Multiple CVEs on jupyter-server package that comes as a dependency with JEG #1388

Open
Poojitha-R-Rao opened this issue Jul 26, 2024 · 0 comments
Summary
The recent version of Jupyter Enterprise Gateway (JEG 3.2.3) has a dependency on the vulnerable jupyter-server version 1.24.0 (please find the CVEs below).

Details
The recent version of Jupyter Enterprise Gateway has a dependency on the vulnerable jupyter-server version 1.24.0 (please find the CVEs below). Trying to upgrade jupyter-server to the recent version gives compatibility issues with JEG. It gives the error: `jupyter-enterprise-gateway 3.2.3 requires jupyter-server<2.0,>=1.7, but you have jupyter-server 2.14.1 which is incompatible.`
Please help upgrade the JEG version to work with the recent version of jupyter-server.

| CVE | Score | Pub_Date | Severity | Exploitability | Exploit Type | Package | Package Version | Fixed Version | Package Path |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-35178 | 7.5 | 2024-06-06 | high | | | jupyter-server | 1.24.0 | 2.14.1 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-39968 | 6.1 | 2023-08-28 | medium | | | jupyter-server | 1.24.0 | 2.7.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-40170 | 6.1 | 2023-08-28 | medium | | | jupyter-server | 1.24.0 | 2.7.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-49080 | 4.3 | 2023-12-04 | medium | | | jupyter-server | 1.24.0 | 2.11.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
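
An added triage example, not part of the original issue or of the JEG project: it checks each finding's fixed version from the table above against the `jupyter-server<2.0,>=1.7` requirement quoted in the error, to show which findings cannot be remediated while that pin is in place. It assumes the scanner's "Fixed Version" values are the ones to aim for and handles only plain numeric release versions, not full PEP 440; the function names are hypothetical.

```python
import operator
from itertools import zip_longest

OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
       "!=": operator.ne, "<": operator.lt, ">": operator.gt}

def parse_version(text):
    """Turn a release-only version such as '2.14.1' into (2, 14, 1)."""
    return tuple(int(part) for part in text.strip().split("."))

def padded(a, b):
    """Zero-pad the shorter tuple so that 2.0 compares equal to 2.0.0."""
    pairs = list(zip_longest(a, b, fillvalue=0))
    return tuple(x for x, _ in pairs), tuple(y for _, y in pairs)

def satisfies(version, specifier):
    """True if version meets every comma-separated clause, e.g. '<2.0,>=1.7'."""
    for clause in specifier.split(","):
        clause = clause.strip()
        # OPS lists two-character operators first so '<=' is not read as '<'.
        op = next((o for o in OPS if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        left, right = padded(parse_version(version),
                             parse_version(clause[len(op):]))
        if not OPS[op](left, right):
            return False
    return True

def blocked_by_pin(findings, specifier):
    """Return the CVE ids whose fixed version the pin excludes."""
    return [cve for cve, fixed in findings if not satisfies(fixed, specifier)]

# Values copied from the issue text and its scanner table.
JEG_PIN = "<2.0,>=1.7"
INSTALLED = "1.24.0"
FINDINGS = [
    ("CVE-2024-35178", "2.14.1"),
    ("CVE-2023-39968", "2.7.2"),
    ("CVE-2023-40170", "2.7.2"),
    ("CVE-2023-49080", "2.11.2"),
]

if __name__ == "__main__":
    print("installed version allowed by pin:", satisfies(INSTALLED, JEG_PIN))
    for cve in blocked_by_pin(FINDINGS, JEG_PIN):
        print(cve, "fix is outside the range JEG 3.2.3 allows")
```

All four fixed versions listed in the table are 2.x releases, so every finding is reported as blocked by the pin.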