Merge pull request #2 from jupyterhub/main

update

.github/workflows/linkcheck.yaml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: "3.12"
 
       - name: Install deps
         run: pip install -r docs/requirements.txt

.github/workflows/publish.yaml

@@ -36,7 +36,7 @@ jobs:
 
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: "3.12"
 
       - uses: actions/setup-node@v4
         with:
@@ -68,16 +68,16 @@ jobs:
           sha256sum * | tee SHA256SUMS
 
       - name: Upload Python artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: dist
+          name: dist-${{ github.run_attempt }}
           path: dist
           if-no-files-found: error
 
       - name: Upload Javascript artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: jsdist
+          name: jsdist-${{ github.run_attempt }}
           path: jsdist
           if-no-files-found: error
 
@@ -90,12 +90,12 @@ jobs:
     steps:
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: "3.12"
 
       - name: Download artifacts from build
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
-          name: dist
+          name: dist-${{ github.run_attempt }}
           path: dist
 
       # The PyPI publishing action will try to publish this checksum file as if
@@ -125,9 +125,9 @@ jobs:
           registry-url: https://registry.npmjs.org
 
       - name: Download artifacts from build
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
-          name: jsdist
+          name: jsdist-${{ github.run_attempt }}
           path: jsdist
 
       - run: |

.github/workflows/test.yaml

@@ -21,6 +21,9 @@ on:
     branches-ignore:
       - "dependabot/**"
       - "pre-commit-ci-update-config"
+  schedule:
+    # Run at 05:00 on monday and thursday, ref: https://crontab.guru/#0_5_*_*_1,4
+    - cron: "0 5 * * 1,4"
   workflow_dispatch:
 
 env:
@@ -37,7 +40,7 @@ jobs:
 
       - uses: actions/setup-python@v5
         with:
-          python-version: "3.11"
+          python-version: "3.12"
 
       - uses: actions/setup-node@v4
         with:
@@ -53,13 +56,13 @@ jobs:
         run: pyproject-build
 
       - name: Upload built artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: dist-${{ github.run_number }}
+          name: dist-${{ github.run_attempt }}
           path: ./dist
 
   test:
-    name: ${{ matrix.os }} ${{ matrix.python-version }} ${{ matrix.pip-extras }}
+    name: ${{ matrix.os }} ${{ matrix.python-version }} ${{ matrix.pip-extras }} ${{ (matrix.pip-install-constraints != '' && '(oldest deps)') || '' }}
     needs: [build]
     timeout-minutes: 30
     runs-on: ${{ matrix.os }}
@@ -71,18 +74,43 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-22.04, windows-2022]
-        python-version: ["3.8", "3.11"]
-        pip-extras: ["lab", "classic"]
+        python-version: ["3.8", "3.12"]
+        pip-extras: [lab, classic]
+        pip-install-constraints: [""]
         exclude:
           # windows should work for all test variations, but a limited selection
           # is run to avoid doubling the amount of test runs
           - os: windows-2022
-            python-version: "3.11"
+            python-version: "3.12"
             pip-extras: classic
           - os: windows-2022
             python-version: "3.8"
             pip-extras: lab
 
+          # FIXME: If https://github.com/jupyter/notebook/pull/7305 gets merged
+          #        and released, we can test "classic" with python 3.12 as well,
+          #        but until then we exclude it from being run as a Python 3.12
+          #        test and include it as a Python 3.11 test.
+          - os: ubuntu-22.04
+            python-version: "3.12"
+            pip-extras: classic
+        include:
+          # this test is manually updated to reflect the lower bounds of
+          # versions from dependencies
+          - os: ubuntu-22.04
+            python-version: "3.8"
+            pip-extras: classic
+            pip-install-constraints: >-
+              jupyter-server==1.24.0
+              simpervisor==1.0.0
+              tornado==6.1.0
+              traitlets==5.1.0
+
+          # Workaround for excluded 3.12 test mentioned in a FIXME above
+          - os: ubuntu-22.04
+            python-version: "3.11"
+            pip-extras: classic
+
     steps:
       - uses: actions/checkout@v4
 
@@ -94,9 +122,9 @@ jobs:
         run: pip install --upgrade pip
 
       - name: Download built artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
-          name: dist-${{ github.run_number }}
+          name: dist-${{ github.run_attempt }}
           path: ./dist
 
