Bump the pip group across 4 directories with 3 updates

[dependabot]

Bumps the pip group with 2 updates in the /mpcontribs-api/requirements directory: jupyter-server and mistune.
Bumps the pip group with 2 updates in the /mpcontribs-kernel-gateway/requirements directory: jupyter-server and mistune.
Bumps the pip group with 1 update in the /mpcontribs-lux/requirements directory: pillow.
Bumps the pip group with 1 update in the /mpcontribs-portal/requirements directory: mistune.

Updates jupyter-server from 2.17.0 to 2.18.0

Release notes

Sourced from jupyter-server's releases.

v2.18.0

2.18.0

(Full Changelog)

Security patches

• CVE-2026-40110 GHSA-24qx-w28j-9m6p
• CVE-2025-61669 GHSA-qh7q-6qm3-653w
• CVE-2026-40934 GHSA-5mrq-x3x5-8v8f
• CVE-2026-35397 GHSA-5789-5fc7-67v3

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #1617 (@​zolyfarkas-fb, @​Carreau)
• Add resolvePath API for resolving kernel-relative paths #1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #1625 (@​Carreau)
• Fix potential unraisable pytest error #1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#1506) #1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #1569 (@​emin63, @​minrk)
• fix context pollution #1561 (@​dualc, @​Zsailer)
• Fix gateway cookie handling #1558 (@​kevin-bates, @​RRosio, @​lresende, @​minrk)
• fix connection exception cause high cpu load #1484 (@​dualc, @​lresende, @​minrk)

Maintenance and upkeep improvements

• Start to test on Python 3.13 and 3.14 #1623 (@​Carreau)
• Bump actions/create-github-app-token from 2 to 3 in the actions group across 1 directory #1621 (@​Carreau)
• Bump brace-expansion from 1.1.12 to 1.1.13 #1615 (@​minrk)
• Fix package spec for jupytext #1614 (@​krassowski, @​Zsailer)
• chore: update pre-commit hooks #1607 (@​minrk)
• try to fix ci on windows #1600 (@​minrk, @​krassowski)
• run prerelease tests on 3.14 #1599 (@​minrk)
• Pin sphinx to an older version (<9) to fix docs #1597 (@​krassowski, @​minrk)

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.18.0

(Full Changelog)

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #1617 (@​zolyfarkas-fb, @​Carreau)
• Avoid redundant call to _get_os_path in _dir_model #1547 (@​joeyutong, @​vidartf)
• Allow specifying extra params to scrub from logs #1538 (@​jtpio, @​Zsailer, @​vidartf)
• Add a logger to the ExtensionPoint API #1523 (@​Zsailer, @​vidartf)
• Allow user to update identity values #1518 (@​brichet, @​minrk)
• If ServerApp.ip is ipv6 use [::1] as local_url #1495 (@​manics, @​afshin)
• Better error message when starting kernel for session. #1478 (@​Carreau, @​davidbrochart, @​krassowski, @​minrk)
• Add a traitlet to disable recording HTTP request metrics #1472 (@​yuvipanda, @​Zsailer)
• prometheus: Expose 3 activity metrics #1471 (@​yuvipanda, @​Zsailer)
• Add prometheus info metrics listing server extensions + versions #1470 (@​yuvipanda, @​Zsailer)
• Add prometheus metric with version information #1467 (@​yuvipanda, @​Zsailer)
• Don't hide .so,.dylib files by default #1457 (@​nokados, @​krassowski, @​minrk, @​vidartf)
• Better hash format error message #1442 (@​fcollonval, @​Zsailer)
• Removing excessive logging from reading local files #1420 (@​lresende, @​kevin-bates)
• Add async start hook to ExtensionApp API #1417 (@​Zsailer, @​Darshan808, @​bollwyvl, @​fcollonval, @​krassowski)
• Do not include token in dashboard link, when available #1406 (@​minrk, @​blink1073)
• Add an option to have authentication enabled for all endpoints by default #1392 (@​krassowski, @​Wh1isper, @​blink1073, @​bollwyvl, @​minrk, @​yuvipanda)
• websockets: add configurations for ping interval and timeout #1391 (@​oliver-sanders, @​blink1073)
• log extension import time at debug level unless it's actually slow #1375 (@​minrk, @​Zsailer, @​yuvipanda)
• Add support for async Authorizers (part 2) #1374 (@​Zsailer, @​blink1073)
• Support async Authorizers #1373 (@​Zsailer, @​blink1073)
• Support get file(notebook) md5 #1363 (@​Wh1isper, @​blink1073, @​bollwyvl, @​krassowski)
• Update kernel env to reflect changes in session #1354 (@​blink1073, @​Carreau, @​krassowski)
• Add resolvePath API for resolving kernel-relative paths #1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #1625 (@​Carreau)
• Fix potential unraisable pytest error #1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#1506) #1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #1569 (@​emin63, @​minrk)

