-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency gatsby to v5.9.1 [security] #482
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-gatsby-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
June 29, 2023 12:14
59bd63c
to
15677c4
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
July 6, 2023 15:57
15677c4
to
c87020e
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
July 9, 2023 11:06
c87020e
to
7834b59
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
July 16, 2023 14:21
7834b59
to
91315a7
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
July 19, 2023 09:48
91315a7
to
5894e25
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
July 27, 2023 20:09
5894e25
to
b496c30
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 1, 2023 15:21
b496c30
to
b32bd91
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 9, 2023 12:10
b32bd91
to
124be0f
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 22, 2023 17:40
124be0f
to
e35d79b
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 27, 2023 11:48
e35d79b
to
9151c56
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
September 11, 2023 02:10
9151c56
to
b1d042a
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
September 19, 2023 12:31
b1d042a
to
a702c2a
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
September 26, 2023 15:45
a702c2a
to
d1db90a
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
September 28, 2023 14:48
d1db90a
to
c1b2bd4
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
October 23, 2023 16:01
370ce29
to
fd1f882
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
November 6, 2023 08:53
fd1f882
to
39e5bda
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
November 16, 2023 08:04
39e5bda
to
68c62c1
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
December 3, 2023 12:27
68c62c1
to
30a9f3d
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
February 4, 2024 10:57
a6324f5
to
c45d7ae
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
February 25, 2024 09:08
c45d7ae
to
00f07d5
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
March 12, 2024 10:34
cbf1c35
to
356f655
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
March 24, 2024 17:03
007f5fc
to
815fecb
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
April 21, 2024 08:23
2a70a34
to
e60a2e4
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
April 25, 2024 08:09
e60a2e4
to
54e3660
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
June 4, 2024 10:42
54e3660
to
00f11fe
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
July 23, 2024 13:54
c9fda35
to
7eb54ce
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
2 times, most recently
from
August 10, 2024 06:00
4d000b8
to
d5da202
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 14, 2024 19:27
d5da202
to
f707157
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
August 28, 2024 06:40
f707157
to
b259a0a
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
October 9, 2024 10:38
b259a0a
to
74f956b
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
October 16, 2024 21:31
74f956b
to
592d212
Compare
renovate
bot
force-pushed
the
renovate/npm-gatsby-vulnerability
branch
from
December 2, 2024 10:36
592d212
to
dc55f38
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.4.2
->5.9.1
GitHub Vulnerability Alerts
CVE-2023-34238
Impact
The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the
__file-code-frame
and__original-stack-frame
paths, exposed when running the Gatsby develop server (gatsby develop
).The following steps can be used to reproduce the vulnerability:
It should be noted that by default
gatsby develop
is only accessible via the localhost127.0.0.1
, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as--host 0.0.0.0
,-H 0.0.0.0
, or theGATSBY_HOST=0.0.0.0
environment variable.Patches
A patch has been introduced in
[email protected]
and[email protected]
which mitigates the issue.Workarounds
As stated above, by default
gatsby develop
is only exposed to the localhost127.0.0.1
. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
Credits
We would like to thank Maxwell Garrett of Assetnote for bringing the
__file-code-frame
issue to our attention.For more information
Email us at [email protected].
Release Notes
gatsbyjs/gatsby (gatsby)
v5.9.1
Compare Source
v5.9.0
Compare Source
v5.8.1
Compare Source
v5.8.0
Compare Source
v5.7.0
: v5.7.0Compare Source
Welcome to
[email protected]
release (February 2023 #2)This release focused on bug fixes and perf improvements. Check out notable bugfixes and improvements.
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v5.6.1
Compare Source
v5.6.0
: v5.6.0Compare Source
Welcome to
[email protected]
release (February 2023 #1)Key highlights of this release:
wrapRootElement
Bleeding Edge: Want to try new features as soon as possible? Install
gatsby@next
and let us know if you have any issues.Previous release notes
Full changelog
v5.5.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.