-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency gatsby to v5.9.1 [SECURITY] #71
Open
renovate
wants to merge
1
commit into
main
Choose a base branch
from
renovate/npm-gatsby-vulnerability
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
June 18, 2023 05:45
bdff95d
to
0d4396a
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
June 22, 2023 14:46
0d4396a
to
256947e
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
June 30, 2023 03:01
256947e
to
90794f3
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
July 10, 2023 11:58
471a45f
to
ae6574e
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
July 20, 2023 02:48
51e413e
to
9989f9c
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
August 3, 2023 02:27
710b0e9
to
b497dfd
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 11, 2023 02:19
b497dfd
to
fb66995
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
August 27, 2023 20:55
df46dfb
to
920c354
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
September 20, 2023 02:34
920c354
to
8686a59
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
September 29, 2023 22:55
b0d48c9
to
27d5a56
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
October 16, 2023 08:54
8b0ed79
to
5d50e83
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
October 24, 2023 23:23
5d50e83
to
6227116
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
November 7, 2023 17:51
6227116
to
90422ae
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
November 17, 2023 05:46
90422ae
to
03244f1
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
December 5, 2023 08:25
03244f1
to
7feafc3
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
February 5, 2024 05:33
63b0f8c
to
b202070
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
February 27, 2024 08:38
b202070
to
5f9542d
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
March 13, 2024 08:48
5f9542d
to
89f7d30
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
March 25, 2024 02:48
892b0b5
to
2c5ec35
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
April 22, 2024 23:42
6e792c4
to
8a8eb0c
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
April 26, 2024 02:42
8a8eb0c
to
63f3541
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
June 5, 2024 05:39
63f3541
to
c633270
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
July 24, 2024 02:50
c633270
to
8e58f58
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 9, 2024 23:54
8e58f58
to
801ecb4
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 28, 2024 20:57
801ecb4
to
a2d7a45
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
October 10, 2024 02:55
a2d7a45
to
28ca8c6
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
December 3, 2024 02:54
28ca8c6
to
8e1a9ea
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.3.3
->5.9.1
GitHub Vulnerability Alerts
CVE-2023-34238
Impact
The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the
__file-code-frame
and__original-stack-frame
paths, exposed when running the Gatsby develop server (gatsby develop
).The following steps can be used to reproduce the vulnerability:
It should be noted that by default
gatsby develop
is only accessible via the localhost127.0.0.1
, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as--host 0.0.0.0
,-H 0.0.0.0
, or theGATSBY_HOST=0.0.0.0
environment variable.Patches
A patch has been introduced in
gatsby@5.9.1
andgatsby@4.25.7
which mitigates the issue.Workarounds
As stated above, by default
gatsby develop
is only exposed to the localhost127.0.0.1
. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
Credits
We would like to thank Maxwell Garrett of Assetnote for bringing the
__file-code-frame
issue to our attention.For more information
Email us at security@gatsbyjs.com.
Release Notes
gatsbyjs/gatsby (gatsby)
v5.9.1
Compare Source
v5.9.0
Compare Source
v5.8.1
Compare Source
v5.8.0
Compare Source
v5.7.0
: v5.7.0Compare Source
Welcome to
gatsby@5.7.0
release (February 2023 #2)This release focused on bug fixes and perf improvements. Check out notable bugfixes and improvements.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v5.6.1
Compare Source
v5.6.0
: v5.6.0Compare Source
Welcome to
gatsby@5.6.0
release (February 2023 #1)Key highlights of this release:
wrapRootElement
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v5.5.0
Compare Source
v5.4.2
Compare Source
v5.4.1
Compare Source
v5.4.0
: v5.4.0Compare Source
Welcome to
gatsby@5.4.0
release (January 2023 #1)The whole team took time off for a much deserved winter break and we hope you had relaxing holidays, too! Before the break we spent time doing maintenance work such as updating internal dependencies or fixing some smaller bugs here and there. In case you missed it, we shipped ES Modules (ESM) in Gatsby files in the last release.
So check out the notable bugfixes section to learn more.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.