       - name: Install Python package
@@ -105,7 +133,7 @@ jobs:
         #
         #       Pytest options are set in `pyproject.toml`.
         run: |
-          pip install -vv $(ls ./dist/*.whl)\[acceptance,${{ matrix.pip-extras }}\]
+          pip install -vv $(ls ./dist/*.whl)\[acceptance,${{ matrix.pip-extras }}\] ${{ matrix.pip-install-constraints }}
 
       - name: List Python packages
         run: |
@@ -152,16 +180,14 @@ jobs:
 
       - name: Upload test reports
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: |-
-            tests-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.pip-extras }}-${{ github.run_number }}
+            tests-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.pip-extras }}-${{ (matrix.pip-install-constraints != '' && 'oldest-') || '' }}${{ github.run_attempt }}
           path: |
             ./build/pytest
             ./build/coverage
             ./build/robot
 
       # GitHub action reference: https://github.com/codecov/codecov-action
-      - uses: codecov/codecov-action@v3
-        with:
-          directory: build/.coverage
+      - uses: codecov/codecov-action@v4

CONTRIBUTING.md

@@ -25,7 +25,7 @@ For example, after installing [`mambaforge`](https://conda-forge.org/miniforge),
 create a new environment with all heavy development and test dependencies:
 
 ```yaml
-mamba create --name=jupyter-server-proxy --channel=conda-forge "python=3.11" "nodejs=20" pip git geckodriver firefox
+mamba create --name=jupyter-server-proxy --channel=conda-forge "python=3.12" "nodejs=20" pip git geckodriver firefox
 mamba activate jupyter-server-proxy
 ```
 

docs/source/changelog.md

@@ -1,7 +1,71 @@
 # Changelog
 
+## 4.2
+
+### v4.2.0 - 2024-06-11
+
+This release includes an important security patch for
+[CVE-2024-35225 ](https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr).
+
+([full changelog](https://github.com/jupyterhub/jupyter-server-proxy/compare/v4.1.2...v4.2.0))
+
+#### Maintenance and upkeep improvements
+
+- Require jupyter_server 1.24+, tornado 6.1+, traitlets 5.1+ [#467](https://github.com/jupyterhub/jupyter-server-proxy/pull/467) ([@consideRatio](https://github.com/consideRatio))
+- Test against Python 3.12 [#450](https://github.com/jupyterhub/jupyter-server-proxy/pull/450) ([@consideRatio](https://github.com/consideRatio))
+
+#### Documentation improvements
+
+- Document the correct default value for new_browser_tab. [#470](https://github.com/jupyterhub/jupyter-server-proxy/pull/470) ([@ryanlovett](https://github.com/ryanlovett))
+
+#### Contributors to this release
+
+([GitHub contributors page for this release](https://github.com/jupyterhub/jupyter-server-proxy/graphs/contributors?from=2024-03-19&to=2024-06-08&type=c))
+
+[@consideRatio](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3AconsideRatio+updated%3A2024-03-19..2024-06-08&type=Issues) | [@ryanlovett](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Aryanlovett+updated%3A2024-03-19..2024-06-08&type=Issues) | [@welcome](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Awelcome+updated%3A2024-03-19..2024-06-08&type=Issues)
+
 ## 4.1
 