... (truncated)

Commits

• 0ceed45 Publish 2.18.0
• 49b3439 Move check origin into a util function and add it to websocket (#1630)
• e2e08c8 Add test case for bad next URL format
• 624d6c0 Delete outdated patch code
• d825b93 Apply suggestion from @​minrk
• 789fed0 patch open redirect in /login
• 2ee51ec fix(CVE-2026-35397): path traversal when target dir starts with root dir
• 057869a Fix allow_origin_pat to do full matching instead of prefix matching
• 4862199 Add resolvePath API for resolving kernel-relative paths
• e31d514 Bump actions/create-github-app-token from 2 to 3 in the actions group across ...
• Additional commits viewable in compare view

Updates mistune from 3.2.0 to 3.2.1

Release notes

Sourced from mistune's releases.

v3.2.1

   🐞 Bug Fixes

• Resolve Windows compatibility issues in file inclusion and tests  -  by @​Yuki9814 (25471)
• Escape html text  -  by @​lepture (a3cb6)
• Update link reference  -  by @​lepture (85eb5)
• Handle escaped dollar signs in inline math  -  by @​saschabuehrle in lepture/mistune#370 (7bd57)
• Escape id of toc  -  by @​lepture (04880)
• Escape id of headings  -  by @​lepture (28556)
• Remove double-encoding of image alt text  -  by @​lawrence3699 (0d6f3)
• Escape xml for math plugin  -  by @​lepture (5fa09)
• Use strict regex for image's height and width  -  by @​lepture (8d0cb)

    View changes on GitHub

Changelog

Sourced from mistune's changelog.

Version 3.2.1

Released on May 3, 2026

• Escape link in render_toc_ul.
• Escape text in math plugin.
• Fix regex for math plugin.
• Escape heading's ID attribute.
• Fix LINK_TITLE_RE to prevent DoS.
• Escape class attribute for admonition directive.
• Remove double-encoding of image alt text.
• Escape class attribute for image directive.
• Fix width/height attribute for image directive.

Commits

• 067f908 chore: release 3.2.1
• bf55030 Merge pull request #438 from saschabuehrle/fix/issue-370
• 8d0cb75 fix: use strict regex for image's height and width
• 5fa092e fix: escape xml for math plugin
• 71ec947 Merge pull request #440 from lawrence3699/fix/image-alt-double-encoding
• 0d6f3d8 fix: remove double-encoding of image alt text
• 2855622 fix: escape id of headings
• 04880a0 fix: escape id of toc
• 7bd5709 fix: handle escaped dollar signs in inline math (fixes #370)
• 85eb54f fix: update link reference
• Additional commits viewable in compare view

Updates jupyter-server from 2.17.0 to 2.18.0

Release notes

Sourced from jupyter-server's releases.

v2.18.0

2.18.0

(Full Changelog)

Security patches

• CVE-2026-40110 GHSA-24qx-w28j-9m6p
• CVE-2025-61669 GHSA-qh7q-6qm3-653w
• CVE-2026-40934 GHSA-5mrq-x3x5-8v8f
• CVE-2026-35397 GHSA-5789-5fc7-67v3

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #1617 (@​zolyfarkas-fb, @​Carreau)
• Add resolvePath API for resolving kernel-relative paths #1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #1625 (@​Carreau)
• Fix potential unraisable pytest error #1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#1506) #1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #1569 (@​emin63, @​minrk)
• fix context pollution #1561 (@​dualc, @​Zsailer)
• Fix gateway cookie handling #1558 (@​kevin-bates, @​RRosio, @​lresende, @​minrk)
• fix connection exception cause high cpu load #1484 (@​dualc, @​lresende, @​minrk)

