Hi everyone,
We’ve identified CVE‑2025‑45768 affecting the jupyterhub/k8s-hub image. As far as we can tell, the fix is not included in any stable release, but is present in a dev build (4.3.3).
Before deciding what to deploy, we’d really appreciate input from the community:
- How reliable are the dev images of `k8s-hub` in practice?
- Do security fixes typically land in dev first and later get included in a stable release?
- If the fix is only in a dev build, is it safer to use the `dev` tag or to pin a specific commit SHA?
- And finally, can we know if there is any expectation of a stable 4.3.3 release soon, or is further work instead happening towards 5.0.0 (we also see that one in dev)?
Thanks for any insights or experiences you can share!
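The tag-versus-SHA question above, illustrated with an added example (this is not code from JupyterHub or the Zero to JupyterHub chart): a small Python check that walks a Helm values tree, reports how each container image is pinned (immutable digest, version tag, mutable tag such as `dev`, or no tag at all) and rewrites a tag reference into a `name:tag@sha256:...` digest reference. The values excerpt, the image names and the digest resolver are constructed stand-ins; a real run would obtain the digest from the registry (for example `crane digest NAME:TAG` or `skopeo inspect`) and the `hub.image.name` / `hub.image.tag` keys are assumed to be the ones the chart reads.

```python
"""Classify and pin container image references in a Helm-style values tree.

Added illustration for the pinning question above; not code from the
JupyterHub or Zero to JupyterHub projects. Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, Optional, Tuple

# Tags that are routinely re-pointed at new builds, so a pull tomorrow may
# return different content than a pull today. Extend to taste.
MUTABLE_TAGS = {"latest", "dev", "main", "master", "edge", "nightly"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    name: str              # registry/repository, e.g. quay.io/jupyterhub/k8s-hub
    tag: Optional[str]     # None when no tag was given (runtimes assume "latest")
    digest: Optional[str]  # "sha256:<hex>" when pinned by content


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry/repo[:tag][@sha256:hex]' into its parts."""
    rest, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # The tag separator is the last ':' that comes after the last '/', so a
    # registry port such as localhost:5000/repo is not mistaken for a tag.
    slash, colon = rest.rfind("/"), rest.rfind(":")
    if colon > slash:
        name, tag = rest[:colon], rest[colon + 1:]
    else:
        name, tag = rest, None
    if not name or tag == "":
        raise ValueError(f"malformed image reference {ref!r}")
    return ImageRef(name, tag, digest or None)


def classify(ref: str) -> str:
    """Return 'digest', 'version-tag', 'mutable-tag' or 'untagged'.

    Only 'digest' identifies exactly one image; every other form can resolve
    to different content on the next pull.
    """
    r = parse_image_ref(ref)
    if r.digest:
        return "digest"
    if r.tag is None:
        return "untagged"
    if r.tag in MUTABLE_TAGS:
        return "mutable-tag"
    return "version-tag"


def pin_to_digest(ref: str, resolve: Callable[[str, str], str]) -> str:
    """Rewrite a tag reference as 'name:tag@sha256:...'.

    `resolve(name, tag)` stands in for a registry lookup. The tag is kept
    next to the digest only for readability: the runtime pulls by digest and
    the tag no longer decides which image runs.
    """
    r = parse_image_ref(ref)
    if r.digest:
        return ref  # already pinned, leave untouched
    tag = r.tag or "latest"
    digest = resolve(r.name, tag)
    if not DIGEST_RE.match(digest):
        raise ValueError(f"resolver returned malformed digest {digest!r}")
    return f"{r.name}:{tag}@{digest}"


def iter_image_refs(values: Dict, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted values path, image reference) for every image found.

    Handles the assumed chart layout image: {name: ..., tag: ...} as well as
    a plain image: "name:tag" string.
    """
    for key, val in values.items():
        here = f"{path}.{key}" if path else key
        if key == "image":
            if isinstance(val, str):
                yield here, val
            elif isinstance(val, dict) and "name" in val:
                name, tag = val["name"], val.get("tag")
                yield here, f"{name}:{tag}" if tag and "@" not in name else name
        elif isinstance(val, dict):
            yield from iter_image_refs(val, here)


def audit_values(values: Dict) -> Dict[str, str]:
    """Map each image location in `values` to how it is pinned."""
    return {path: classify(ref) for path, ref in iter_image_refs(values)}


# Constructed values excerpt; only the hub entry mirrors the keys discussed.
SAMPLE_VALUES = {
    "hub": {"image": {"name": "quay.io/jupyterhub/k8s-hub", "tag": "dev"}},
    "proxy": {"chp": {"image": {"name": "example.invalid/chp", "tag": "4.6.2"}}},
    "extra": {"image": "localhost:5000/tools@sha256:" + "0" * 64},
}


def fake_registry(name: str, tag: str) -> str:
    """Constructed stand-in for a registry lookup; real digests come from the registry."""
    return {("quay.io/jupyterhub/k8s-hub", "dev"): "sha256:" + "ab" * 32}[(name, tag)]


if __name__ == "__main__":
    for path, kind in audit_values(SAMPLE_VALUES).items():
        print(f"{path}: {kind}")
    print(pin_to_digest("quay.io/jupyterhub/k8s-hub:dev", fake_registry))
```

Anything reported as `mutable-tag` or `untagged` is the case the question is about: the reference will follow whatever the tag points at next, so recording the digest (and re-auditing before each upgrade) is what makes the deployment reproducible regardless of whether the build came from a dev or a stable tag.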