Security fix in nbgitpuller and BinderHub

If you manage a deployment of BinderHub and/or use nbgitpuller in your JupyterHub deployments, a critical security vulnerability has been indentified and fixed. You are encouraged to upgrade immediately.

  • For nbgitpuller, that means upgrading to 0.10.2 or later
  • For BinderHub, that means chart version 0.2.0-n653.h195caac or later

See security advisories GHSA-9jjr-qqfp-ppwx for BinderHub and GHSA-mq5p-2mcr-m52j for nbgitpuller for more details.

Thanks to Jose Carlos Luna Duran (CERN) and Riccardo Castellotti (CERN) for reporting the vulnerability and providing a fix.

If you believe you’ve found a security vulnerability in a Jupyter project, please report it to