Hello community,
here is the log from the commit of package python-nbclassic for
openSUSE:Factory checked in at 2026-03-26 21:10:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-nbclassic (Old)
and /work/SRC/openSUSE:Factory/.python-nbclassic.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-nbclassic"
Thu Mar 26 21:10:13 2026 rev:27 rq:1342836 version:1.3.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-nbclassic/python-nbclassic.changes
2025-06-12 15:55:55.763822493 +0200
+++
/work/SRC/openSUSE:Factory/.python-nbclassic.new.8177/python-nbclassic.changes
2026-03-27 06:48:23.967234277 +0100
@@ -1,0 +2,44 @@
+Thu Mar 26 12:19:35 UTC 2026 - Daniel Garcia <[email protected]>
+
+- Add CVE-2026-27601.patch to force usage of underscore >= 1.13.8 and
+ revendor node_modules.tar.xz
+
+ (CVE-2026-27601, bsc#1259165)
+
+-------------------------------------------------------------------
+Thu Feb 12 10:56:31 UTC 2026 - Daniel Garcia <[email protected]>
+
+- Update to 1.3.3:
+ - Copy static assets to legacy paths for notebook 6 compatibility
+ ### Maintenance and upkeep improvements
+ - Bump actions/create-github-app-token from 2.1.1 to 2.1.4
+ - Copy static assets to legacy paths for notebook 6 compatibility
+ - Bump actions/setup-node from 4.4.0 to 5.0.0
+ - Bump actions/setup-python from 5.6.0 to 6.0.0
+- 1.3.2
+ - Bump actions/create-github-app-token from 2.1.0 to 2.1.1
+ - Bump actions/checkout from 4.2.2 to 5.0.0
+ - Bump actions/download-artifact from 4.3.0 to 5.0.0
+ - Bump actions/create-github-app-token from 2.0.6 to 2.1.0
+ - Bump actions/cache from 4.2.3 to 4.2.4
+ - Migrate google-caja to npm
+ - Migrate react and react-dom to npm
+ - Migrate codemirror to npm
+ - Migrate requirejs dependencies to npm
+ - Migrate es6-promise
+ - Migrate marked to npm
+ - Fix jquery npm migration
+ - Migrate MathJax to npm
+ - Migration of jquery, jquery-ui and jquery-typeahead to npm
+ - Partial migration of JS dependencies to npm
+ - Migrate font-awesome dependency to npm
+ - Bump pandoc/actions from 1.1.0 to 1.1.1
+ - Bump jupyter-server/jupyter_releaser from
+ 45ee32c387085d5f1df41da443ade8b952a9dac6 to
+ 6accaa3c07b69acaa1e14e00ba138133d8cbe879
+ - Bump jupyterlab/maintainer-tools from 0.28.0 to 0.28.1
+ - Bump actions/setup-python from 5.3.0 to 5.6.0
+ - Improve GitHub Action security
+ - Update release process in to steps
+
+-------------------------------------------------------------------
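Review bot: The 1.3.3 entry lists "Copy static assets to legacy paths for notebook 6 compatibility" twice and carries over a raw "### Maintenance and upkeep improvements" markdown heading from the upstream release notes; drop the duplicate and the heading. The CVE-2026-27601 entry says the patch forces underscore >= 1.13.8, but the fix depends on what the revendored node_modules.tar.xz contains, so the entry should state the underscore version that ended up in the tarball. The upstream CI-only "Bump actions/..." lines and "Update release process in to steps" (typo) do not affect the packaged result and could be trimmed.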
Old:
----
nbclassic-1.3.1-gh.tar.gz
New:
----
CVE-2026-27601.patch
nbclassic-1.3.3-gh.tar.gz
----------(New B)----------
New:
- Add CVE-2026-27601.patch to force usage of underscore >= 1.13.8 and
revendor node_modules.tar.xz
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-nbclassic.spec ++++++
--- /var/tmp/diff_new_pack.gOGAJB/_old 2026-03-27 06:48:24.711264915 +0100
+++ /var/tmp/diff_new_pack.gOGAJB/_new 2026-03-27 06:48:24.715265081 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-nbclassic
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -27,9 +27,9 @@
# this conditional is used in the python-rpm-macros, but `osc build --without
libalternatives` won't work
%bcond_without libalternatives
# 1.1.0 gets abbreviated by pythondistdeps
-%define shortversion 1.3.1
+%define shortversion 1.3.3
Name: python-nbclassic%{psuffix}
-Version: 1.3.1
+Version: 1.3.3
Release: 0
Summary: Jupyter Notebook as a Jupyter Server Extension
License: BSD-3-Clause
@@ -39,6 +39,9 @@
# Contains high vulnerability issues according to npm audit. Nothing of it
lands in the built packages.
Source1: node_modules.tar.xz
Source2: create_node_modules.sh
+# PATCH-FIX-UPSTREAM CVE-2026-27601.patch bsc#1259165
+# Update underscore dep in package.json
+Patch0: CVE-2026-27601.patch
BuildRequires: %{python_module Babel}
BuildRequires: %{python_module base >= 3.10}
BuildRequires: %{python_module hatch-jupyter-builder}
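Review bot: The context comment above Source1 still says "Nothing of it lands in the built packages", which no longer matches this update: a CVE patch is added for a dependency in that tarball, and the %build section now symlinks node_modules directories into nbclassic/static/components. Update the comment to say which parts of node_modules.tar.xz are shipped and which are build-only, so the next security review of this package knows what to audit. The PATCH-FIX-UPSTREAM tag on Patch0 also has no upstream reference; add the upstream commit or pull request, or use a different tag if the change is distribution-only.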
@@ -100,11 +103,18 @@
%prep
%autosetup -p1 -n nbclassic-%{version} -a1
-sed -i "s/npm run yarn && //" package.json
-ln -s $PWD/node_modules/@bower_components/ nbclassic/static/components
%build
+sed -i "s/npm run yarn && //" package.json
export HATCH_JUPYTER_BUILDER_SKIP_NPM=1
+
+# Link components
+mkdir -p nbclassic/static/components
+for c in $(cat node_modules/components.txt)
+do
+ LOWER=$(echo "$c" | tr '[:upper:]' '[:lower:]')
+ ln -s $PWD/node_modules/$LOWER nbclassic/static/components/$c
+done
%pyproject_wheel
%if !%{with test}
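Review bot: The new loop in %build never checks that the lowercased target exists, so a name in components.txt with no matching node_modules/$LOWER directory produces a dangling symlink and the build continues without the component. Test the target first (for example `[ -d "node_modules/$LOWER" ] || exit 1`) and quote the expansions in `ln -s $PWD/node_modules/$LOWER nbclassic/static/components/$c`. Reading the file with `while IFS= read -r c; do ... done < node_modules/components.txt` avoids the word splitting and globbing of `$(cat ...)`. The symlinks also point at an absolute $PWD path inside the build directory; confirm that the wheel build dereferences them rather than packaging links to the build root.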
++++++ CVE-2026-27601.patch ++++++
Index: nbclassic-1.3.3/package.json
===================================================================
--- nbclassic-1.3.3.orig/package.json
+++ nbclassic-1.3.3/package.json
@@ -77,7 +77,12 @@
"requirejs-plugins": "~1.0.2",
"requirejs-text": "~2.0.16",
"text-encoding": "~0.1",
- "underscore": "~1.13.7"
+ "underscore": "~1.13"
+ },
+ "overrides": {
+ "backbone": {
+ "underscore": "$underscore"
+ }
},
"engines": {
"yarn": "^1.22.22",
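Review bot: The new range `"underscore": "~1.13"` does not enforce the floor the changelog claims: `~1.13` matches any 1.13.x, including versions below 1.13.8, whereas the old `~1.13.7` at least excluded everything before 1.13.7. Use `"~1.13.8"` (or `">=1.13.8 <1.14"`) so the constraint itself documents and enforces the fixed version. The `overrides` block with the `"$underscore"` reference is npm syntax, while the engines field here names yarn ^1.22.22 and create_node_modules.sh runs `yarn install`; Yarn 1 reads `resolutions`, not `overrides`, so the backbone pin may have no effect on the vendored tree. Add a matching `resolutions` entry or confirm which underscore copy backbone resolves to in the regenerated node_modules.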
++++++ create_node_modules.sh ++++++
--- /var/tmp/diff_new_pack.gOGAJB/_old 2026-03-27 06:48:24.799268539 +0100
+++ /var/tmp/diff_new_pack.gOGAJB/_new 2026-03-27 06:48:24.803268704 +0100
@@ -2,8 +2,26 @@
#
# Script to create node_modules.tar.xz
# needs bower, webpack and webpack-cli installed
+# Make sure to apply all patches before running this script
+#
+# quilt setup python-nbclassic.spec
+# cd python-nbclassic-1.3.3-build/nbclassic-1.3.3
+# quilt push -a
+# bash ../../create_node_modules.sh
+
+export PATH="node_modules/.bin:$PATH"
+rm yarn.lock
yarn install
yarn run build
+# Copy components
+pushd nbclassic/static/components/
+for i in $(find . -type d)
+do
+ cp -rf $i ../../../node_modules
+done
+ls > ../../../node_modules/components.txt
+popd
+
tar cJf node_modules.tar.xz node_modules
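Review bot: The copy loop uses `find . -type d` with no depth limit, so it yields `.` itself and every nested directory; the first iteration copies the whole components tree and later iterations flatten nested subdirectories into the top level of node_modules, where they can overwrite real packages of the same name. Restrict it with `find . -mindepth 1 -maxdepth 1 -type d` and quote `"$i"`. `rm yarn.lock` also discards every pinned version, not only underscore, so each regeneration of the tarball can pull different transitive dependencies; prefer updating the lock entry for underscore, or commit the resulting yarn.lock alongside the tarball. Since this script is what delivers the CVE fix, add a check before `tar` that fails if any underscore package.json in node_modules reports a version below 1.13.8.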
++++++ nbclassic-1.3.1-gh.tar.gz -> nbclassic-1.3.3-gh.tar.gz ++++++
/work/SRC/openSUSE:Factory/python-nbclassic/nbclassic-1.3.1-gh.tar.gz
/work/SRC/openSUSE:Factory/.python-nbclassic.new.8177/nbclassic-1.3.3-gh.tar.gz
differ: char 12, line 1
++++++ node_modules.tar.xz ++++++
/work/SRC/openSUSE:Factory/python-nbclassic/node_modules.tar.xz
/work/SRC/openSUSE:Factory/.python-nbclassic.new.8177/node_modules.tar.xz
differ: char 15, line 1