Python: Bump nbconvert from 7.17.0 to 7.17.1 in /python

[dependabot]

Bumps nbconvert from 7.17.0 to 7.17.1.

Release notes

Sourced from nbconvert's releases.

v7.17.1

7.17.1

This is a security release, fixing two CVEs:

• CVE-2026-39377
• CVE-2026-39378

(full advisories will be published seven days after release, on 2026-04-14).

(Full Changelog)

Enhancements made

• Allow configureable WebPDF JavaScript processing timeout #2250 (@​timkpaine, @​Carreau)

Bugs fixed

• Fix PermissionError when checking template paths on shared filesystems #2252 (@​ctcjab, @​krassowski)
• Tweak webpdf template logic to fix duplicate extension problem #2249 (@​timkpaine, @​Carreau)

Maintenance and upkeep improvements

• specify python version for pre #2276 (@​minrk, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​akhmerov (activity) | @​bollwyvl (activity) | @​Carreau (activity) | @​ctcjab (activity) | @​davidbrochart (activity) | @​Ken-B (activity) | @​krassowski (activity) | @​mgeier (activity) | @​minrk (activity) | @​mpacer (activity) | @​MSeal (activity) | @​SylvainCorlay (activity) | @​takluyver (activity) | @​timkpaine (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.1

This is a security release, fixing two CVEs:

• CVE-2026-39377
• CVE-2026-39378

(full advisories will be published seven days after release, on 2026-04-14).

(Full Changelog)

Enhancements made

• Allow configureable WebPDF JavaScript processing timeout #2250 (@​timkpaine, @​Carreau)

Bugs fixed

• Fix PermissionError when checking template paths on shared filesystems #2252 (@​ctcjab, @​krassowski)
• Tweak webpdf template logic to fix duplicate extension problem #2249 (@​timkpaine, @​Carreau)

Maintenance and upkeep improvements

• specify python version for pre #2276 (@​minrk, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​akhmerov (activity) | @​bollwyvl (activity) | @​Carreau (activity) | @​ctcjab (activity) | @​davidbrochart (activity) | @​Ken-B (activity) | @​krassowski (activity) | @​mgeier (activity) | @​minrk (activity) | @​mpacer (activity) | @​MSeal (activity) | @​SylvainCorlay (activity) | @​takluyver (activity) | @​timkpaine (activity)

Commits

• 78ed308 Publish 7.17.1
• f090a64 ruff format
• b3b6ec0 chore: update pre-commit hooks (#2277)
• be4841f ignore silly security lint in tests
• 26d57b2 fix type annotation on Lexer
• 0e6b8cc Merge commit from fork
• ba5e5cd Merge commit from fork
• 1db0c88 Specify python version for pre (#2276)
• 7473fc3 chore: update pre-commit hooks (#2242)
• 4322f7f Bump the actions group across 1 directory with 2 updates (#2273)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Automated Code Review

Reviewers: 4 | Confidence: 92%

✓ Correctness

This is a straightforward lockfile update (uv.lock) reflecting widened version bounds for several dependencies: nbconvert patch bump (7.17.0→7.17.1), chromadb (<1.1→<1.4), ipykernel (=6.29→>=6.29,<8.0), pydantic (<2.12→<2.13), pymongo (<4.15→<4.16), and redis (=6.0→>=6,<8). All changes in the lockfile are consistent with the specifiers in pyproject.toml. No correctness issues found.

✓ Security Reliability

This diff updates the auto-generated uv.lock file with routine dependency version bumps and constraint relaxations. Changes include: nbconvert 7.17.0→7.17.1 (patch fix), and widened upper bounds for chromadb (<1.1→<1.4), ipykernel (=6.29→>=6.29,<8.0), pydantic (<2.12→<2.13), pymongo (<4.15→<4.16), and redis (=6.0→>=6,<8). All hashes are updated correspondingly. These are standard dependency maintenance changes with no security or reliability concerns — the lockfile is machine-generated by uv and the integrity hashes ensure supply-chain safety.

✓ Test Coverage

This PR only modifies python/uv.lock to bump dependency version ranges (nbconvert 7.17.0→7.17.1, chromadb <1.1→<1.4, ipykernel ~=6.29→>=6.29<8.0, pydantic <2.12→<2.13, pymongo <4.15→<4.16, redis ~=6.0→>=6<8). These are lock file updates reflecting already-present pyproject.toml constraint changes. No new code behavior is introduced, so no new tests are needed. The existing test suite serves as the compatibility validation for these wider version ranges.

✓ Design Approach

This PR relaxes upper version bounds for several dependencies: redis (=6.0 → >=6,<8), ipykernel (=6.29 → >=6.29,<8.0), chromadb (<1.1 → <1.4), pydantic (<2.12 → <2.13), pymongo (<4.15 → <4.16), and updates nbconvert to 7.17.1. The design approach is sound: loosening upper bounds to track compatible releases while using the lock file for reproducible pining. The redis expansion is the most significant change. Verified that the primary redis connector (redis.py) already uses the modern snake_case index_definition module path, which works in both redis 6.x and 7.x. Note that in practice redisvl 0.15.0 (the resolved version) declares redis < 7.2, so the effective resolved redis ceiling is 6.4.0 — the < 8 bound in pyproject.toml is forward-looking but not currently reachable without a redisvl upgrade. There is a pre-existing (not introduced here) broken import in the legacy redis_memory_store.py that uses the old camelCase indexDefinition module path which doesn't exist in redis ≥ 6, but that issue predates this PR. No blocking design problems found.

Suggestions

• The redis upper bound is expanded to <8 but the co-declared redisvl ~= 0.4 dependency resolves to redisvl 0.15.0 whose own constraint is redis < 7.2, silently capping the effective redis ceiling at 6.x/early-7.x in the lock file. If the intent is to actually adopt redis 7.x, consider also updating the redisvl pin so the resolver can pick redisvl 0.18.0 (which allows redis < 8.0). Otherwise the redis <8 bound is aspirational but not currently active.

---

Automated review by dependabot[bot]'s agents