This repository has been archived by the owner on Mar 22, 2024. It is now read-only.
fix(deps): update dependency gatsby-plugin-mdx to v2.14.1 [security] #265
Merged
renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch repeatedly between June 16, 2022 and November 20, 2022 (final commit 20f62fc), and github-actions bot temporarily deployed each push to archifiltre-site-renovate-npm-gatsby-plugin-m-68stdg (deployments now inactive).
Kudos, SonarCloud Quality Gate passed!

🎉 Deployment for commit 20f62fc :

Ingresses
- 🚀 https://archifiltre-site-renovate-npm-gatsby-plugin-m-68stdg.dev.fabrique.social.gouv.fr/

Docker images
- 📦 docker pull ghcr.io/socialgouv/archifiltre/archifiltre-site:sha-20f62fc2064c185b99885f6a18fb53cc866da0ff

Debug
- 📕 Loki logs for namespace archifiltre-site-renovate-npm-gatsby-plugin-m-68stdg
- 📈 Pods monitoring for namespace archifiltre-site-renovate-npm-gatsby-plugin-m-68stdg
- 📈 Workloads monitoring for namespace archifiltre-site-renovate-npm-gatsby-plugin-m-68stdg
- 👮‍♂️ Namespace rancher archifiltre-site-renovate-npm-gatsby-plugin-m-68stdg
- 👮‍♂️ Deployment app
Alezco approved these changes Jan 17, 2023

SocialGroovyBot pushed a commit that referenced this pull request Jan 17, 2023

## [2.0.7](v2.0.6...v2.0.7) (2023-01-17)

### Bug Fixes

* **deps:** update dependency gatsby-plugin-mdx to v2.14.1 [security] ([#265](#265)) ([5fa2205](5fa2205))

🎉 This PR is included in version 2.0.7 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This PR contains the following updates: gatsby-plugin-mdx 2.14.0 -> 2.14.1
GitHub Vulnerability Alerts

CVE-2022-25863

Impact
The gatsby-plugin-mdx plugin prior to versions 3.15.2 and 2.14.1 passes input through to the gray-matter npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present when passing input in both webpack mode (MDX files in src/pages or MDX files imported as components in frontend / React code) and data mode (querying MDX nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability, untrusted/unsanitized input would need to be sourced or added into an MDX file. The following MDX payload demonstrates a vulnerable configuration:

Patches
A patch has been introduced in gatsby-plugin-mdx@3.15.2 and gatsby-plugin-mdx@2.14.1 which mitigates the issue by disabling the gray-matter JavaScript Frontmatter engine. The patch introduces a new option, JSFrontmatterEngine, which is set to false by default. When setting JSFrontmatterEngine to true, input passed to gatsby-plugin-mdx must be sanitized before processing to avoid a security risk. Warnings are displayed when setting JSFrontmatterEngine to true or if it appears that the MDX input is attempting to use the Frontmatter engine.

Workarounds
If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
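As an added example (not code from this PR, from gatsby-plugin-mdx or from gray-matter), the following Node.js audit flags MDX sources whose opening front matter delimiter selects gray-matter's JavaScript engine, the input shape the Impact, Patches and Workarounds sections are about; it is an independent content check alongside leaving JSFrontmatterEngine at its default of false. The file paths and contents are constructed, and the delimiter parsing follows gray-matter's rule that the text after the opening `---` on the first line names the engine.

```javascript
// Added example, not code from the PR, gatsby-plugin-mdx or gray-matter.
// gray-matter reads the text after the opening "---" delimiter (first line,
// trimmed, case-insensitive) as the engine name, so "---js", "--- js" and
// "---JavaScript" all route the block to its JavaScript engine. A line that
// starts "----" is a horizontal rule, not front matter.

/**
 * Return the engine a document's front matter requests: "yaml" for a bare
 * "---" delimiter, the declared name otherwise, or null with no front matter.
 */
function frontmatterEngine(source) {
  const text = source.replace(/^\uFEFF/, ""); // gray-matter strips a BOM first
  if (!text.startsWith("---")) return null;  // no front matter at all
  if (text.charAt(3) === "-") return null;   // "----": delimiter run, not front matter
  const firstLine = text.slice(3, text.search(/\r?\n|$/)).trim();
  return firstLine === "" ? "yaml" : firstLine.toLowerCase();
}

// True when gray-matter would hand the front matter to its JS engine.
function usesJsFrontmatter(source) {
  const engine = frontmatterEngine(source);
  return engine === "js" || engine === "javascript";
}

// Audit {path, content} entries; returns the paths that would reach the JS engine.
function auditMdxSources(entries) {
  return entries.filter((e) => usesJsFrontmatter(e.content)).map((e) => e.path);
}

// Constructed sample inputs (not from the PR). The flagged entries hold only a
// harmless object literal; what matters is the delimiter shape a reviewer
// should look for in content that arrives from outside the repository.
const SAMPLE_SOURCES = [
  { path: "src/pages/about.mdx", content: "---\ntitle: About\n---\n# About\n" },
  { path: "src/pages/untrusted.mdx", content: "---js\n{ title: 'x' }\n---\n# Hi\n" },
  { path: "src/pages/spaced.mdx", content: "\uFEFF--- JavaScript\r\n{}\r\n---\r\n" },
  { path: "src/pages/rule.mdx", content: "----\nnot front matter\n" },
  { path: "src/pages/plain.mdx", content: "# No front matter\n" },
];

// Plugin-side mitigation from the advisory (gatsby-plugin-mdx >= 2.14.1 / 3.15.2):
//   { resolve: "gatsby-plugin-mdx", options: { JSFrontmatterEngine: false } }
// This audit adds a second check for content that comes from untrusted sources.
console.log("MDX sources using the JS front matter engine:", auditMdxSources(SAMPLE_SOURCES));
```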
Credits
We would like to thank Snyk [snyk.io] for initially bringing the issue to our attention, as well as Feng Xiao and Zhongfu Su, who reported the issue to Snyk.
For more information
Email us at security@gatsbyjs.com.
Release Notes: gatsbyjs/gatsby v2.14.1 (Compare Source)
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.