Jupyter broken in 22.05?

I just updated my system’s flake’s inputs, and now I’m getting a build failure due to mistune:

error: Package ‘python3.9-mistune-0.8.4’ in /nix/store/dxa8c2j2ifgzjj0pjwl35qzgcayjhg88-source/pkgs/development/python-modules/mistune/common.nix:23 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2022-34749

As far as I can tell this is because I’ve turned on services.jupyter.enable (if I comment out the import that does that, it seems to start building ok). Unfortunately I happen to like having Jupyter available so that’s not a good long-term solution.

I see a lot of recent issues and PRs about some CVE in mistune (including one or two that seem like they might make Jupyter transitively depend on mistune 2.x rather than 0.8). Is there something pending that will unbreak Jupyter on stable or am I SOL until November?

You can use export NIXPKGS_ALLOW_INSECURE=1 as a workaround (although probably not recommended).

Not sure how hard it would be to backport mistune 2.x.

Will be fixed by [Backport release-22.05] python310Packages.nbconvert: use mistune 2.x by github-actions[bot] · Pull Request #187550 · NixOS/nixpkgs · GitHub

aiui, once [22.05] Revert "python3Packages.mistune_0_8: mark knownVulnerabilities CVE-2022-34749" by sersorrel · Pull Request #188031 · NixOS/nixpkgs · GitHub lands jupyter should no longer require permittedInsecurePackages.
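
Added example, not part of any post in this thread: until the backport lands, the exception can be limited to the one package named in the error instead of setting NIXPKGS_ALLOW_INSECURE=1, which permits every package marked insecure. The module layout is an assumption; the package name is copied from the error message above.

```nix
# Hypothetical NixOS module, imported from the system flake's configuration.
{ ... }:
{
  # Scoped exception: only this exact name/version is permitted, so any
  # other package marked insecure still refuses to evaluate.
  nixpkgs.config.permittedInsecurePackages = [
    "python3.9-mistune-0.8.4"
  ];

  # By contrast, NIXPKGS_ALLOW_INSECURE=1 is read from the environment and
  # applies to all insecure packages. Flake evaluation is pure by default,
  # so the variable only takes effect when the build is run with --impure.
}
```

Remove the entry once the fixed nbconvert/mistune change reaches the channel, so the vulnerable mistune 0.8.4 is refused again if anything else pulls it in.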