​brichet, @​minrk)
• If ServerApp.ip is ipv6 use [::1] as local_url #1495 (@​manics, @​afshin)
• Better error message when starting kernel for session. #1478 (@​Carreau, @​davidbrochart, @​krassowski, @​minrk)
• Add a traitlet to disable recording HTTP request metrics #1472 (@​yuvipanda, @​Zsailer)
• prometheus: Expose 3 activity metrics #1471 (@​yuvipanda, @​Zsailer)
• Add prometheus info metrics listing server extensions + versions #1470 (@​yuvipanda, @​Zsailer)
• Add prometheus metric with version information #1467 (@​yuvipanda, @​Zsailer)
• Don't hide .so,.dylib files by default #1457 (@​nokados, @​krassowski, @​minrk, @​vidartf)
• Better hash format error message #1442 (@​fcollonval, @​Zsailer)
• Removing excessive logging from reading local files #1420 (@​lresende, @​kevin-bates)
• Add async start hook to ExtensionApp API #1417 (@​Zsailer, @​Darshan808, @​bollwyvl, @​fcollonval, @​krassowski)
• Do not include token in dashboard link, when available #1406 (@​minrk, @​blink1073)
• Add an option to have authentication enabled for all endpoints by default #1392 (@​krassowski, @​Wh1isper, @​blink1073, @​bollwyvl, @​minrk, @​yuvipanda)
• websockets: add configurations for ping interval and timeout #1391 (@​oliver-sanders, @​blink1073)
• log extension import time at debug level unless it's actually slow #1375 (@​minrk, @​Zsailer, @​yuvipanda)
• Add support for async Authorizers (part 2) #1374 (@​Zsailer, @​blink1073)
• Support async Authorizers #1373 (@​Zsailer, @​blink1073)
• Support get file(notebook) md5 #1363 (@​Wh1isper, @​blink1073, @​bollwyvl, @​krassowski)
• Update kernel env to reflect changes in session #1354 (@​blink1073, @​Carreau, @​krassowski)
• Add resolvePath API for resolving kernel-relative paths #1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #1625 (@​Carreau)
• Fix potential unraisable pytest error #1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#1506) #1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #1569 (@​emin63, @​minrk)

... (truncated)

Commits

• 0ceed45 Publish 2.18.0
• 49b3439 Move check origin into a util function and add it to websocket (#1630)
• e2e08c8 Add test case for bad next URL format
• 624d6c0 Delete outdated patch code
• d825b93 Apply suggestion from @​minrk
• 789fed0 patch open redirect in /login
• 2ee51ec fix(CVE-2026-35397): path traversal when target dir starts with root dir
• 057869a Fix allow_origin_pat to do full matching instead of prefix matching
• 4862199 Add resolvePath API for resolving kernel-relative paths
• e31d514 Bump actions/create-github-app-token from 2 to 3 in the actions group across ...
• Additional commits viewable in compare view

Updates jupyterlab from 4.4.8 to 4.5.7

Release notes

Sourced from jupyterlab's releases.

v4.5.7

4.5.7

(Full Changelog)

Security patches

• CVE-2026-42557 GHSA-mqcg-5x36-vfcg
• CVE-2026-42266 GHSA-37w4-hwhx-4rc4
• CVE-2026-40171 GHSA-rch3-82jr-f9w9

Bugs fixed

• Video and Audio Content Providers: Fix JupyterLite support #18652 (@​martinRenou)
• Fix notebook hang when dropping cells #18808 (@​MUFFANUJ)
• Fix Contextual Help keyboard shortcut reliability and menu Help functionality #18747 (@​itsmejay80)
• Fix focusing input element when opening a dialog from Command Palette #18735 (@​Carreau)
• Fix native context menu blocked even when context menu is suppressed #18753 (@​utsav-develops)
• Fix flaky toolbar item placement in popup #18618 (@​filipeoliveira05)
• Update terminal default font family to honor macOS system-wide ui-monospace #18647 (@​flaviomartins)

Maintenance and upkeep improvements

• Fix linting issue #18819 (@​krassowski)
• Fix syntax for Python 3.9 on 4.5.x branch #18817 (@​krassowski)
• Remove unused CodeMirror v5 CSS rule #18785 (@​Carreau)
• Remove unused CSS rule forgotten after CodeMirror migration #18763 (@​Carreau)
• Remove unused progress bar CSS rule in execution indicator #18759 (@​Carreau)
• Remove dead .jp-VariableRenderer-TrustButton CSS rule #18762 (@​Carreau)
• Remove used .jp-Cell-Placeholder CSS rules #18761 (@​Carreau)

Documentation improvements

• Fix name of option for extension manager implementation in docs #18788 (@​krassowski)
• Remove 4.5.0 announcement from docs #18740 (@​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​filipeoliveira05 (activity) | @​flaviomartins (activity) | @​itsmejay80 (activity) | @​jtpio (activity) | @​krassowski (activity) | @​martinRenou (activity) | @​MUFFANUJ (activity) | @​utsav-develops (activity)

v4.5.6

4.5.6

... (truncated)

Commits

• f514041 [ci skip] Publish 4.5.7
• 66fe9ad Backport PR #18652 on branch 4.5.x (Video and Audio Content Providers: Fix Ju...
• f4455fa Fix syntax for Python 3.9 on 4.5.x branch (#18817)
• d2322b5 Backport PR #18819 on branch 4.5.x (Fix linting issue) (#18820)
• 5d9cb8c Merge commit from fork
• 1de120b Merge commit from fork
• 6926100 Backport PR #18808 on branch 4.5.x (Fix notebook hang when dropping cells) (#...
• 67e6e88 Backport PR #18647 on branch 4.5.x (Update default font family to honor macOS...
• bf21eb9 Backport PR #18747 on branch 4.5.x (Fix Contextual Help keyboard shortcut rel...
• 73cafa5 Backport PR #18788 on branch 4.5.x (Fix name of option for extension manager ...
• Additional commits viewable in compare view

Updates nbconvert from 7.17.0 to 7.17.1

Release notes

Sourced from nbconvert's releases.

v7.17.1

7.17.1

This is a security release, fixing two CVEs:

• CVE-2026-39377
• CVE-2026-39378

(full advisories will be published seven days after release, on 2026-04-14).

