jupyterhub-systemdspawner is vulnerable to information disclosure. User API tokens that are issued to single-user servers are specified in the environment of systemd units and are accessible to all users.
github.com/advisories/GHSA-cg54-gpgr-4rm6
github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015
github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580
github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6
pypi.org/project/jupyterhub-systemdspawner/