[rhoai-2.25] fix(cve): CVE-2026-32274 - black#2128

Merged
jiridanek merged 1 commit into red-hat-data-services:rhoai-2.25 from crackcodecamp:fix/cve-2026-32274-black-rhoai-2.25-attempt-1 on Apr 16, 2026

Conversation

@crackcodecamp crackcodecamp commented Apr 15, 2026

  • Update black from 25.12.0 to 26.3.1
  • Addresses arbitrary file writes from unsanitized user input in cache file name
  • Added override-dependencies entry for black>=26.3.1 in all affected pyproject.toml
  • Updated pylock.toml with new version hashes for all 7 affected workbench images
  • Affected images: datascience, trustyai, tensorflow, rocm/tensorflow, rocm/pytorch, pytorch, pytorch+llmcompressor
  • CVSS 8.7 (High)

Resolves: RHOAIENG-53183, RHOAIENG-53184, RHOAIENG-53185, RHOAIENG-53186, RHOAIENG-53187, RHOAIENG-53188, RHOAIENG-53189

Summary by CodeRabbit

  • Chores
    • Updated Black code formatter to version 26.3.1 across all Jupyter environment configurations (datascience, PyTorch, TensorFlow, ROCm, and TrustyAI).

- Update black from 25.12.0 to 26.3.1
- Addresses arbitrary file writes from unsanitized user input in cache file name
- Added override-dependencies entry for black>=26.3.1 in all affected pyproject.toml
- Updated pylock.toml with new version hashes for all 7 affected workbench images
- Affected images: datascience, trustyai, tensorflow, rocm/tensorflow, rocm/pytorch, pytorch, pytorch+llmcompressor
- CVSS 8.7 (High)

Resolves: RHOAIENG-53183, RHOAIENG-53184, RHOAIENG-53185, RHOAIENG-53186, RHOAIENG-53187, RHOAIENG-53188, RHOAIENG-53189

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
@crackcodecamp — This PR is from a fork.
The build-rhoai CI job was skipped because subscription
builds (RHEL, AIPCC) need secrets unavailable to forks.
ODH builds and code quality checks still ran.

Recommended: Push your branch to the main repo for full CI:

git remote add upstream https://github.com/red-hat-data-services/notebooks.git
git push upstream HEAD:crackcodecamp/your-branch-name

Then open a new PR from that branch.

No push access? A maintainer will cherry-pick and test your changes.

See CONTRIBUTING.md for details.

coderabbitai Bot commented Apr 15, 2026

Walkthrough

This PR upgrades the black code formatter from version 25.12.0 to 26.3.1 across all UBI9-Python-3.12 Docker image configurations by updating both lock files with new artifact hashes and project configuration files with updated version overrides.

Changes

Cohort / File(s) Summary
Lock File Updates
jupyter/*/ubi9-python-3.12/pylock.toml
Updated black package entries from version 25.12.0 to 26.3.1, replacing sdist metadata (URL, upload time, size, SHA256) and all wheel artifacts (across CPython/ABI/platform targets including py3-none-any) with new 26.3.1 wheel URLs and hashes.
Dependency Override Configuration
jupyter/*/ubi9-python-3.12/pyproject.toml
Extended [tool.uv].override-dependencies list to include black>=26.3.1 across all image configurations (datascience, pytorch+llmcompressor, pytorch, rocm/pytorch, rocm/tensorflow, tensorflow, trustyai).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

review-requested

Suggested reviewers

  • dibryant
  • daniellutz
Pre-merge checks: 3 passed

Description check: Passed. The description comprehensively covers the key aspects: what was changed (black upgrade), why (CVE details), how (override-dependencies and pylock updates), which images were affected, and references linked issues.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check: Passed. The title clearly and specifically identifies the main change: upgrading Black to address CVE-2026-32274, which is the primary purpose across all modified files.

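The PR description and the walkthrough above both describe the same two-part fix: an `override-dependencies` entry of `black>=26.3.1` in each image's `pyproject.toml`, and a matching `black` 26.3.1 entry in each `pylock.toml`. The following is an added example, not code from this PR or from the notebooks repository, showing how a reviewer can confirm that both files of an image actually carry the fixed version rather than trusting the description. The TOML fragments are constructed samples with a placeholder URL and hash; the `[[packages]]`/`name`/`version`/`sdist` layout of `pylock.toml` is assumed from PEP 751, and `tomllib` (Python 3.11+) is used for parsing.

```python
# Added example (not code from the PR or the notebooks repository): verify that a
# workbench image's pyproject.toml override and its pylock.toml lock both carry
# black at or above the version the PR names as fixing CVE-2026-32274.
import re

try:
    import tomllib                      # Python 3.11+
except ModuleNotFoundError:             # pragma: no cover
    import tomli as tomllib             # type: ignore

FIXED_BLACK = "26.3.1"   # from the PR: black >= 26.3.1

# Constructed sample fragments standing in for the real files. A real
# pylock.toml also lists every wheel with its own hash; that is omitted here,
# and the URL/hash below are placeholders, not real artifact values.
SAMPLE_PYPROJECT = """
[tool.uv]
override-dependencies = [
    "black>=26.3.1",
    "some-other-lib==1.0.0",
]
"""

SAMPLE_PYLOCK = """
lock-version = "1.0"

[[packages]]
name = "black"
version = "26.3.1"
[packages.sdist]
url = "https://example.invalid/black-26.3.1.tar.gz"
hashes = { sha256 = "<sha256-placeholder>" }

[[packages]]
name = "requests"
version = "2.32.3"
"""

# Same pyproject with the pre-fix lower bound, to show the check failing.
STALE_PYPROJECT = SAMPLE_PYPROJECT.replace("black>=26.3.1", "black>=25.12.0")


def normalize(name: str) -> str:
    """PEP 503 name normalization so Black / black / BLACK compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_tuple(version: str) -> tuple:
    """Compare only the dotted release segment: '26.3.1' -> (26, 3, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group().split("."))


# name, operator, version of a simple requirement string such as "black>=26.3.1"
SPEC_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(>=|==|~=|>)\s*([0-9][\w.+-]*)")


def override_satisfies(pyproject_text: str, package: str, fixed: str) -> bool:
    """True if [tool.uv].override-dependencies forces `package` to >= `fixed`.

    Only lower-bound style specifiers (>=, ==, ~=, >) count; a missing entry or
    an upper bound alone is treated as not fixed, which is the safe default.
    """
    data = tomllib.loads(pyproject_text)
    entries = data.get("tool", {}).get("uv", {}).get("override-dependencies", [])
    for entry in entries:
        m = SPEC_RE.match(entry)
        if not m or normalize(m.group(1)) != normalize(package):
            continue
        if release_tuple(m.group(3)) >= release_tuple(fixed):
            return True
    return False


def locked_version(pylock_text: str, package: str):
    """Version pinned for `package` in a PEP 751 pylock.toml, or None if absent."""
    data = tomllib.loads(pylock_text)
    for pkg in data.get("packages", []):
        if normalize(pkg.get("name", "")) == normalize(package):
            return pkg.get("version")
    return None


def check_image(pyproject_text: str, pylock_text: str,
                package: str = "black", fixed: str = FIXED_BLACK) -> dict:
    """Combined verdict for one image: the override and the lock must both agree."""
    locked = locked_version(pylock_text, package)
    lock_ok = locked is not None and release_tuple(locked) >= release_tuple(fixed)
    override_ok = override_satisfies(pyproject_text, package, fixed)
    return {"override_ok": override_ok, "locked_version": locked,
            "lock_ok": lock_ok, "fixed": override_ok and lock_ok}


if __name__ == "__main__":
    print(check_image(SAMPLE_PYPROJECT, SAMPLE_PYLOCK))   # both parts present
    print(check_image(STALE_PYPROJECT, SAMPLE_PYLOCK))    # override still 25.12.0
```

Run it over each of the seven `jupyter/*/ubi9-python-3.12/` directories by reading the two files into the `*_text` arguments; a `fixed` verdict of `False` on any image means either the override or the lock was missed, which is exactly the per-image drift a dependency-bump PR like this one can introduce.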

@jiridanek

/build-konflux

@jiridanek jiridanek changed the title fix(cve): CVE-2026-32274 - black [rhoai-2.25] fix(cve): CVE-2026-32274 - black Apr 16, 2026
@openshift-ci

openshift-ci Bot commented Apr 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jiridanek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jiridanek jiridanek merged commit 3653dea into red-hat-data-services:rhoai-2.25 Apr 16, 2026
40 of 64 checks passed