Maintenance and upkeep improvements

• Start to test on Python 3.13 and 3.14 #1623 (@​Carreau)
• Bump actions/create-github-app-token from 2 to 3 in the actions group across 1 directory #1621 (@​Carreau)
• Bump brace-expansion from 1.1.12 to 1.1.13 #1615 (@​minrk)
• Fix package spec for jupytext #1614 (@​krassowski, @​Zsailer)
• chore: update pre-commit hooks #1607 (@​minrk)
• try to fix ci on windows #1600 (@​minrk, @​krassowski)
• run prerelease tests on 3.14 #1599 (@​minrk)
• Pin sphinx to an older version (<9) to fix docs #1597 (@​krassowski, @​minrk)

... (truncated)

Changelog

Sourced from jupyter-server's changelog.

2.18.0

(Full Changelog)

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #1617 (@​zolyfarkas-fb, @​Carreau)
• Avoid redundant call to _get_os_path in _dir_model #1547 (@​joeyutong, @​vidartf)
• Allow specifying extra params to scrub from logs #1538 (@​jtpio, @​Zsailer, @​vidartf)
• Add a logger to the ExtensionPoint API #1523 (@​Zsailer, @​vidartf)
• Allow user to update identity values #1518 (@​brichet, @​minrk)
• If ServerApp.ip is ipv6 use [::1] as local_url #1495 (@​manics, @​afshin)
• Better error message when starting kernel for session. #1478 (@​Carreau, @​davidbrochart, @​krassowski, @​minrk)
• Add a traitlet to disable recording HTTP request metrics #1472 (@​yuvipanda, @​Zsailer)
• prometheus: Expose 3 activity metrics #1471 (@​yuvipanda, @​Zsailer)
• Add prometheus info metrics listing server extensions + versions #1470 (@​yuvipanda, @​Zsailer)
• Add prometheus metric with version information #1467 (@​yuvipanda, @​Zsailer)
• Don't hide .so,.dylib files by default #1457 (@​nokados, @​krassowski, @​minrk, @​vidartf)
• Better hash format error message #1442 (@​fcollonval, @​Zsailer)
• Removing excessive logging from reading local files #1420 (@​lresende, @​kevin-bates)
• Add async start hook to ExtensionApp API #1417 (@​Zsailer, @​Darshan808, @​bollwyvl, @​fcollonval, @​krassowski)
• Do not include token in dashboard link, when available #1406 (@​minrk, @​blink1073)
• Add an option to have authentication enabled for all endpoints by default #1392 (@​krassowski, @​Wh1isper, @​blink1073, @​bollwyvl, @​minrk, @​yuvipanda)
• websockets: add configurations for ping interval and timeout #1391 (@​oliver-sanders, @​blink1073)
• log extension import time at debug level unless it's actually slow #1375 (@​minrk, @​Zsailer, @​yuvipanda)
• Add support for async Authorizers (part 2) #1374 (@​Zsailer, @​blink1073)
• Support async Authorizers #1373 (@​Zsailer, @​blink1073)
• Support get file(notebook) md5 #1363 (@​Wh1isper, @​blink1073, @​bollwyvl, @​krassowski)
• Update kernel env to reflect changes in session #1354 (@​blink1073, @​Carreau, @​krassowski)
• Add resolvePath API for resolving kernel-relative paths #1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #1625 (@​Carreau)
• Fix potential unraisable pytest error #1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#1506) #1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #1569 (@​emin63, @​minrk)

... (truncated)

Commits

• 0ceed45 Publish 2.18.0
• 49b3439 Move check origin into a util function and add it to websocket (#1630)
• e2e08c8 Add test case for bad next URL format
• 624d6c0 Delete outdated patch code
• d825b93 Apply suggestion from @​minrk
• 789fed0 patch open redirect in /login
• 2ee51ec fix(CVE-2026-35397): path traversal when target dir starts with root dir
• 057869a Fix allow_origin_pat to do full matching instead of prefix matching
• 4862199 Add resolvePath API for resolving kernel-relative paths
• e31d514 Bump actions/create-github-app-token from 2 to 3 in the actions group across ...
• Additional commits viewable in compare view

