-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency gatsby to v4 [security] #303
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-gatsby-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+1
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
3 times, most recently
from
July 15, 2024 11:25
e99a79a
to
4802ce9
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
July 22, 2024 09:45
f27ed14
to
ac34cee
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
July 31, 2024 14:17
5a2a2ef
to
aebedd6
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
August 19, 2024 06:37
12ed94c
to
a65163e
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 19, 2024 11:44
a65163e
to
e6a9d4e
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
6 times, most recently
from
September 9, 2024 10:50
b67948e
to
2586ee9
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
3 times, most recently
from
September 16, 2024 09:09
6631378
to
93ab497
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
4 times, most recently
from
September 30, 2024 09:15
b69f34e
to
637e967
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
3 times, most recently
from
October 14, 2024 06:06
25ff29e
to
ef7f9eb
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
October 14, 2024 09:38
ef7f9eb
to
b413f94
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
October 21, 2024 10:40
b413f94
to
9037a04
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
October 31, 2024 18:49
9037a04
to
e477884
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
November 11, 2024 09:29
2ae2c62
to
87c5a26
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
November 18, 2024 10:51
87c5a26
to
fc107c5
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
December 2, 2024 10:07
a210bbc
to
1380726
Compare
renovate
bot
changed the title
fix(deps): update dependency gatsby to v4 [security]
fix(deps): update dependency gatsby to v4 [security] - autoclosed
Dec 8, 2024
renovate
bot
changed the title
fix(deps): update dependency gatsby to v4 [security] - autoclosed
fix(deps): update dependency gatsby to v4 [security]
Dec 8, 2024
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
December 9, 2024 12:21
1380726
to
0aeb696
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
December 16, 2024 09:22
0aeb696
to
ca857b6
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
December 16, 2024 13:08
ca857b6
to
b871b9e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^3.14.6
->^4.0.0
GitHub Vulnerability Alerts
CVE-2023-34238
Impact
The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the
__file-code-frame
and__original-stack-frame
paths, exposed when running the Gatsby develop server (gatsby develop
).The following steps can be used to reproduce the vulnerability:
It should be noted that by default
gatsby develop
is only accessible via the localhost127.0.0.1
, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as--host 0.0.0.0
,-H 0.0.0.0
, or theGATSBY_HOST=0.0.0.0
environment variable.Patches
A patch has been introduced in
[email protected]
and[email protected]
which mitigates the issue.Workarounds
As stated above, by default
gatsby develop
is only exposed to the localhost127.0.0.1
. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
Credits
We would like to thank Maxwell Garrett of Assetnote for bringing the
__file-code-frame
issue to our attention.For more information
Email us at [email protected].
Release Notes
gatsbyjs/gatsby (gatsby)
v4.25.7
Compare Source
v4.25.6
Compare Source
v4.25.5
Compare Source
v4.25.4
Compare Source
v4.25.3
Compare Source
v4.25.2
Compare Source
v4.25.1
Compare Source
v4.25.0
Compare Source
v4.24.8
Compare Source
v4.24.7
Compare Source
v4.24.6
Compare Source
v4.24.5
Compare Source
v4.24.4
Compare Source
v4.24.3
Compare Source
v4.24.2
Compare Source
v4.24.1
Compare Source
v4.24.0
: v4.24Compare Source
Welcome to
[email protected]
release (September 2022 #2)Key highlights of this release:
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.23.1
Compare Source
v4.23.0
: v4.23Compare Source
Welcome to
[email protected]
release (September 2022 #1)Key highlights of this release:
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.22.1
Compare Source
v4.22.0
: v4.22Compare Source
Welcome to
[email protected]
release (August 2022 #3)Key highlights of this release:
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.21.1
Compare Source
v4.21.0
: v4.21Compare Source
Welcome to
[email protected]
release (August 2022 #2)Key highlights of this release:
gatsby-plugin-mdx
v4Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.20.0
: v4.20Compare Source
Welcome to
[email protected]
release (August 2022 #1)Key highlights of this release:
sort
and aggregation fields in Gatsby GraphQL SchemaBleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.19.2
Compare Source
v4.19.1
Compare Source
v4.19.0
: v4.19Compare Source
Welcome to
[email protected]
release (July 2022 #2)Key highlights of this release:
react-helmet
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.18.2
