Vulnerability Scanning and Remediation Before Official Release

[ianpittwood]

Task: Before transitioning this product from public preview to official release, perform comprehensive vulnerability scanning and remediation of all CRITICAL and HIGH level vulnerabilities found.

• Run the latest vulnerability scans against all relevant images and dependencies
• Prioritize remediation of all CRITICAL and HIGH findings
• Document all remediation steps and validate effectiveness
• Confirm no CRITICAL/HIGH vulnerabilities remain (or document and justify any exceptions)
• Indicate readiness for production release after remediation

This is a release-blocking requirement to ensure the security posture of the software.

[ianpittwood]

As of 04/15/2026, all vulnerabilities in workbench-session-init are related to either the session init binaries or extensions of VS Code and Positron. We should advise the team to upgrade the Go version used to build the init binaries as it would resolve a majority of the critical vulnerabilities.

[ianpittwood]

As of 04/15/2026, several vulnerabilities in Workbench are from image additions:

• Jupyter
  • CVE-2024-29415 (part of staging)
  • CVE-2017-18214 (part of tests)
  • CVE-2025-59840 (part of staging)
  • CVE-2025-64756 (part of staging)
  • CVE-2026-26996 (part of staging)
  • CVE-2024-21538 (part of tests)
  • CVE-2026-4800 (part of tests)
  • CVE-2026-26996 (part of tests)
  • CVE-2026-27903 (part of tests)
  • CVE-2024-29415 (pwb_jupyterlab)
  • CVE-2025-66648 (part of staging)

All of the above are related to either test modules or are from vulnerable Node JS packages that JupyterLab uses. We'll need to search for whether they have been noticed or patched upstream yet.

All remaining CRITICAL and HIGH vulnerabilities are related to Workbench binaries, Quarto, Positron, VS Code, or their extensions.

[ianpittwood]

As of 04/21/2026, all vulnerabilities in workbench-positron-init are related to session init binaries or extensions of VS Code and Positron.

[ianpittwood]

As of 04/21/2026, several vulnerabilities in workbench-session are from image additions:

• Jupyter
  • CVE-2024-29415 (part of staging)
  • CVE-2017-18214 (part of tests)
  • CVE-2025-59840 (part of staging)
  • CVE-2025-64756 (part of staging)
  • CVE-2026-26996 (part of staging)
  • CVE-2024-21538 (part of tests)
  • CVE-2026-4800 (part of tests)
  • CVE-2026-26996 (part of tests)
  • CVE-2026-27903 (part of tests)
  • CVE-2026-27904 (part of staging)
  • CVE-2024-29415 (pwb_jupyterlab)
  • CVE-2025-66648 (part of staging)
  • CVE-2025-12758 (pwb_jupyterlab -> jupyterlab/buildutils where patch is still in alpha)
  • CVE-2022-21680 (part of tests)
  • CVE-2022-21681 (part of tests)
  • CVE-2026-33937 (part of staging)
  • CVE-2026-24842 (part of staging)
  • CVE-2022-25887 (part of tests)
  • CVE-2026-33671 (part of staging)

All other vulnerabilities are related to Quarto.

[ianpittwood]

A large majority of JupyterLab related CVEs should be resolved by #80.

Marking blocked until we receive further updates from Security on Wiz scanning configuration changes.