(Full Changelog)

Enhancements made

• Allow configureable WebPDF JavaScript processing timeout #2250 (@​timkpaine, @​Carreau)

Bugs fixed

• Fix PermissionError when checking template paths on shared filesystems #2252 (@​ctcjab, @​krassowski)
• Tweak webpdf template logic to fix duplicate extension problem #2249 (@​timkpaine, @​Carreau)

Maintenance and upkeep improvements

• specify python version for pre #2276 (@​minrk, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​akhmerov (activity) | @​bollwyvl (activity) | @​Carreau (activity) | @​ctcjab (activity) | @​davidbrochart (activity) | @​Ken-B (activity) | @​krassowski (activity) | @​mgeier (activity) | @​minrk (activity) | @​mpacer (activity) | @​MSeal (activity) | @​SylvainCorlay (activity) | @​takluyver (activity) | @​timkpaine (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.1

This is a security release, fixing two CVEs:

• CVE-2026-39377
• CVE-2026-39378

(full advisories will be published seven days after release, on 2026-04-14).

(Full Changelog)

Enhancements made

• Allow configureable WebPDF JavaScript processing timeout #2250 (@​timkpaine, @​Carreau)

Bugs fixed

• Fix PermissionError when checking template paths on shared filesystems #2252 (@​ctcjab, @​krassowski)
• Tweak webpdf template logic to fix duplicate extension problem #2249 (@​timkpaine, @​Carreau)

Maintenance and upkeep improvements

• specify python version for pre #2276 (@​minrk, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​akhmerov (activity) | @​bollwyvl (activity) | @​Carreau (activity) | @​ctcjab (activity) | @​davidbrochart (activity) | @​Ken-B (activity) | @​krassowski (activity) | @​mgeier (activity) | @​minrk (activity) | @​mpacer (activity) | @​MSeal (activity) | @​SylvainCorlay (activity) | @​takluyver (activity) | @​timkpaine (activity)

Commits

• 78ed308 Publish 7.17.1
• f090a64 ruff format
• b3b6ec0 chore: update pre-commit hooks (#2277)
• be4841f ignore silly security lint in tests
• 26d57b2 fix type annotation on Lexer
• 0e6b8cc Merge commit from fork
• ba5e5cd Merge commit from fork
• 1db0c88 Specify python version for pre (#2276)
• 7473fc3 chore: update pre-commit hooks (#2242)
• 4322f7f Bump the actions group across 1 directory with 2 updates (#2273)
• Additional commits viewable in compare view

Updates notebook from 7.4.6 to 7.5.6

Release notes

Sourced from notebook's releases.

v7.5.6

7.5.6

(Full Changelog)

Security patches

• CVE-2026-42557 GHSA-mqcg-5x36-vfcg
• CVE-2026-40171 GHSA-rch3-82jr-f9w9

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.7 #7902 (@​jtpio)

Documentation improvements

• docs: Fix broken links in troubleshooting and migration docs #7824 (@​RamiNoodle733)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity) | @​RamiNoodle733 (activity)

v7.5.5

7.5.5

(Full Changelog)

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.6 #7861 (@​jtpio)
• [7.5.x] Drop Python 3.9 on CI #7860 (@​jtpio)
• Fix check links #7857 (@​jtpio)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity)

... (truncated)

Changelog

Sourced from notebook's changelog.

7.5.6

(Full Changelog)

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.7 #7902 (@​jtpio)

Documentation improvements

• docs: Fix broken links in troubleshooting and migration docs #7824 (@​RamiNoodle733)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity) | @​RamiNoodle733 (activity)

7.5.5

(Full Changelog)

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.6 #7861 (@​jtpio)
• [7.5.x] Drop Python 3.9 on CI #7860 (@​jtpio)
• Fix check links #7857 (@​jtpio)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​jtpio (activity)

7.5.4

(Full Changelog)

Maintenance and upkeep improvements

• Update to JupyterLab v4.5.5 #7842 (@​jtpio)
• Fix PyO3 CI failure with Python 3.15 #7836 (@​jtpio)

... (truncated)

Commits

• 1ab2d2b Publish 7.5.6
• 50e5222 Merge commit from fork
• 2e642f0 Update to JupyterLab v4.5.7 (#7902)
• 4b93f98 Backport PR #7824: docs: Fix broken links in troubleshooting and migration do...
• 9a2c88f Publish 7.5.5
• 4f8438b Update to JupyterLab v4.5.6 (#7861)
• f78fcfa Backport PR #7857: Fix check links (#7858)
• 9e4cf2a [7.5.x] Drop Python 3.9 on CI (#7860)
• ecc3aaf Publish 7.5.4
• e5d8418 Update to JupyterLab v4.5.5 (#7842)
• Additional commits viewable in compare view

Updates pillow from 12.1.1 to 1...

Description has been truncated