This repository has been archived by the owner on Jul 16, 2023. It is now read-only.
fix(deps): update dependency gatsby to v4 [security] #250
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.24.43
->4.25.7
GitHub Vulnerability Alerts
CVE-2023-34238
Impact
The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the
__file-code-frame
and__original-stack-frame
paths, exposed when running the Gatsby develop server (gatsby develop
).The following steps can be used to reproduce the vulnerability:
It should be noted that by default
gatsby develop
is only accessible via the localhost127.0.0.1
, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as--host 0.0.0.0
,-H 0.0.0.0
, or theGATSBY_HOST=0.0.0.0
environment variable.Patches
A patch has been introduced in
gatsby@5.9.1
andgatsby@4.25.7
which mitigates the issue.Workarounds
As stated above, by default
gatsby develop
is only exposed to the localhost127.0.0.1
. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
Credits
We would like to thank Maxwell Garrett of Assetnote for bringing the
__file-code-frame
issue to our attention.For more information
Email us at security@gatsbyjs.com.
Release Notes
gatsbyjs/gatsby (gatsby)
v4.25.7
Compare Source
v4.25.6
Compare Source
v4.25.5
Compare Source
v4.25.4
Compare Source
v4.25.3
Compare Source
v4.25.2
Compare Source
v4.25.1
Compare Source
v4.25.0
Compare Source
v4.24.8
Compare Source
v4.24.7
Compare Source
v4.24.6
Compare Source
v4.24.5
Compare Source
v4.24.4
Compare Source
v4.24.3
Compare Source
v4.24.2
Compare Source
v4.24.1
Compare Source
v4.24.0
Compare Source
v4.23.1
Compare Source
v4.23.0
Compare Source
v4.22.1
Compare Source
v4.22.0
Compare Source
v4.21.1
Compare Source
v4.21.0
Compare Source
v4.20.0
Compare Source
v4.19.2
Compare Source
v4.19.1
Compare Source
v4.19.0
Compare Source
v4.18.2
Compare Source
v4.18.1
Compare Source
v4.18.0
Compare Source
v4.17.2
Compare Source
v4.17.1
Compare Source
v4.17.0
Compare Source
v4.16.0
Compare Source
v4.15.2
Compare Source
v4.15.1
Compare Source
v4.15.0
Compare Source
v4.14.1
Compare Source
v4.14.0
Compare Source
v4.13.1
Compare Source
v4.13.0
Compare Source
v4.12.1
Compare Source
v4.12.0
Compare Source
v4.11.3
Compare Source
v4.11.2
Compare Source
v4.11.1
Compare Source
v4.11.0
Compare Source
v4.10.3
Compare Source
v4.10.2
Compare Source
v4.10.1
Compare Source
v4.10.0
Compare Source
v4.9.3
Compare Source
v4.9.2
Compare Source
v4.9.1
Compare Source
v4.9.0
Compare Source
v4.8.2
Compare Source
v4.8.1
Compare Source
v4.8.0
Compare Source
v4.7.2
Compare Source
v4.7.1
Compare Source
v4.7.0
Compare Source
v4.6.2
Compare Source
v4.6.1
Compare Source
v4.6.0
Compare Source
v4.5.5
Compare Source
v4.5.4
Compare Source
v4.5.3
Compare Source
v4.5.2
Compare Source
v4.5.1
Compare Source
v4.5.0
Compare Source
v4.4.0
Compare Source
v4.3.0
Compare Source
v4.2.0
Compare Source
v4.1.6
Compare Source
v4.1.5
Compare Source
v4.1.4
Compare Source
v4.1.3
Compare Source
v4.1.2
Compare Source
v4.1.1
Compare Source
v4.1.0
Compare Source
v4.0.2
Compare Source
v4.0.1
Compare Source
v4.0.0
Compare Source
v3.15.0
Compare Source
v3.14.6
Compare Source
v3.14.5
Compare Source
v3.14.4
Compare Source
v3.14.3
Compare Source
v3.14.2
Compare Source
v3.14.1
Compare Source
v3.14.0
Compare Source
v3.13.1
Compare Source
v3.13.0
Compare Source
v3.12.1
Compare Source
v3.12.0
Compare Source
v3.11.1
Compare Source
v3.11.0
Compare Source
v3.10.2
Compare Source
v3.10.1
Compare Source
v3.10.0
Compare Source
v3.9.1
