A summary of changes in the Jupyter notebook. For more detailed information, see GitHub.

Tip: Use pip install notebook --upgrade or conda upgrade notebook to upgrade to the latest release.

We strongly recommend that you upgrade pip to version 9+ before upgrading notebook.

Tip: Use pip install pip --upgrade to upgrade pip. Check the pip version with pip --version.

6.1.4

Fix broken links to Jupyter documentation (PR #5686)

Add additional entries to troubleshooting section (PR #5695)

Revert change in page alignment (PR #5703)

Bug fix: remove double encoding in download files (PR #5720)

Fix typo for Check in zh_CN (PR #5730)

Require a file name in the “Save As” dialog (PR #5733)

Thank you to all the contributors:

bdbai

Jaipreet Singh

Kevin Bates

Pavel Panchekha

Zach Sailer

6.1.3

Title new buttons with label if action undefined (PR #5676)

Thank you to all the contributors:

Kyle Kelley

6.1.2

Fix Russian message format for delete/duplicate actions (PR #5662)

Remove unnecessary import of bind_unix_socket (PR #5666)

Tooltip style scope fix (PR #5672)

Thank you to all the contributors:

Dmitry Akatov

Kevin Bates

Magda Stenius

6.1.1

Prevent inclusion of requests_unixsocket on Windows (PR #5650)

Thank you to all the contributors:

Kevin Bates

6.0.3

Dependency updates to fix startup issues on Windows platform

Add support for nbconvert 6.x

Creation of recent tab

Thanks to all the contributors:

Luciano Resende

Kevin Bates

ahangsleben

Zachary Sailer

Pallavi Bharadwaj

Thomas Kluyver

Min RK

forest0

Bibo Hao

Michal Charemza

Sergey Shevelev

Shuichiro MAKIGAKI

krinsman

TPartida

Landen McDonald

Tres DuBiel

6.0.2

Update JQuery dependency to version 3.4.1 to fix security vulnerability (CVE-2019-11358)

Update CodeMirror to version 5.48.4 to fix Python formatting issues

Continue removing obsolete Python 2.x code/dependencies

Multiple documentation updates

Thanks to all the contributors:

David Robles

Jason Grout

Kerwin Sun

Kevin Bates

Kyle Kelley

Luciano Resende

Marcus D Sherman

Sasaki Takeru

Tom Jarosz

Vidar Tonaas Fauske

Wes Turner

Zachary Sailer

6.0.1

Attempt to re-establish websocket connection to Gateway (PR #4777)

Add missing react-dom js to package data (PR #4772)

Thanks to all the contributors:

Eunsoo Park

Min RK

6.0

This is the first major release of the Jupyter Notebook since version 5.0 (March 2017). We encourage users to start trying JupyterLab, which has just announced its 1.0 release, in preparation for a future transition.

Remove Python 2.x support in favor of Python 3.5 and higher.

Multiple accessibility enhancements and bug-fixes.

Multiple translation enhancements and bug-fixes.

Remove deprecated ANSI CSS styles.

Native support to forward requests to Jupyter Gateway(s) (Embedded NB2KG).

Use JavaScript to redirect users to notebook homepage.

Enhanced SSL/TLS security by using PROTOCOL_TLS which selects the highest ssl/tls protocol version available that both the client and server support. When PROTOCOL_TLS is not available use PROTOCOL_SSLv23.

Add ?no_track_activity=1 argument to allow API requests to not be registered as activity (e.g. API calls by external activity monitors).

Kernels shutting down due to an idle timeout is no longer considered an activity-updating event.

Further improve compatibility with tornado 6 with improved checks for when websockets are closed.

Launch the browser with a local file which redirects to the server address including the authentication token. This prevents another logged-in user from stealing the token from command line arguments and authenticating to the server. The single-use token previously used to mitigate this has been removed. Thanks to Dr. Owain Kenway for suggesting the local file approach.

Respect nbconvert entrypoints as sources for exporters

Update CodeMirror to 5.37, which includes f-string syntax for Python 3.6.

Update jquery-ui to 1.12

Execute cells by clicking icon in input prompt.

New “Save as” menu option.

When serving on a loopback interface, protect against DNS rebinding by checking the Host header from the browser. This check can be disabled if necessary by setting NotebookApp.allow_remote_access. (Disabled by default while we work out some Mac issues in #3754).

Add kernel_info_timeout traitlet to enable restarting slow kernels.

Add custom_display_host config option to override displayed URL.

Add /metrics endpoint for Prometheus Metrics.

Optimize large file uploads.

Allow access control headers to be overridden in jupyter_notebook_config.py to support greater CORS and proxy configuration flexibility.

Add support for terminals on Windows.

Add a “restart and run all” button to the toolbar.

Frontend/extension-config: allow default json files in a .d directory.

Allow setting token via jupyter_token env.

Cull idle kernels using --MappingKernelManager.cull_idle_timeout.

Allow read-only notebooks to be trusted.

Convert JS tests to Selenium.

Security Fixes included in previous minor releases of Jupyter Notebook and also included in version 6.0.

Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a malicious site after a successful login.

Contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019-9644), where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server. The fix involves setting the X-Content-Type-Options: nosniff header, and extending the CSRF checks previously applied to all non-GET API requests so that they also cover GET requests to API endpoints and the /files/ endpoint.

Check Host header to more securely protect localhost deployments from DNS rebinding. This is a pre-emptive measure, not fixing a known vulnerability. Use NotebookApp.allow_remote_access and NotebookApp.local_hostnames to configure access.

Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been assigned CVE-2018-14041.

Contains a security fix preventing malicious directory names from being able to execute javascript.

Contains a security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending.

Thanks to all the contributors:

AAYUSH SINHA

Aaron Hall, MBA

Abhinav Sagar

Adam Rule

Adeel Ahmad

Alex Rothberg

Amy Skerry-Ryan

Anastasis Germanidis

Andrés Sánchez

Arjun Radhakrishna

Arovit Narula

Benda Xu

Björn Grüning

Brian E. Granger

Carol Willing

Celina Kilcrease

Chris Holdgraf

Chris Miller

Ciaran Langton

Damian Avila

Dana Lee

Daniel Farrell

Daniel Nicolai

Darío Hereñú

Dave Aitken

Dave Foster

Dave Hirschfeld

Denis Ledoux

Dmitry Mikushin

Dominic Kuang

Douglas Hanley

Elliott Sales de Andrade

Emilio Talamante Lugo

Eric Perry

Ethan T. Hendrix

Evan Van Dam

Francesco Franchina

Frédéric Chapoton

Félix-Antoine Fortin

Gabriel

Gabriel Nützi

Gabriel Ruiz

Gestalt LUR

Grant Nestor

Gustavo Efeiche

Harsh Vardhan

Heng GAO

Hisham Elsheshtawy

Hong Xu

Ian Rose

Ivan Ogasawara

J Forde

Jason Grout

Jessica B. Hamrick

Jiaqi Liu

John Emmons

Josh Barnes

Karthik Balakrishnan

Kevin Bates

Kirit Thadaka

Kristian Gregorius Hustad

Kyle Kelley

Leo Gallucci

Lilian Besson

Lucas Seiki Oshiro

Luciano Resende

Luis Angel Rodriguez Guerrero

M Pacer

Maarten Breddels

Mac Knight

Madicken Munk

Maitiú Ó Ciaráin

Marc Udoff

Mathis HAMMEL

Mathis Rosenhauer

Matthias Bussonnier

Matthias Geier

Max Vovshin

Maxime Mouchet

Michael Chirico

Michael Droettboom

Michael Heilman

Michael Scott Cuthbert

Michal Charemza

Mike Boyle

Milos Miljkovic

Min RK

Miro Hrončok

Nicholas Bollweg

Nitesh Sawant

Ondrej Jariabka

Park Hae Jin

Paul Ivanov

Paul Masson

Peter Parente

Pierre Tholoniat

Remco Verhoef

Roland Weber

Roman Kornev

Rosa Swaby

Roy Hyunjin Han

Sally

Sam Lau

Samar Sultan

Shiti Saxena

Simon Biggs

Spencer Park

Stephen Ward

Steve (Gadget) Barnes

Steven Silvester

Surya Prakash Susarla

Syed Shah

Sylvain Corlay

Thomas Aarholt

Thomas Kluyver

Tim

Tim Head

Tim Klever

Tim Metzler

Todd

Tom Jorquera

Tyler Makaro

Vaibhav Sagar

Victor

Vidar Tonaas Fauske

Vu Minh Tam

Vít Tuček

Will Costello

Will Starms

William Hosford

Xiaohan Li

Yuvi Panda

ashley teoh

nullptr

5.7.8

Fix regression in restarting kernels in 5.7.5. The restart handler would return before restart was completed.

Further improve compatibility with tornado 6 with improved checks for when websockets are closed.

Fix regression in 5.7.6 on Windows where .js files could have the wrong mime-type.

Fix Open Redirect vulnerability (CVE-2019-10255) where certain malicious URLs could redirect from the Jupyter login page to a malicious site after a successful login. 5.7.7 contained only a partial fix for this issue.
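The page does not say which URLs were involved in CVE-2019-10255, so the following is the general form of a login-redirect check, as an added example that is not the notebook server's own code. The function name and the parameters base_url, request_host and allowed_origins are assumptions made for the illustration.

```python
from urllib.parse import urlparse

def safe_login_redirect(next_url, base_url="/", request_host="localhost:8888",
                        allowed_origins=()):
    """Return next_url if it stays on this server, otherwise base_url.

    base_url, request_host and allowed_origins are illustrative parameters,
    not the notebook server's own configuration names.
    """
    if not next_url:
        return base_url
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing;
    # otherwise a value can parse as a local path here yet navigate off-site.
    candidate = next_url.replace("\\", "/")
    # Browsers strip whitespace and control characters that a parser keeps.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in candidate):
        return base_url
    # Two or more leading slashes make the value scheme-relative in a browser.
    if candidate.startswith("//"):
        return base_url
    try:
        parsed = urlparse(candidate)
    except ValueError:
        return base_url
    if parsed.scheme or parsed.netloc:
        # Absolute URL: the cross-origin check. Same host or allow-listed only.
        if parsed.scheme not in ("http", "https"):
            return base_url
        origin = f"{parsed.scheme}://{parsed.netloc}".lower()
        same_host = parsed.netloc.lower() == request_host.lower()
        if not same_host and origin not in allowed_origins:
            return base_url
        return candidate
    # Relative URL: keep it inside this server's URL prefix.
    if not parsed.path.startswith(base_url):
        return base_url
    return candidate
```

Falling back to base_url rather than raising keeps a successful login working while discarding the untrusted destination.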

5.7.6

5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability (CVE-2019-9644), where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server. The fix involves setting the X-Content-Type-Options: nosniff header, and extending the CSRF checks previously applied to all non-GET API requests so that they also cover GET requests to API endpoints and the /files/ endpoint. The attacking page is able to access some contents of files when using Internet Explorer through script errors, but this has not been demonstrated with other browsers.
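One way to apply a cross-site check to GET requests and set the nosniff header, as an added example that is not the notebook server's own code. It assumes the check is a Referer comparison, that the server is mounted at "/", and that token-authenticated requests are exempt (the 4.3.0 notes mention not checking origin on token-authenticated requests); the function names are hypothetical.

```python
from urllib.parse import urlparse

# Endpoint families named in the changelog entry; a real server would also
# prepend its base URL prefix (assumption: the server is mounted at "/").
PROTECTED_PREFIXES = ("/api/", "/files/")

def referer_matches_host(headers):
    """True only if the Referer names the same host the request was sent to."""
    host = headers.get("Host", "")
    referer = headers.get("Referer", "")
    if not host or not referer:
        return False  # a missing Referer is treated as cross-site
    ref = urlparse(referer)
    return ref.scheme in ("http", "https") and ref.netloc.lower() == host.lower()

def allow_get(path, headers, token_authenticated=False):
    """Decide whether a cookie-authenticated GET may be served."""
    if not path.startswith(PROTECTED_PREFIXES):
        return True  # static assets and pages are not covered by this check
    if token_authenticated:
        # A token must be supplied explicitly by the caller; the browser does
        # not attach it automatically the way it attaches cookies.
        return True
    return referer_matches_host(headers)

def response_headers(content_type):
    """Headers for a served file: nosniff stops the browser from executing a
    response as script when its Content-Type is not a JavaScript type."""
    return {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
```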

5.7.4

5.7.4 fixes a bug introduced in 5.7.3, in which the list_running_servers() function attempts to parse HTML files as JSON, and consequently crashes (PR #4284).

5.7.3

5.7.3 contains one security improvement and one security fix:

Launch the browser with a local file which redirects to the server address including the authentication token (PR #4260). This prevents another logged-in user from stealing the token from command line arguments and authenticating to the server. The single-use token previously used to mitigate this has been removed. Thanks to Dr. Owain Kenway for suggesting the local file approach.

Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been assigned CVE-2018-14041 (PR #4271).
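The local-file launch described in the first 5.7.3 item (and in the 6.0 notes), as an added sketch that is not the notebook server's own code. The file name, function names, sample token and browser name are constructed for the illustration.

```python
import html
import os
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlencode

def write_open_file(server_url, token, runtime_dir):
    """Create an owner-only HTML file that redirects to server_url with the token."""
    target = html.escape(f"{server_url}?{urlencode({'token': token})}")
    page = (
        '<!DOCTYPE html>\n<html><head><meta charset="utf-8">\n'
        f'<meta http-equiv="refresh" content="0;url={target}">\n'
        "<title>Opening Jupyter Notebook</title></head>\n"
        f'<body><a href="{target}">Continue to the notebook</a></body></html>\n'
    )
    # Hypothetical file name; the pid keeps concurrent servers apart.
    path = os.path.join(runtime_dir, f"nbserver-open-{os.getpid()}.html")
    # O_EXCL refuses a pre-existing file or symlink; mode 0o600 keeps other
    # users out from the moment the file exists, with no gap before a chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(page)
    return path

def browser_argv(browser, open_file):
    """argv for the browser process: a file:// URL, never the token itself."""
    return [browser, Path(open_file).as_uri()]

def demo():
    """Build the file in a private temp dir (constructed values) and report."""
    token = "0123456789abcdef0123456789abcdef"  # constructed sample token
    with tempfile.TemporaryDirectory() as runtime_dir:
        path = write_open_file("http://localhost:8888/tree", token, runtime_dir)
        argv = browser_argv("firefox", path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        body = Path(path).read_text(encoding="utf-8")
    return {"token_in_argv": any(token in arg for arg in argv),
            "mode": oct(mode), "token_in_file": token in body}
```

Process arguments are visible to other local users through the process list, while the file's contents are readable only by its owner.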

5.7.2

5.7.2 contains a security fix preventing malicious directory names from being able to execute javascript. CVE request pending.

5.7.1

5.7.1 contains a security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending.

5.4.1

A security release to fix CVE-2018-8768. Thanks to Alex for identifying this bug, and Jonathan Kamens and Scott Sanderson at Quantopian for verifying it and bringing it to our attention.

5.3.1

Replaced a symlink in the repository with a copy, to fix issues installing on Windows (PR #3220).

4.4.0

Allow override of output callbacks to redirect output messages. This is used to implement the ipywidgets Output widget, for example.

Fix an async bug in message handling by allowing comm message handlers to return a promise which halts message processing until the promise resolves.

See the 4.4 milestone on GitHub for a complete list of issues and pull requests involved in this release.

4.3.2

4.3.2 is a patch release with a bug fix for CodeMirror and improved handling of the “editable” cell metadata field.

Monkey-patch for CodeMirror that resolves #2037 without breaking #1967

Read-only ("editable": false) cells can be executed but cannot be split, merged, or deleted

See the 4.3.2 milestone on GitHub for a complete list of issues and pull requests involved in this release.

4.3.1

4.3.1 is a patch release with a security patch, a couple of bug fixes, and improvements to the newly-released token authentication.

Security fix:

CVE-2016-9971. Fix CSRF vulnerability, where malicious forms could create untitled files and start kernels (no remote execution or modification of existing files) for users of certain browsers (Firefox, Internet Explorer / Edge). All previous notebook releases are affected.

Bug fixes:

Fix carriage return handling

Make the font size more robust against fickle browsers

Ignore resize events that bubbled up and didn’t come from window

Add Authorization to allowed CORS headers

Downgrade CodeMirror to 5.16 while we figure out issues in Safari

Other improvements:

Better docs for token-based authentication

Further highlight token info in log output when autogenerated

See the 4.3.1 milestone on GitHub for a complete list of issues and pull requests involved in this release.

4.3.0

4.3 is a minor release with many bug fixes and improvements. The biggest user-facing change is the addition of token authentication, which is enabled by default. A token is generated and used when your browser is opened automatically, so you shouldn’t have to enter anything in the default circumstances. If you see a login page (e.g. by switching browsers, or launching on a new port with --no-browser), you get a login URL with the token from the command jupyter notebook list, which you can paste into your browser.

Highlights:

API for creating mime-type based renderer extensions using OutputArea.register_mime_type and Notebook.render_cell_output methods. See mimerender-cookiecutter for reference implementations and cookiecutter.

Enable token authentication by default. See Security in the Jupyter notebook server for more details.

Update security docs to reflect new signature system

Switched from term.js to xterm.js

Bug fixes:

Ensure variable is set if exc_info is falsey

Catch and log handler exceptions in events.trigger

Add debug log for static file paths

Don’t check origin on token-authenticated requests

Remove leftover print statement

Fix highlighting of Python code blocks

json_errors should be outermost decorator on API handlers

Fix remove old nbserver info files

Fix notebook mime type on download links

Fix carriage symbol behavior

Fix terminal styles

Update dead links in docs

If kernel is broken, start a new session

Include cross-origin check when allowing login URL redirects

Other improvements:

Allow JSON output data with mime type application/*+json

Allow kernelspecs to have spaces in them for backward compat

Allow websocket connections from scripts

Allow None for post_save_hook

Upgrade CodeMirror to 5.21

Upgrade xterm to 2.1.0

Docs for using comms

Set dirty flag when output arrives

Set ws-url data attribute when accessing a notebook terminal

Add base aliases for nbextensions

Include @ operator in CodeMirror IPython mode

Extend mathjax_url docstring

Load nbextension in predictable order

Improve the error messages for nbextensions

Include cross-origin check when allowing login URL redirects

See the 4.3 milestone on GitHub for a complete list of issues and pull requests involved in this release.

4.2.3

4.2.3 is a small bugfix release on 4.2.

Highlights:

Fix regression in 4.2.2 that delayed loading custom.js until after notebook_loaded and app_initialized events have fired.

Fix some outdated docs and links.

See also 4.2.3 on GitHub.

4.2.2

4.2.2 is a small bugfix release on 4.2, with an important security fix. All users are strongly encouraged to upgrade to 4.2.2.

Highlights:

Security fix: CVE-2016-6524, where untrusted latex output could be added to the page in a way that could execute javascript.

Fix missing POST in OPTIONS responses.

Fix for downloading non-ascii filenames.

Avoid clobbering ssl_options, so that users can specify more detailed SSL configuration.

Fix inverted load order in nbconfig, so user config has highest priority.

Improved error messages here and there.

See also 4.2.2 on GitHub.

4.2.1

4.2.1 is a small bugfix release on 4.2.

Highlights:

Compatibility fixes for some versions of ipywidgets

Fix for ignored CSS on Windows

Fix specifying destination when installing nbextensions

See also 4.2.1 on GitHub.

4.2.0

Release 4.2 adds a new API for enabling and installing extensions. Extensions can now be enabled at the system-level, rather than just per-user. An API is defined for installing directly from a Python package, as well. See also Distributing Jupyter Extensions as Python Packages.

Highlighted changes:

Upgrade MathJax to 2.6 to fix vertical-bar appearing on some equations.

Restore ability for notebook directory to be root (4.1 regression)

Large outputs are now throttled, reducing the ability of output floods to kill the browser.

Fix the notebook ignoring cell executions while a kernel is starting by queueing the messages.

Fix handling of url prefixes (e.g. JupyterHub) in terminal and edit pages.

Support nested SVGs in output.

And various other fixes and improvements.

4.1.0

Bug fixes:

Properly reap zombie subprocesses

Fix cross-origin problems

Fix double-escaping of the base URL prefix

Handle invalid unicode filenames more gracefully

Fix ANSI color-processing

Send keepalive messages for web terminals

Fix bugs in the notebook tour

UI changes:

Moved the cell toolbar selector into the View menu. Added a button that triggers a “hint” animation to the main toolbar so users can find the new location. (Click here to see a screencast)

Added Restart & Run All to the Kernel menu. Users can also bind it to a keyboard shortcut on action restart-kernel-and-run-all-cells.

Added multiple-cell selection. Users press Shift-Up/Down or Shift-K/J to extend selection in command mode. Various actions such as cut/copy/paste, execute, and cell type conversions apply to all selected cells.

Added a command palette for executing Jupyter actions by name. Users press Cmd/Ctrl-Shift-P or click the new command palette icon on the toolbar.

Added a Find and Replace dialog to the Edit menu. Users can also press F in command mode to show the dialog.

Other improvements:

Custom KernelManager methods can be Tornado coroutines, allowing async operations.

Make clearing output optional when rewriting input with set_next_input(replace=True).

Added support for TLS client authentication via --NotebookApp.client-ca.

Added tags to jupyter/notebook releases on DockerHub. latest continues to track the master branch.

See the 4.1 milestone on GitHub for a complete list of issues and pull requests handled.