This repository has been archived by the owner on Jul 16, 2023. It is now read-only.

fix(deps): update dependency gatsby to v4 [security] #250

Open

renovate wants to merge 1 commit into develop from renovate/npm-gatsby-vulnerability

renovate bot commented Jun 9, 2023 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
gatsby (source, changelog)	`2.24.43` -> `4.25.7`

GitHub Vulnerability Alerts

CVE-2023-34238

Impact

The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).

The following steps can be used to reproduce the vulnerability:


# Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site

# Start the Gatsby develop server
$ gatsby develop

# Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"

# Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"

It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.

Patches

A patch has been introduced in gatsby@5.9.1 and gatsby@4.25.7 which mitigates the issue.

Workarounds

As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.

For more information

Email us at security@gatsbyjs.com.

Release Notes

gatsbyjs/gatsby (gatsby)

`v4.25.7`

`v4.25.6`

`v4.25.5`

`v4.25.4`

`v4.25.3`

`v4.25.2`

`v4.25.1`

`v4.25.0`

`v4.24.8`

`v4.24.7`

`v4.24.6`

`v4.24.5`

`v4.24.4`

`v4.24.3`

`v4.24.2`

`v4.24.1`

`v4.24.0`

`v4.23.1`

`v4.23.0`

`v4.22.1`

`v4.22.0`

`v4.21.1`

`v4.21.0`

`v4.20.0`

`v4.19.2`

`v4.19.1`

`v4.19.0`

`v4.18.2`

`v4.18.1`

`v4.18.0`

`v4.17.2`

`v4.17.1`

`v4.17.0`

`v4.16.0`

`v4.15.2`

`v4.15.1`

`v4.15.0`

`v4.14.1`

`v4.14.0`

`v4.13.1`

`v4.13.0`

`v4.12.1`

`v4.12.0`

`v4.11.3`

`v4.11.2`

`v4.11.1`

`v4.11.0`

`v4.10.3`

`v4.10.2`

`v4.10.1`

`v4.10.0`

`v4.9.3`

`v4.9.2`

`v4.9.1`

`v4.9.0`

`v4.8.2`

`v4.8.1`

`v4.8.0`

`v4.7.2`

`v4.7.1`

`v4.7.0`

`v4.6.2`

`v4.6.1`

`v4.6.0`

`v4.5.5`

`v4.5.4`

`v4.5.3`

`v4.5.2`

`v4.5.1`

`v4.5.0`

`v4.4.0`

`v4.3.0`

`v4.2.0`

`v4.1.6`

`v4.1.5`

`v4.1.4`

`v4.1.3`

`v4.1.2`

`v4.1.1`

`v4.1.0`

`v4.0.2`

`v4.0.1`

`v4.0.0`

`v3.15.0`

`v3.14.6`

`v3.14.5`

`v3.14.4`

`v3.14.3`

`v3.14.2`

`v3.14.1`

`v3.14.0`

`v3.13.1`

`v3.13.0`

`v3.12.1`

`v3.12.0`

`v3.11.1`

`v3.11.0`

`v3.10.2`

`v3.10.1`

`v3.10.0`

`v3.9.1`

`v3.9.0`

`v3.8.1`

`v3.8.0`

`v3.7.2`

`v3.7.1`

`v3.7.0`

`v3.6.2`

`v3.6.1`

`v3.6.0`

`v3.5.1`

`v3.5.0`: v3.5 (May 2021 #1)

Welcome to gatsby@3.5.0 release (May 2021 #1)

Key highlights of this release:

Performance improvements - up to 20% faster CLI startup, up to 20% faster query running, 70% speedup to creating pages
gatsby-graphql-source-toolkit v2 - Compatibility with Gatsby v3
New SSR in Develop overlay - the experimental SSR in Develop feature got a new overlay
Documentation updates - new docs: Functions, CSS, and our image plugins

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

`v3.4.2`

`v3.4.1`

`v3.4.0`: v3.4 (April 2021 #2)

Welcome to gatsby@3.4.0 release (April 2021 #2)

Key highlights of this release:

Experimental: Enable webpack persistent caching for production builds - significantly speed up webpack compilation on subsequent builds
Experimental: Gatsby Functions - serverless functions in Gatsby & Gatsby Cloud
New Aggregation Resolvers - adds min(), max(), and sum() resolvers to allX queries
Better Fast Refresh handling for styling libraries - Theme UI and Chakra UI now work correctly with Fast Refresh

