[Snyk] Fix for 1 vulnerabilities

[adamlaska]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/homepage/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gatsby

The new version differs by 250 commits.

• 0c6cd61 chore(release): Publish
• 5e8e621 chore: Update main README (#36954)
• 7130cd4 test(gatsby): Slices API integration tests (#36747)
• 6496eed chore(release): Publish next
• bc7ac84 chore: preserve previous webpack stats derived values, even if we restart webpack itself (#36980)
• 2b5af32 fix: drop `__renderedByLocation` prop when calculating slice props hashes and don't expose it to slice component (#36979)
• cc1ee9b chore(release): Publish next
• 6a53861 chore(gatsby-link): Correct type export (#36968)
• 0ad6314 fix(gatsby-graphiql-explorer): Use upstream exporter package (#36966)
• 964265c chore(release): Publish next
• b624442 chore: Update peerDeps (#36965)
• b2ab092 chore(release): Publish next
• e2a14bf feat(gatsby): Slices <> partial hydration interop (#36960)
• 0083e62 fix(deps): update starters and examples gatsby packages to ^4.24.7 (#36957)
• 68e9cab chore(changelogs): update changelogs (#36958)
• b9eb8d2 chore(deps): update dependency autoprefixer to ^10.4.13 for gatsby-plugin-sass (#36934)
• 58c37ea chore(deps): update dependency @ jridgewell/trace-mapping to ^0.3.17 for gatsby-legacy-polyfills (#36933)
• a5e4c47 fix(deps): update dependency body-parser to ^1.20.1 for gatsby-source-drupal (#36940)
• c86aa7e chore(docs): Add clarification for Pro Tip on Part 4 of tutorial (#36918)
• d5c775a feat(gatsby): handle graphql-import-node bundling (#36951)
• 59e2976 feat(gatsby-remark-embed-snippet): added csproj to language map so it will be recognized as xml (#36919)
• c8a7dda chore(docs): Valhalla Content Hub Reference Guide (#36949)
• 3044280 fix(gatsby): stitch slices if just page html was regenerating without any of used slices regenerating (#36950)
• 10abdcb chore(release): Publish next

See the full diff

Package name: gatsby-cli

The new version differs by 250 commits.

• 0c6cd61 chore(release): Publish
• 5e8e621 chore: Update main README (#36954)
• 7130cd4 test(gatsby): Slices API integration tests (#36747)
• 6496eed chore(release): Publish next
• bc7ac84 chore: preserve previous webpack stats derived values, even if we restart webpack itself (#36980)
• 2b5af32 fix: drop `__renderedByLocation` prop when calculating slice props hashes and don't expose it to slice component (#36979)
• cc1ee9b chore(release): Publish next
• 6a53861 chore(gatsby-link): Correct type export (#36968)
• 0ad6314 fix(gatsby-graphiql-explorer): Use upstream exporter package (#36966)
• 964265c chore(release): Publish next
• b624442 chore: Update peerDeps (#36965)
• b2ab092 chore(release): Publish next
• e2a14bf feat(gatsby): Slices <> partial hydration interop (#36960)
• 0083e62 fix(deps): update starters and examples gatsby packages to ^4.24.7 (#36957)
• 68e9cab chore(changelogs): update changelogs (#36958)
• b9eb8d2 chore(deps): update dependency autoprefixer to ^10.4.13 for gatsby-plugin-sass (#36934)
• 58c37ea chore(deps): update dependency @ jridgewell/trace-mapping to ^0.3.17 for gatsby-legacy-polyfills (#36933)
• a5e4c47 fix(deps): update dependency body-parser to ^1.20.1 for gatsby-source-drupal (#36940)
• c86aa7e chore(docs): Add clarification for Pro Tip on Part 4 of tutorial (#36918)
• d5c775a feat(gatsby): handle graphql-import-node bundling (#36951)
• 59e2976 feat(gatsby-remark-embed-snippet): added csproj to language map so it will be recognized as xml (#36919)
• c8a7dda chore(docs): Valhalla Content Hub Reference Guide (#36949)
• 3044280 fix(gatsby): stitch slices if just page html was regenerating without any of used slices regenerating (#36950)
• 10abdcb chore(release): Publish next

See the full diff

Package name: gatsby-plugin-sharp

The new version differs by 250 commits.