+### 4.1.2 - 2024-03-13
+
+#### Bugs fixed
+
+- Keep proxying all requested subprotocols [#462](https://github.com/jupyterhub/jupyter-server-proxy/pull/462) ([@consideRatio](https://github.com/consideRatio))
+
+### 4.1.1 - 2024-03-13
+
+This release includes an important security patch for the critical vulnerability
+[GHSA-w3vc-fx9p-wp4v](https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v).
+The security patch is also available in version 3.2.3.
+
+#### Bugs fixed
+
+- Ensure no blank `Sec-Websocket-Protocol` headers and warn if websocket subprotocol edge case occur [#458](https://github.com/jupyterhub/jupyter-server-proxy/pull/458) ([@consideRatio](https://github.com/consideRatio), [@duytnguyendtn](https://github.com/duytnguyendtn), [@minrk](https://github.com/minrk), [@benz0li](https://github.com/benz0li))
+- Fix double formatting of callables (`command`, `environment`, `request_headers_override`) [#437](https://github.com/jupyterhub/jupyter-server-proxy/pull/437) ([@diocas](https://github.com/diocas), [@consideRatio](https://github.com/consideRatio))
+
+#### Maintenance and upkeep improvements
+
+- labextension: refreeze yarn.lock [#461](https://github.com/jupyterhub/jupyter-server-proxy/pull/461) ([@consideRatio](https://github.com/consideRatio))
+- List tornado and traitlets as dependencies explicitly, and cleanup unreachable code [#457](https://github.com/jupyterhub/jupyter-server-proxy/pull/457) ([@consideRatio](https://github.com/consideRatio), [@minrk](https://github.com/minrk))
+- Fix failure to upload code coverage reports [#454](https://github.com/jupyterhub/jupyter-server-proxy/pull/454) ([@consideRatio](https://github.com/consideRatio))
+- Update tests for notebook 7.1 [#451](https://github.com/jupyterhub/jupyter-server-proxy/pull/451) ([@consideRatio](https://github.com/consideRatio))
+- tests: fix failure to log error after all retries failed [#441](https://github.com/jupyterhub/jupyter-server-proxy/pull/441) ([@consideRatio](https://github.com/consideRatio))
+- Declare metadata in pyproject.toml, remove hatch-nodejs-version plugin [#427](https://github.com/jupyterhub/jupyter-server-proxy/pull/427) ([@consideRatio](https://github.com/consideRatio), [@bollwyvl](https://github.com/bollwyvl), [@manics](https://github.com/manics))
+
+#### Continuous integration improvements
+
+- ci: upgrade to v4 of upload/download-artifact actions [#455](https://github.com/jupyterhub/jupyter-server-proxy/pull/455) ([@consideRatio](https://github.com/consideRatio))
+- ci: schedule test runs twice a week [#452](https://github.com/jupyterhub/jupyter-server-proxy/pull/452) ([@consideRatio](https://github.com/consideRatio))
+
+#### Contributors to this release
+
+The following people contributed discussions, new ideas, code and documentation contributions, and review.
+See [our definition of contributors](https://github-activity.readthedocs.io/en/latest/#how-does-this-tool-define-contributions-in-the-reports).
+
+([GitHub contributors page for this release](https://github.com/jupyterhub/jupyter-server-proxy/graphs/contributors?from=2023-09-25&to=2024-03-13&type=c))
+
+@benz0li ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Abenz0li+updated%3A2023-09-25..2024-03-13&type=Issues)) | @bollwyvl ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Abollwyvl+updated%3A2023-09-25..2024-03-13&type=Issues)) | @consideRatio ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3AconsideRatio+updated%3A2023-09-25..2024-03-13&type=Issues)) | @diocas ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Adiocas+updated%3A2023-09-25..2024-03-13&type=Issues)) | @duytnguyendtn ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Aduytnguyendtn+updated%3A2023-09-25..2024-03-13&type=Issues)) | @goekce ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Agoekce+updated%3A2023-09-25..2024-03-13&type=Issues)) | @manics ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Amanics+updated%3A2023-09-25..2024-03-13&type=Issues)) | @minrk ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Aminrk+updated%3A2023-09-25..2024-03-13&type=Issues)) | @rcthomas ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Arcthomas+updated%3A2023-09-25..2024-03-13&type=Issues)) | @sk1p ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Ask1p+updated%3A2023-09-25..2024-03-13&type=Issues)) | @steverweber ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Asteverweber+updated%3A2023-09-25..2024-03-13&type=Issues)) | @yuvipanda ([activity](https://github.com/search?q=repo%3Ajupyterhub%2Fjupyter-server-proxy+involves%3Ayuvipanda+updated%3A2023-09-25..2024-03-13&type=Issues))
+
 ### 4.1.0 - 2023-09-25
 
 #### New features added
@@ -98,6 +162,10 @@ See [our definition of contributors](https://github-activity.readthedocs.io/en/l
 
 ## 3.2
 
+### 3.2.3 - 2024-03-13
+
+This is a security release for [GHSA-w3vc-fx9p-wp4v](https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v).
+
 ### 3.2.2 - 2022-09-08
 
 #### Bugs fixed

docs/source/server-process.md

@@ -129,8 +129,8 @@ the following keys:
 
 ### `new_browser_tab`
 
-_JupyterLab only_ - _True_ if the proxied server URL should be opened in a new browser tab.
-_False_ (default) if the proxied server URL should be opened in a new JupyterLab tab.
+_JupyterLab only_ - _True_ (default) if the proxied server URL should be opened in a new browser tab.
+_False_ if the proxied server URL should be opened in a new JupyterLab tab.
 
 If _False_, the proxied server needs to allow its pages to be rendered in an iframe. This
 is generally done by configuring the web server `X-Frame-Options` to `SAMEORIGIN`.