From 39371e4fcd623d3c3eac2771da72c63a76d12744 Mon Sep 17 00:00:00 2001
From: Jonas Bardino
Date: Thu, 25 Jun 2026 19:57:52 +0200
Subject: [PATCH] Make the installation of `nbconvert` and friends depend on `ENABLE_WORKFLOWS` to avoid including it on sites where workflows aren't enabled. With `nbconvert` depending on the `bleach` library, which is abandoned and now has a couple of security issues we can't patch on python 3.9, it becomes problematic to have in deployment.
---
 Dockerfile.rocky9 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Dockerfile.rocky9 b/Dockerfile.rocky9
index 245cf768..49b74a87 100755
--- a/Dockerfile.rocky9
+++ b/Dockerfile.rocky9
@@ -746,6 +746,7 @@ ARG MODERN_WSGIDAV
 ARG UPGRADE_PARAMIKO
 ARG ENABLE_CLOUD
 ARG ENABLE_PYTEST
+ARG ENABLE_WORKFLOWS
 ARG OPENSTACKSDK_VERSION_OVERRIDE
 ARG TRAC_ADMIN_PATH
@@ -885,7 +886,10 @@ RUN if [ -n "${TRAC_ADMIN_PATH}" ]; then \
 fi;
 # Modules required for workflows
-RUN if [ "${WITH_PY3}" = "True" ]; then \
+# NOTE: the bleach library used by nbconvert is abandoned
+# https://github.com/jupyter/nbconvert/issues/2289
+# and has security issues, too, so only install if explicitly requested.
+RUN if [ "${ENABLE_WORKFLOWS}" = "True" ]; then \
 pip3 install --no-cache-dir nbformat nbconvert papermill; \
 fi;
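Review bot: `ARG ENABLE_WORKFLOWS` in the first hunk (the ARG list around line 746 of Dockerfile.rocky9) is declared without a default, like its neighbours, so its value has to come from a global ARG or a `--build-arg` that this patch does not show. If nothing outside the hunk supplies one, the variable is empty and every existing build pipeline silently stops shipping nbformat, nbconvert and papermill. That is the safe direction for the bleach exposure, but it is a functional break for sites that do run workflows. The flag should be added wherever the other ENABLE_* build defaults and their documentation live, with a comment such as `# ENABLE_WORKFLOWS: set to True to install nbconvert/papermill (pulls in bleach)` next to it.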
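Review bot: The new guard on the workflows `RUN` in the second hunk replaces the `WITH_PY3` test instead of adding to it, and it matches only the exact string `True`, so a value such as `true` or `1` skips the install with nothing in the build log. If builds with `WITH_PY3` unset are still possible from this Dockerfile (not visible here), `if [ "${WITH_PY3}" = "True" ] && [ "${ENABLE_WORKFLOWS}" = "True" ]; then \` keeps the old behaviour for them. Since the stated motivation is a vulnerable transitive dependency, the unpinned `pip3 install --no-cache-dir nbformat nbconvert papermill` is also worth tightening with a pip constraints file, so that sites that opt in get a reviewed set of versions rather than whatever resolves on build day. The NOTE comment would serve later maintainers better if it named the specific advisories instead of "security issues", so that it is clear when the restriction can be lifted.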