Hi Ludo,

> #2 should be quite easy to address: we could arrange to have that
> feature disabled by default, so that users don’t find themselves
> unknowingly downloading arbitrary code from npm.

it’s “disabled” by default, because it is considered experimental in this version of JupyterLab. But a user can re-enable it. And the last part is entirely client-side, so we cannot disable it completely until we fix #1.

> #1 is a showstopper. :-/ I suppose that’s a lot of code that would
> need to be imported from npm, right?

`jupyter build` downloads about 600 NPM packages, as far as I remember.

> I’ve pushed the first two patches of the series (python-json5 and
> python-pytest-check-links).

Thank you!

> That said, it’s a big patch, so it would be even better if we didn’t
> have to carry it. Will the next version of ‘notebook’ include it?

Does not look like it. The pull request[1] has been open for a few months now. It’s vital to our use-case and (probably) everyone hosting notebooks, but not very useful to the casual home user.

So, executive decision: Do you want it in guix proper? I’ll just maintain it in my channel[2] otherwise.

Lars

[1] https://github.com/jupyter/notebook/pull/4835
[2] https://github.com/leibniz-psychology/guix-zpid