Compare Source
v4.18.1
Compare Source
v4.18.0
: v4.18Compare Source
Welcome to
[email protected]
release (July 2022 #1)Key highlights of this release:
typesOutputPath
option for GraphQL Typegen - Configure the location of the generated TypeScript typesgatsby develop
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.17.2
Compare Source
v4.17.1
Compare Source
v4.17.0
: v4.17Compare Source
Welcome to
[email protected]
release (June 2022 #2)Key highlights of this release:
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.16.0
: v4.16Compare Source
Welcome to
[email protected]
release (June 2022 #1)Key highlights of this release:
useContentfulImage
hookAlso check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.15.2
Compare Source
v4.15.1
Compare Source
v4.15.0
: v4.15Compare Source
Welcome to
[email protected]
release (May 2022 #2)Key highlights of this release:
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
[Full changelog][full-changelog]
v4.14.1
Compare Source
v4.14.0
: v4.14Compare Source
Welcome to
[email protected]
release (May 2022 #1)Key highlights of this release:
gatsby-source-drupal
: Image CDN SupportAlso check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.13.1
Compare Source
v4.13.0
: v4.13Compare Source
Welcome to
[email protected]
release (April 2022 #2)Key highlights of this release:
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.12.1
Compare Source
v4.12.0
: v4.12Compare Source
Welcome to
[email protected]
release (April 2022 #1)Key highlights of this release:
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.11.3
Compare Source
v4.11.2
Compare Source
v4.11.1
Compare Source
v4.11.0
: v4.11Compare Source
Welcome to
[email protected]
release (March 2022 #3)Key highlights of this release:
gatsby-source-shopify
v7Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.10.3
Compare Source
v4.10.2
Compare Source
v4.10.1
Compare Source
v4.10.0
: v4.10Compare Source
Welcome to
[email protected]
release (March 2022 #2)Key highlights of this release:
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.9.3
Compare Source
v4.9.2
Compare Source
v4.9.1
Compare Source
v4.9.0
: v4.9Compare Source
Welcome to
[email protected]
release (March 2022 #1)Key highlights of this release:
gatsby-config
andgatsby-node
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v4.8.2
Compare Source
v4.8.1
Compare Source
v4.8.0
: v4.8Compare Source
Welcome to
[email protected]
release (February 2022 #2)Key highlights of this release:
gatsby-browser
andgatsby-ssr
gatsby-core-utils
andgatsby-plugin-utils
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.7.2
Compare Source
v4.7.1
Compare Source
v4.7.0
: v4.7Compare Source
Welcome to
[email protected]
release (February 2022 #1)Key highlights of this release:
trailingSlash
Option - Now built into the Framework itselfcreatePages
- Speed improvements of at least 30%Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.6.2
Compare Source
v4.6.1
Compare Source
v4.6.0
: v4.6Compare Source
Welcome to
[email protected]
release (January 2022 #2)Key highlights of this release:
gatsby-plugin-utils
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.5.5
Compare Source
v4.5.4
Compare Source
v4.5.3
Compare Source
v4.5.2
Compare Source
v4.5.1
Compare Source
v4.5.0
: v4.5Compare Source
Welcome to
[email protected]
release (January 2022 #1)Key highlights of this release:
getServerData
gatsby-recipes
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.4.0
: v4.4Compare Source
Welcome to
[email protected]
release (December 2021 #1)Key highlights of this release:
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.3.0
: v4.3Compare Source
Welcome to
[email protected]
release (November 2021 #3)Key highlights of this release:
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.2.0
: v4.2Compare Source
Welcome to
[email protected]
release (November 2021 #2).Key highlights of this release:
gatsby-source-contentful
v7getServerData
improvementsAlso check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.1.6
Compare Source
v4.1.5
Compare Source
v4.1.4
Compare Source
v4.1.3
Compare Source
v4.1.2
Compare Source
v4.1.1
Compare Source
v4.1.0
: v4.1Compare Source
Welcome to
[email protected]
release (November 2021 #1).Key highlights of this release:
gatsby-config.js
Also check out notable bugfixes.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes
Full changelog
v4.0.2
Compare Source
v4.0.1
Compare Source
v4.0.0
: v4.0.0Compare Source
Welcome to
[email protected]
release (October 2021 #1).We've released Gatsby 3 in March 2021 and now have a lot of exciting new features for Gatsby 4!
We’ve tried to make migration smooth. Please refer to the migration guide
and let us know if you encounter any issues when migrating.
Key highlights of this release:
Also check out notable bugfixes and improvements.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us knowif you have any issues.
Previous release notes for 3.14
Full changelog
Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.