Compare Source
v3.9.0
Compare Source
v3.8.1
Compare Source
v3.8.0
Compare Source
v3.7.2
Compare Source
v3.7.1
Compare Source
v3.7.0
Compare Source
v3.6.2
Compare Source
v3.6.1
Compare Source
v3.6.0
Compare Source
v3.5.1
Compare Source
v3.5.0
: v3.5 (May 2021 #1)Compare Source
Welcome to
gatsby@3.5.0
release (May 2021 #1)Key highlights of this release:
gatsby-graphql-source-toolkit
v2 - Compatibility with Gatsby v3Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v3.4.2
Compare Source
v3.4.1
Compare Source
v3.4.0
: v3.4 (April 2021 #2)Compare Source
Welcome to
gatsby@3.4.0
release (April 2021 #2)Key highlights of this release:
min()
,max()
, andsum()
resolvers toallX
queriesAlso check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v3.3.1
Compare Source
v3.3.0
: v3.3 (April 2021 #1)Compare Source
Welcome to
gatsby@3.3.0
release (April 2021 #1)Key highlights of this release:
sharp
- built-in image optimizations; and now works on M1 Macsremark
- more consistency in Markdown renderinggatsby-plugin-image
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v3.2.1
Compare Source
v3.2.0
: v3.2 (March 2021 #3)Compare Source
Welcome to
gatsby@3.2.0
release (March 2021 #3)Key highlights of this release:
StaticImage
errorsgatsby-source-contentful
- improved performance and other changesAlso check out notable bugfixes.
Sneak peek to next releases:
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v3.1.3
Compare Source
v3.1.2
Compare Source
v3.1.1
Compare Source
v3.1.0
: v3.1 (March 2021 #2)Compare Source
Welcome to
gatsby@3.1.0
release (March 2021 #2)Key highlights of this release:
gatsbyImageData
is stableAlso check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes for v3.0
Full changelog
v3.0.4
Compare Source
v3.0.3
Compare Source
v3.0.2
Compare Source
v3.0.1
Compare Source
v3.0.0
: v3.0 (March 2021 #1)Compare Source
Welcome to
gatsby@3.0.0
release (March 2021 #1).This is the first major bump of Gatsby since September 2018!
We’ve tried to make migration smooth. Please refer to the migration guide
and let us know if you encounter any issues when migrating.
Key highlights of this release:
Major dependency updates:
Also, check out notable bugfixes and improvements.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes for v2.32
Full changelog
v2.32.13
Compare Source
v2.32.12
Compare Source
v2.32.11
Compare Source
v2.32.10
Compare Source
v2.32.9
Compare Source
v2.32.8
Compare Source
v2.32.7
Compare Source
v2.32.6
Compare Source
v2.32.5
Compare Source
v2.32.4
Compare Source
v2.32.3
Compare Source
v2.32.2
Compare Source
v2.32.1
Compare Source
v2.32.0
: v2.32 (February 2021 #1)Compare Source
Welcome to
gatsby@2.32.0
release (February 2021. 1)Key highlights of this release:
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v2.31.1
Compare Source
v2.31.0
: v2.31 (January 2021 #2)Compare Source
Welcome to
gatsby@2.31.0
release (January 2021 #2)Key highlights of this release:
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v2.30.3
Compare Source
v2.30.2
Compare Source
v2.30.1
Compare Source
v2.30.0
: v2.30 (January 2021 #1)Compare Source
Welcome to
gatsby@2.30.0
release (January 2021 #1)See full release notes
Key highlights of this release:
gatsby develop
bootup timesass-loader
andDart Sass
by defaultAnd several impactful updates in the new [
gatsby-plugin-image
](https://togithub.com/gatsbyjs/gatsby/blob/master/docs/docs/reference/release-notes/vConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.