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

`v3.3.1`

`v3.3.0`: v3.3 (April 2021 #1)

Welcome to gatsby@3.3.0 release (April 2021 #1)

Key highlights of this release:

Performance optimizations - faster JS bundling, lower peak memory usage
Upgrade to the latest sharp - built-in image optimizations; and now works on M1 Macs
Upgrade to the latest remark - more consistency in Markdown rendering
Bugfixes in gatsby-plugin-image

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

`v3.2.1`

`v3.2.0`: v3.2 (March 2021 #3)

Welcome to gatsby@3.2.0 release (March 2021 #3)

Key highlights of this release:

Better StaticImage errors
Adjustable ES Modules option for CSS Modules
gatsby-source-contentful - improved performance and other changes

Also check out notable bugfixes.

Sneak peek to next releases:

Major bump of all remark plugins

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

`v3.1.3`

`v3.1.2`

`v3.1.1`

`v3.1.0`: v3.1 (March 2021 #2)

Welcome to gatsby@3.1.0 release (March 2021 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes for v3.0

`v3.0.4`

`v3.0.3`

`v3.0.2`

`v3.0.1`

`v3.0.0`: v3.0 (March 2021 #1)

Welcome to gatsby@3.0.0 release (March 2021 #1).

This is the first major bump of Gatsby since September 2018!
We’ve tried to make migration smooth. Please refer to the migration guide
and let us know if you encounter any issues when migrating.

Key highlights of this release:

Incremental Builds in OSS - regenerate HTML only when necessary, leading to faster builds
Fast Refresh - new hot-reloading engine, error recovery, better DX
gatsby-plugin-image@1.0.0
gatsby-source-wordpress@5.0.0 - brand-new, significantly improved integration with WordPress
gatsby-source-contentful@5.0.0
Miscellaneous changes in plugins

Major dependency updates:

Also, check out notable bugfixes and improvements.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes for v2.32

`v2.32.13`

`v2.32.12`

`v2.32.11`

`v2.32.10`

`v2.32.9`

`v2.32.8`

`v2.32.7`

`v2.32.6`

`v2.32.5`

`v2.32.4`

`v2.32.3`

`v2.32.2`

`v2.32.1`

`v2.32.0`: v2.32 (February 2021 #1)

Welcome to gatsby@2.32.0 release (February 2021. 1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

`v2.31.1`

`v2.31.0`: v2.31 (January 2021 #2)

Welcome to gatsby@2.31.0 release (January 2021 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

`v2.30.3`

`v2.30.2`

`v2.30.1`

`v2.30.0`: v2.30 (January 2021 #1)

Welcome to gatsby@2.30.0 release (January 2021 #‎1)

See full release notes

Key highlights of this release:

Query on Demand and Lazy Images: Generally available - improves gatsby develop bootup time
Server Side Rendering (SSR) in development — helps you find and fix many build errors in development. We're starting a partial release of this feature to 5% of users.
gatsby-plugin-sass v3 - use the latest sass-loader and Dart Sass by default
Image transformations up to 30% faster

And several impactful updates in the new [gatsby-plugin-image](https://togithub.com/gatsbyjs/gatsby/blob/master/docs/docs/reference/release-notes/v

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

commit-lint bot commented Jun 9, 2023 •

edited

Bug Fixes

deps: update dependency gatsby to v4 [security] (7783d5d)

Contributors

Commit-Lint commands

You can trigger Commit-Lint actions by commenting on this PR:

@Commit-Lint merge patch will merge dependabot PR on "patch" versions (X.X.Y - Y change)
@Commit-Lint merge minor will merge dependabot PR on "minor" versions (X.Y.Y - Y change)
@Commit-Lint merge major will merge dependabot PR on "major" versions (Y.Y.Y - Y change)
@Commit-Lint merge disable will desactivate merge dependabot PR
@Commit-Lint review will approve dependabot PR
@Commit-Lint stop review will stop approve dependabot PR


          fix(deps): update dependency gatsby to v4 [security]

7783d5d

renovate bot force-pushed the renovate/npm-gatsby-vulnerability branch from 79d1d7c to 7783d5d Compare

July 13, 2023 19:29

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.