Jupyter notebook changelog

A summary of changes in the Jupyter notebook. For more detailed information, see GitHub.


Use pip install notebook --upgrade or conda upgrade notebook to upgrade to the latest release.


  • Allow override of output callbacks to redirect output messages. This is used to implement the ipywidgets Output widget, for example.
  • Fix an async bug in message handling by allowing comm message handlers to return a promise which halts message processing until the promise resolves.

See the 4.4 milestone on GitHub for a complete list of issues and pull requests involved in this release.


4.3.2 is a patch release with a bug fix for CodeMirror and improved handling of the “editable” cell metadata field.

  • Monkey-patch for CodeMirror that resolves #2037 without breaking #1967
  • Read-only ("editable": false) cells can be executed but cannot be split, merged, or deleted

See the 4.3.2 milestone on GitHub for a complete list of issues and pull requests involved in this release.


4.3.1 is a patch release with a security patch, a couple bug fixes, and improvements to the newly-released token authentication.

Security fix:

  • CVE-2016-9971. Fix CSRF vulnerability, where malicious forms could create untitled files and start kernels (no remote execution or modification of existing files) for users of certain browsers (Firefox, Internet Explorer / Edge). All previous notebook releases are affected.

Bug fixes:

  • Fix carriage return handling
  • Make the font size more robust against fickle browsers
  • Ignore resize events that bubbled up and didn’t come from window
  • Add Authorization to allowed CORS headers
  • Downgrade CodeMirror to 5.16 while we figure out issues in Safari

Other improvements:

  • Better docs for token-based authentication
  • Further highlight token info in log output when autogenerated

See the 4.3.1 milestone on GitHub for a complete list of issues and pull requests involved in this release.


4.3 is a minor release with many bug fixes and improvements. The biggest user-facing change is the addition of token authentication, which is enabled by default. A token is generated and used when your browser is opened automatically, so you shouldn’t have to enter anything in the default circumstances. If you see a login page (e.g. by switching browsers, or launching on a new port with --no-browser), you get a login URL with the token from the command jupyter notebook list, which you can paste into your browser.


  • API for creating mime-type based renderer extensions using OutputArea.register_mime_type and Notebook.render_cell_output methods. See mimerender-cookiecutter for reference implementations and cookiecutter.
  • Enable token authentication by default. See Security in the Jupyter notebook server for more details.
  • Update security docs to reflect new signature system
  • Switched from term.js to xterm.js

Bug fixes:

  • Ensure variable is set if exc_info is falsey
  • Catch and log handler exceptions in events.trigger
  • Add debug log for static file paths
  • Don’t check origin on token-authenticated requests
  • Remove leftover print statement
  • Fix highlighting of Python code blocks
  • json_errors should be outermost decorator on API handlers
  • Fix remove old nbserver info files
  • Fix notebook mime type on download links
  • Fix carriage symbol bahvior
  • Fix terminal styles
  • Update dead links in docs
  • If kernel is broken, start a new session
  • Include cross-origin check when allowing login URL redirects

Other improvements:

  • Allow JSON output data with mime type “application/*+json”
  • Allow kernelspecs to have spaces in them for backward compat
  • Allow websocket connections from scripts
  • Allow None for post_save_hook
  • Upgrade CodeMirror to 5.21
  • Upgrade xterm to 2.1.0
  • Docs for using comms
  • Set dirty flag when output arrives
  • Set ws-url data attribute when accessing a notebook terminal
  • Add base aliases for nbextensions
  • Include @ operator in CodeMirror IPython mode
  • Extend mathjax_url docstring
  • Load nbextension in predictable order
  • Improve the error messages for nbextensions
  • Include cross-origin check when allowing login URL redirects

See the 4.3 milestone on GitHub for a complete list of issues and pull requests involved in this release.


4.2.3 is a small bugfix release on 4.2.

  • Fix regression in 4.2.2 that delayed loading custom.js until after notebook_loaded and app_initialized events have fired.
  • Fix some outdated docs and links.

See also

4.2.3 on GitHub.


4.2.2 is a small bugfix release on 4.2, with an important security fix. All users are strongly encouraged to upgrade to 4.2.2.

  • Security fix: CVE-2016-6524, where untrusted latex output could be added to the page in a way that could execute javascript.
  • Fix missing POST in OPTIONS responses.
  • Fix for downloading non-ascii filenames.
  • Avoid clobbering ssl_options, so that users can specify more detailed SSL configuration.
  • Fix inverted load order in nbconfig, so user config has highest priority.
  • Improved error messages here and there.

See also

4.2.2 on GitHub.


4.2.1 is a small bugfix release on 4.2. Highlights:

  • Compatibility fixes for some versions of ipywidgets
  • Fix for ignored CSS on Windows
  • Fix specifying destination when installing nbextensions

See also

4.2.1 on GitHub.


Release 4.2 adds a new API for enabling and installing extensions. Extensions can now be enabled at the system-level, rather than just per-user. An API is defined for installing directly from a Python package, as well.

Highlighted changes:

  • Upgrade MathJax to 2.6 to fix vertical-bar appearing on some equations.
  • Restore ability for notebook directory to be root (4.1 regression)
  • Large outputs are now throttled, reducing the ability of output floods to kill the browser.
  • Fix the notebook ignoring cell executions while a kernel is starting by queueing the messages.
  • Fix handling of url prefixes (e.g. JupyterHub) in terminal and edit pages.
  • Support nested SVGs in output.

And various other fixes and improvements.


Bug fixes:

  • Properly reap zombie subprocesses
  • Fix cross-origin problems
  • Fix double-escaping of the base URL prefix
  • Handle invalid unicode filenames more gracefully
  • Fix ANSI color-processing
  • Send keepalive messages for web terminals
  • Fix bugs in the notebook tour

UI changes:

  • Moved the cell toolbar selector into the View menu. Added a button that triggers a “hint” animation to the main toolbar so users can find the new location. (Click here to see a screencast )

  • Added Restart & Run All to the Kernel menu. Users can also bind it to a keyboard shortcut on action restart-kernel-and-run-all-cells.

  • Added multiple-cell selection. Users press Shift-Up/Down or Shift-K/J to extend selection in command mode. Various actions such as cut/copy/paste, execute, and cell type conversions apply to all selected cells.

  • Added a command palette for executing Jupyter actions by name. Users press Cmd/Ctrl-Shift-P or click the new command palette icon on the toolbar.

  • Added a Find and Replace dialog to the Edit menu. Users can also press F in command mode to show the dialog.


Other improvements:

  • Custom KernelManager methods can be Tornado coroutines, allowing async operations.
  • Make clearing output optional when rewriting input with set_next_input(replace=True).
  • Added support for TLS client authentication via --NotebookApp.client-ca.
  • Added tags to jupyter/notebook releases on DockerHub. latest continues to track the master branch.

See the 4.1 milestone on GitHub for a complete list of issues and pull requests handled.



  • fix installation of mathjax support files
  • fix some double-escape regressions in 4.0.5
  • fix a couple of cases where errors could prevent opening a notebook


Security fixes for maliciously crafted files.

Thanks to Jonathan Kamens at Quantopian and Juan Broullón for the reports.


  • Fix inclusion of mathjax-safe extension


  • Fix launching the notebook on Windows
  • Fix the path searched for frontend config


First release of the notebook as a standalone package.