V8 related security issues

Hi,

I am using the latest Jupyter Notebook docker image (6.4.12) and found that the version of the Google V8 JavaScript Engine is still 9.6.180.15. There are two CVEs that may be related to that. One is CVE-2022-0470 and the other one is CVE-2022-0457.

Just to confirm, will Google V8 in Jupyter Notebook 6.4.12 be affected by those two CVEs? If yes, is there a way to mitigate it?

Is there a way that I can upgrade nodejs to the newest version in conda environments? I tried conda install -c conda-forge nodejs but it didn’t upgrade nodejs to the newest version.

Thanks.

install does what it says: it’s already installed, so there’s nothing to do.

Also, mamba is already installed, and generally preferable for a heavy env like the various stacks.

So, perhaps try mamba upgrade?

The deeper question: as I don’t see any reference to nodejs in the dockerfiles, it might just be coming along with jupyterhub (as in, the full-fat package for running jupyterhub), and maybe the dependency should be on jupyterhub-singleuser.

Thank you for your reply.

My goal is to upgrade V8 from 9.6.180.15 to 10.5.50. In order to do that I have to upgrade nodejs from 17.9.0 to the newest nodejs version through conda to mitigate the two CVEs I mentioned in the previous post. I am not sure whether the V8 version in Jupyter will be affected by those CVEs or not.

Yes, nodejs is not in the dockerfile; I believe it’s in a conda package. If V8 is not used at runtime, can I remove it with the conda uninstall --force nodejs command? Will Jupyter Notebook operate the same without nodejs?

Thanks.

My goal is trying to upgrade

Right. One of

  • mamba upgrade nodejs
  • mamba install 'nodejs>17.9.0'
    would give you what you want.

can I remove it

Well, this is docker, so you should probably just try it. It’s possible that this may remove the jupyterhub package as well, so to be sure:

mamba remove nodejs jupyterhub 
mamba install jupyterhub-singleuser

As mentioned in one of the many cross-posts of this: nodejs is not needed for normal operation of any normal end-user jupyter tool, and traefik is generally more robust than the nodejs-based configurable-http-proxy that the “full” jupyterhub package depends on.

The jupyterlab extension manager will use nodejs if available to install “source” extensions, but it is a fairly poor experience inside a container, as the build can be quite intensive, downloads a lot of data, and generally won’t persist. Guiding users to use prebuilt extensions is generally more fruitful, and doesn’t really change the security posture much in an interactive computing environment.
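As an added example (not part of this thread and not code from the Jupyter project), here is a small POSIX shell script for checking what the mamba steps above actually changed: it reads the V8 version embedded in whatever node is on PATH and compares it against a minimum version you pass in. It assumes node -p works for the installed nodejs. The minimum version is an input you choose; 10.5.50 in the usage lines is just the target version from this thread, not a statement of which V8 release fixes CVE-2022-0470 or CVE-2022-0457.

```shell
#!/bin/sh
# Added example (not from this thread or the Jupyter project): report the V8
# version that the nodejs in the current environment carries and compare it
# against a minimum version you decide on. The minimum is an input, not a
# claim about which release fixes CVE-2022-0470 or CVE-2022-0457.

# version_lt A B: exit 0 when dotted version A sorts before B, else 1.
# Pure awk so it does not depend on GNU `sort -V`.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# installed_v8_version: print the V8 version embedded in the `node` on PATH.
# Prints nothing and exits 1 when there is no node binary (for example after
# `mamba remove nodejs`), which is itself a useful answer for this check.
installed_v8_version() {
  command -v node >/dev/null 2>&1 || return 1
  node -p 'process.versions.v8'
}

# check_v8 MIN [VERSION]: compare VERSION (default: the installed one) to MIN.
# Exit 0 = at or above MIN, 1 = older than MIN, 2 = no nodejs/V8 found.
check_v8() {
  min="$1"
  have="${2:-$(installed_v8_version)}"
  if [ -z "$have" ]; then
    echo "no nodejs on PATH, so there is no bundled V8 in this environment"
    return 2
  fi
  if version_lt "$have" "$min"; then
    echo "V8 $have is older than $min"
    return 1
  fi
  echo "V8 $have is at or above $min"
  return 0
}

# Usage: check_v8 10.5.50               (inspect the node on PATH)
#        check_v8 10.5.50 9.6.180.15    (compare a version read elsewhere)
if [ "$#" -ge 1 ]; then
  check_v8 "$@"
fi
```

Run it once inside the container before and once after the mamba upgrade/remove step; exit code 2 after the remove confirms there is no nodejs (and hence no bundled V8) left to worry about. If you want to see which conda package pulled nodejs in before removing it, mamba repoquery whoneeds nodejs lists the dependents.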

Thank you for your reply.

Since nodejs is not needed for normal operation of any normal end user jupyter tool, does that mean jupyter can operate normally without nodejs? Nodejs can be removed from Jupyterhub without any issue, correct?

Thanks.

I didn’t read the thread fully, but note that if you install jupyterhub on the user server’s image, you just need jupyterhub-base (which does not bundle nodejs), not jupyterhub from conda-forge (which bundles nodejs for the software configurable-http-proxy).