Updates mistune from 3.2.0 to 3.2.1

Release notes

Sourced from mistune's releases.

v3.2.1

   🐞 Bug Fixes

• Resolve Windows compatibility issues in file inclusion and tests  -  by @​Yuki9814 (25471)
• Escape html text  -  by @​lepture (a3cb6)
• Update link reference  -  by @​lepture (85eb5)
• Handle escaped dollar signs in inline math  -  by @​saschabuehrle in lepture/mistune#370 (7bd57)
• Escape id of toc  -  by @​lepture (04880)
• Escape id of headings  -  by @​lepture (28556)
• Remove double-encoding of image alt text  -  by @​lawrence3699 (0d6f3)
• Escape xml for math plugin  -  by @​lepture (5fa09)
• Use strict regex for image's height and width  -  by @​lepture (8d0cb)

    View changes on GitHub

Changelog

Sourced from mistune's changelog.

Version 3.2.1

Released on May 3, 2026

• Escape link in render_toc_ul.
• Escape text in math plugin.
• Fix regex for math plugin.
• Escape heading's ID attribute.
• Fix LINK_TITLE_RE to prevent DoS.
• Escape class attribute for admonition directive.
• Remove double-encoding of image alt text.
• Escape class attribute for image directive.
• Fix width/height attribute for image directive.

Commits

• 067f908 chore: release 3.2.1
• bf55030 Merge pull request #438 from saschabuehrle/fix/issue-370
• 8d0cb75 fix: use strict regex for image's height and width
• 5fa092e fix: escape xml for math plugin
• 71ec947 Merge pull request #440 from lawrence3699/fix/image-alt-double-encoding
• 0d6f3d8 fix: remove double-encoding of image alt text
• 2855622 fix: escape id of headings
• 04880a0 fix: escape id of toc
• 7bd5709 fix: handle escaped dollar signs in inline math (fixes #370)
• 85eb54f fix: update link reference
• Additional commits viewable in compare view

Updates mistune from 3.2.0 to 3.2.1

Release notes

Sourced from mistune's releases.

v3.2.1

   🐞 Bug Fixes

• Resolve Windows compatibility issues in file inclusion and tests  -  by @​Yuki9814 (25471)
• Escape html text  -  by @​lepture (a3cb6)
• Update link reference  -  by @​lepture (85eb5)
• Handle escaped dollar signs in inline math  -  by @​saschabuehrle in lepture/mistune#370 (7bd57)
• Escape id of toc  -  by @​lepture (04880)
• Escape id of headings  -  by @​lepture (28556)
• Remove double-encoding of image alt text  -  by @​lawrence3699 (0d6f3)
• Escape xml for math plugin  -  by @​lepture (5fa09)
• Use strict regex for image's height and width  -  by @​lepture (8d0cb)

    View changes on GitHub

Changelog

Sourced from mistune's changelog.

Version 3.2.1

Released on May 3, 2026

• Escape link in render_toc_ul.
• Escape text in math plugin.
• Fix regex for math plugin.
• Escape heading's ID attribute.
• Fix LINK_TITLE_RE to prevent DoS.
• Escape class attribute for admonition directive.
• Remove double-encoding of image alt text.
• Escape class attribute for image directive.
• Fix width/height attribute for image directive.

Commits

• 067f908 chore: release 3.2.1
• bf55030 Merge pull request #438 from saschabuehrle/fix/issue-370
• 8d0cb75 fix: use strict regex for image's height and width
• 5fa092e fix: escape xml for math plugin
• 71ec947 Merge pull request #440 from lawrence3699/fix/image-alt-double-encoding
• 0d6f3d8 fix: remove double-encoding of image alt text
• 2855622 fix: escape id of headings
• 04880a0 fix: escape id of toc
• 7bd5709 fix: handle escaped dollar signs in inline math (fixes #370)
• 85eb54f fix: update link reference
• Additional commits viewable in compare view

Updates jupyter-server from 2.17.0 to 2.18.0

Release notes

Sourced from Description has been truncated

[dependabot]

Superseded by #2046.