The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML, which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (e.g. nbviewer).
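A pre-flight check a hosting service could run on an untrusted notebook before passing it to nbconvert, as an added example that is not the advisory's, nbconvert's, or this thread's own code; the set of notebook fields it scans (markdown source, text/html outputs, metadata title) is an assumption, since the page does not list the sixteen vectors:

```python
"""Pre-flight scan of an untrusted .ipynb before it is handed to nbconvert.
Added example, not code from the advisory, nbconvert, or this thread. The
scanned fields (markdown source, text/html outputs, metadata.title) are an
assumption; the advisory's full list of sixteen vectors is not on this page.
"""
import json
import re

# Heuristic: markdown may legitimately use some of these, so a hit means
# "review before publishing", not "block".
RAW_HTML = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|img|style|link|meta|form|a)\b",
    re.IGNORECASE)

def _as_text(value):
    # nbformat allows a string or a list of strings for source/text fields.
    return "".join(value) if isinstance(value, list) else str(value)

def find_raw_html(notebook_json):
    """Return (location, matched_tag) pairs for fields carrying raw HTML."""
    nb = json.loads(notebook_json)
    hits = []

    def check(location, value):
        match = RAW_HTML.search(_as_text(value))
        if match:
            hits.append((location, match.group(0)))

    check("metadata.title", nb.get("metadata", {}).get("title", ""))
    for i, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") == "markdown":
            check(f"cells[{i}].source", cell.get("source", ""))
        for j, out in enumerate(cell.get("outputs", [])):
            # text/html outputs are rendered verbatim by design, so they matter most.
            html = out.get("data", {}).get("text/html")
            if html is not None:
                check(f"cells[{i}].outputs[{j}].data[text/html]", html)
    return hits

# Constructed sample (not from the page): cells 0 and 1 should be flagged.
SAMPLE_NOTEBOOK = json.dumps({
    "metadata": {"title": "weekly report"},
    "cells": [
        {"cell_type": "markdown", "source": [
            "# Report\n", "<script src=\"https://example.invalid/x.js\"></script>\n"]},
        {"cell_type": "code", "source": "df", "outputs": [{"output_type": "display_data",
            "data": {"text/html": "<iframe src=\"https://example.invalid/\"></iframe>"}}]},
        {"cell_type": "markdown", "source": "Plain **markdown**, no tags."},
    ]})
```

Running `find_raw_html(SAMPLE_NOTEBOOK)` reports the markdown cell and the HTML output, and nothing for the plain cell; it is a triage aid, not a substitute for the sanitizer or for upgrading past the fixed version.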
This advisory says this is fixed in 6.3, but it also says only 5.5.0 was tested. Commits between 6.2.0 and 6.3.0 also don't seem relevant.
The current smallest version of nbconvert is 6.5.0-r1, so I don't think there is any need for action?
I couldn't verify the fixes were in the release that the advisory alleges, so we need to verify the advisory is correct.