Jupyter broken in 22.05?

I just updated my system’s flake’s inputs, and now I’m getting a build failure due to mistune:

error: Package ‘python3.9-mistune-0.8.4’ in /nix/store/dxa8c2j2ifgzjj0pjwl35qzgcayjhg88-source/pkgs/development/python-modules/mistune/common.nix:23 is marked as insecure, refusing to evaluate.

       Known issues:
        - CVE-2022-34749

As far as I can tell this is because I’ve turned on services.jupyter.enable (if I comment out the import that does that, it seems to start building ok). Unfortunately I happen to like having Jupyter available so that’s not a good long-term solution.

I see a lot of recent issues and PRs about some CVE in mistune (including one or two that seem like they might make Jupyter transitively depend on mistune 2.x rather than 0.8). Is there something pending that will unbreak Jupyter on stable or am I SOL until November?

1 Like

You can use export NIXPKGS_ALLOW_INSECURE=1 as a workaround (although probably not recommended).

Not sure how hard it would be to backport mistune 2.x.

Will be fixed by https://github.com/NixOS/nixpkgs/pull/187550

1 Like

aiui, once https://github.com/NixOS/nixpkgs/pull/188031 lands jupyter should no longer require permittedInsecurePackages.
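
The exception discussed in the thread can be limited to the one flagged package rather than switching the insecure-package check off globally. The following is an added example, not part of any post above; it assumes a NixOS module imported by the system flake and that the system's package set is the one NixOS builds from `nixpkgs.config`. The package string is copied from the error message in the first post.

```nix
# Added example (not from the thread): hypothetical module file, e.g.
# ./allow-mistune.nix, listed in the `modules` of the system flake.
{ ... }:
{
  # Permit only the exact name-version that the evaluation error names.
  # Every other package marked insecure still refuses to evaluate, so a
  # newly flagged dependency is not silently pulled into the system.
  nixpkgs.config.permittedInsecurePackages = [
    "python3.9-mistune-0.8.4"
  ];

  # The string must match the error message exactly. If the Python minor
  # version or the mistune version changes, evaluation fails again, which
  # is the prompt to re-check whether the exception is still needed.
  # Delete this module once Jupyter no longer depends on mistune 0.8.4.
}
```

Unlike `NIXPKGS_ALLOW_INSECURE=1`, which permits every package marked insecure and needs `--impure` when evaluating a flake, this keeps the check active for everything except the listed package.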