[Snyk] Security upgrade gatsby from 2.18.18 to 4.0.0

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • deps/npm/docs/package.json
  • deps/npm/docs/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	718/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-PARSEURL-3023021	Yes	Proof of Concept
	643/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5	Improper Input Validation SNYK-JS-PARSEURL-3024398	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gatsby

The new version differs by 250 commits.

• 8d07242 chore(release): Publish
• 0790895 chore(gatsby): Update README (events: set target property to null nodejs/node#33615)
• 06760d7 chore(gatsby): Change comment format in actions/public (src: don't use semicolon outside function nodejs/node#33592)
• 7d66a23 feat(gatsby): capture number of ssg,dsg,ssr pages in telemetry ([v12.x] deps: update to ICU 67.1 nodejs/node#33337)
• 98a843c fix(gatsby): use lmdb.removeSync so getNode can't return deleted nodes (src: use MaybeLocal.ToLocal instead of IsEmpty nodejs/node#33554)
• 4d8e40b fix(gatsby-source-wordpress): Add steps for `refetch_ALL` (#33264)
• 4761dc3 fix(gatsby): restore onPreBuild to being called right after bootstrap finishes (async-resource-vs-destroy benchmark is broken locally nodejs/node#33591)
• 1cdbab6 fix(deps): update starters and examples gatsby packages to ^3.14.3 ([v12.x] deps: V8: cherry-pick 548f6c81d424 nodejs/node#33553)
• 0f421db chore(release): Publish next
• 7d6a0aa fix(gatsby): fix page-tree in ink-cli (deps: update V8 to 8.4 nodejs/node#33579)
• 3993819 chore(gatsby): Add `assetPrefix` to `IGatsbyConfig` (async_hooks: improve resource stack performance nodejs/node#33575)
• 6cc964a fix(gatsby-source-wordpress): restore PQR support (support util.promisify for fs.readv nodejs/node#33590)
• 9eef270 specifying what actually changed (v14.3.0 proposal nodejs/node#33452)
• 2975c4d feat(gatsby,gatsby-link): add queue to prefetch (doc: outline when origin is set to unhandledRejection nodejs/node#33530)
• 68fe836 fix(gatsby): temporary workaround for stale jobs cache (Use stream._construct nodejs/node#33586)
• a800d9d fix(gatsby): Update internal usage of .runQuery (New label suggestion: awaiting release nodejs/node#33571)
• 677760c chore(docs): Clarify SEO component guide (src: add default: case to silence compiler warning nodejs/node#33451)
• ccca4b3 fix(gatsby): only remove unused code when apis got removed (lib: initial experimental AbortController implementation nodejs/node#33527)
• 8dbf550 fix(gatsby): assign correct parentSpans to PQR activities (support nested headers in http2 nodejs/node#33568)
• 31d5a5e fix(gatsby-dev-cli): resolve correct versions of packages with unpkg (http: simplify Agent initialization nodejs/node#33551)
• 5110074 fix(gatsby-plugin-gatsby-cloud): emit file nodes after source updates (doc: fix misc. mislabeled code block info strings nodejs/node#33548)
• d2329df fix(gatsby): make sure 404 and 500 page inherit stateful status from original page (wasi: allow WASI stdio to be configured nodejs/node#33544)
• 68e5b90 chore(docs): Update query var in part-7 tutorial (feature-request fs.fileWrite with option.mkdirp nodejs/node#33559)
• a8cab55 chore(gatsby-plugin-react-helmet): Update Examples (src: use NewFromUtf8Literal in GetLinkedBinding nodejs/node#33552)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

[guardrails]

⚠️ We detected 12 security issues in this pull request:

Mode: paranoid | Total findings: 12 | Considered vulnerability: 12

Vulnerable Libraries (12)

Severity	Details
Medium	pkg:npm/express@4.18.1@4.18.1 (t) - no patch available
Medium	pkg:npm/ws@7.4.5@7.4.5 (t) - no patch available
High	pkg:npm/dicer@0.2.5@0.2.5 (t) - no patch available
Medium	pkg:npm/es5-ext@0.10.62@0.10.62 (t) - no patch available
High	pkg:npm/busboy@0.2.14@0.2.14 (t) - no patch available
Critical	pkg:npm/shell-quote@1.7.2@1.7.2 (t) upgrade to: 1.7.3
Medium	pkg:npm/object-path@0.11.5@0.11.5 (t) upgrade to: 0.11.6
High	pkg:npm/immer@8.0.1@8.0.1 (t) upgrade to: 9.0.6
Medium	pkg:npm/multer@1.4.4@1.4.4 (t) - no patch available
Low	pkg:npm/node-fetch@2.6.7@2.6.7 (t) - no patch available
Medium	pkg:npm/%40hapi/hoek@8.5.0@8.5.0 (t) - no patch available
High	gatsby@4.0.0 upgrade to: >=1.9.130

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.