• 0a455df chore(release): Publish
• 91dc167 fix(gatsby): don't log FAST_DEV message for each worker (#32961) (#32967)
• f936c93 fix(gatsby): set staticQueryResultHash to new hash on data change (#32949) (#32966)
• ea161ce feat(gatsby-graphiql-explorer): upgrade to webpack 5 (#30642)
• 944e381 chore(release): Publish next
• d6326df fix(gatsby-core-utils): Switch `auth` option from got to username/password (#32665)
• cf9c066 fix(gatsby): add this typings to actions (#32210)
• 53aa88e chore: enable test parallelism (#32766)
• b7deabc fix(deps): update starters and examples - gatsby (#32843)
• 6025c84 chore(deps): update dependency katex to ^0.13.13 for gatsby-remark-katex (#32567)
• d87c5cb chore: enable lmdb by default and update node for next major (#32695)
• 818d6c1 feat(gatsby-plugin-gatsby-cloud): Add `disablePreviewUI` option (#32907)
• f556a00 chore: update changelogs (#32924)
• aba5eba feat(gatsby): enable webpack caching in development for everyone (#32922)
• ac7bd4e feat(gatsby-source-wordpress): allow path to js file for beforeChangeNode option (#32901)
• 1a87a8a docs(gatsby-source-wordpress): document content sync (#32768)
• 417df15 chore: re-generate changelogs (#32886)
• 1810874 fix(gatsby-source-wordpress): draft previews (#32915)
• 7c72ab8 chore(gatsby): remove unused packages (#32903)
• afb06d7 chore(docs): Add hint for MDX plugin in remark-plugin-tutorial (#32876)
• 1303ecb chore(docs): Update wording for "using-web-fonts" (#32902)
• 9589911 chore(docs): Fix code highlighting in part 6 (#32900)
• 568d4ce feat(gatsby-source-drupal): Use the collection count from JSON:API extras to enable parallel API requests for cold builds (#32883)
• 41f5337 fix(deps): update typescript to ^4.29.3 (#32614)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Native code	@parcel/watcher	2.1.0	Location: binding.gyp	packages/homepage/package.json via gatsby@5.11.0
Native code	lmdb	2.5.2	Location: binding.gyp	packages/homepage/package.json via gatsby@5.11.0
Native code	lmdb	2.5.3	Location: binding.gyp	packages/homepage/package.json via gatsby@5.11.0, gatsby-cli@5.11.0
Native code	msgpackr-extract	3.0.2	Location: binding.gyp	packages/homepage/package.json via gatsby@5.11.0, gatsby-cli@5.11.0
Network access	@parcel/reporter-dev-server	2.8.3	Module: tls Location: lib/ServerReporter.js	packages/homepage/package.json via gatsby@5.11.0
Network access	http2-wrapper	1.0.3	Module: tls Location: source/agent.js	packages/homepage/package.json via gatsby@5.11.0, gatsby-cli@5.11.0, gatsby-plugin-sharp@3.15.0
Network access	http2-wrapper	2.2.0	Module: tls Location: source/agent.js	packages/homepage/package.json via gatsby@5.11.0
Network access	resolve-alpn	1.2.1	Module: tls Location: index.js	packages/homepage/package.json via gatsby@5.11.0, gatsby-cli@5.11.0, gatsby-plugin-sharp@3.15.0
Network access	@builder.io/partytown	0.7.6	Module: globalThis["fetch"] Location: lib/debug/partytown-ww-atomics.js	packages/homepage/package.json via gatsby@5.11.0
Network access	@parcel/runtime-js	2.8.3	Module: globalThis["fetch"] Location: lib/helpers/browser/html-loader.js	packages/homepage/package.json via gatsby@5.11.0
Network access	abortcontroller-polyfill	1.7.5	Module: globalThis["fetch"] Location: dist/cjs-ponyfill.js	packages/homepage/package.json via gatsby@5.11.0
Network access	graphql-http	1.19.0	Module: globalThis["fetch"] Location: lib/audits/server.js	packages/homepage/package.json via gatsby@5.11.0
Network access	svgo	2.8.0	Module: globalThis["fetch"] Location: dist/svgo.browser.js	packages/homepage/package.json via gatsby@5.11.0, gatsby-plugin-sharp@3.15.0
Network access	@parcel/utils	2.8.3	Module: https Location: src/http-server.js	packages/homepage/package.json via gatsby@5.11.0
Network access	express-http-proxy	1.6.3	Module: https Location: lib/requestOptions.js	packages/homepage/package.json via gatsby@5.11.0
Network access	got	11.8.6	Module: http2-wrapper Location: dist/source/core/index.js	packages/homepage/package.json via gatsby@5.11.0, gatsby-cli@5.11.0, gatsby-plugin-sharp@3.15.0

Next steps

What's wrong with native code?

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore @parcel/watcher@2.1.0
• @SocketSecurity ignore lmdb@2.5.2
• @SocketSecurity ignore lmdb@2.5.3
• @SocketSecurity ignore msgpackr-extract@3.0.2
• @SocketSecurity ignore @parcel/reporter-dev-server@2.8.3
• @SocketSecurity ignore http2-wrapper@1.0.3
• @SocketSecurity ignore http2-wrapper@2.2.0
• @SocketSecurity ignore resolve-alpn@1.2.1
• @SocketSecurity ignore @builder.io/partytown@0.7.6
• @SocketSecurity ignore @parcel/runtime-js@2.8.3
• @SocketSecurity ignore abortcontroller-polyfill@1.7.5
• @SocketSecurity ignore graphql-http@1.19.0
• @SocketSecurity ignore svgo@2.8.0
• @SocketSecurity ignore @parcel/utils@2.8.3
• @SocketSecurity ignore express-http-proxy@1.6.3
• @SocketSecurity ignore got@11.8.6

[socket-security]

New and updated dependency changes detected. Learn more about Socket for GitHub ↗︎

Packages		Version	New capabilities	Transitives1	Size	Publisher
gatsby	🆕	5.11.0	environment	+275	271 MB	lekoarts
babel-plugin-macros	🆕	3.1.0	None	+0	38 kB	kentcdodds
gatsby-cli	🆕	5.11.0	environment	+38	33 MB	lekoarts
gatsby-plugin-sharp	🆕	3.15.0	filesystem	+149	47.6 MB	pieh

Footnotes

1. https://docs.socket.dev ↩