react-permissible
[renovate] Update dependency gatsby to v4 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| gatsby (source, changelog) | 1.9.279 -> 4.25.7 | | | | |
GitHub Vulnerability Alerts
CVE-2023-34238
Impact
The Gatsby framework prior to versions 4.25.7 and 5.9.1 contains a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).
The following steps can be used to reproduce the vulnerability:
```sh
# Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site
# Start the Gatsby develop server
$ gatsby develop
# Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"
# Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"
```
It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.
Patches
A patch has been introduced in gatsby@4.25.7 and gatsby@5.9.1 which mitigates the issue.
Workarounds
As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.
We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
Credits
We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.
For more information
Email us at [email protected].
Release Notes
gatsbyjs/gatsby (gatsby)
v4.25.7
v4.25.6
v4.25.5
v4.25.4
v4.25.3
v4.25.2
v4.25.1
v4.25.0
v4.24.8
v4.24.7
v4.24.6
v4.24.5
v4.24.4
v4.24.3
v4.24.2
v4.24.1
v4.24.0: v4.24
Welcome to gatsby@4.24.0 release (September 2022 #2)
Key highlights of this release:
Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.
v4.23.1
v4.23.0: v4.23
Welcome to gatsby@4.23.0 release (September 2022 #1)
Key highlights of this release:
v4.22.1
v4.22.0: v4.22
Welcome to gatsby@4.22.0 release (August 2022 #3)
Key highlights of this release:
v4.21.1
v4.21.0: v4.21
Welcome to gatsby@4.21.0 release (August 2022 #2)
Key highlights of this release:
v4.20.0: v4.20
Welcome to gatsby@4.20.0 release (August 2022 #1)
Key highlights of this release:
- RFC for changes in sort and aggregation fields in Gatsby GraphQL Schema
- Release Candidate for gatsby-plugin-mdx v4 - Support for MDX v2 and more!
v4.19.2
v4.19.1
v4.19.0: v4.19
Welcome to gatsby@4.19.0 release (July 2022 #2)
Key highlights of this release:
- Gatsby Head API - Better performance & more future-proof than react-helmet
- Release Candidate for gatsby-plugin-mdx v4 - Support for MDX v2 and more!
v4.18.2
v4.18.1
v4.18.0: v4.18
Welcome to gatsby@4.18.0 release (July 2022 #1)
Key highlights of this release:
- typesOutputPath option for GraphQL Typegen - Configure the location of the generated TypeScript types
- Server Side Rendering (SSR) in development - Find bugs & hydration errors more easily during gatsby develop
- Open RFCs - MDX v2 & Metadata management
v4.17.2
v4.17.1
v4.17.0: v4.17
Welcome to gatsby@4.17.0 release (June 2022 #2)
Key highlights of this release:
- JavaScript and CSS bundling performance improvements
- Incremental builds performance improvements
- Open RFCs
v4.16.0: v4.16
Welcome to gatsby@4.16.0 release (June 2022 #1)
Key highlights of this release:
Also check out notable bugfixes.
v4.15.2
v4.15.1
v4.15.0: v4.15
Welcome to gatsby@4.15.0 release (May 2022 #2)
Key highlights of this release:
Also check out notable bugfixes.
v4.14.1
v4.14.0: v4.14
Welcome to gatsby@4.14.0 release (May 2022 #1)
Key highlights of this release:
- Experimental: GraphQL Typegen
- Improvements in Image and Font Loading Times
- Gatsby Functions Body Parsing Configuration
- gatsby-source-drupal: Image CDN Support
- Updated Default Starter
Also check out notable bugfixes.
v4.13.1
v4.13.0: v4.13
Welcome to gatsby@4.13.0 release (April 2022 #2)
Key highlights of this release:
Also check out notable bugfixes.
v4.12.1
v4.12.0: v4.12
Welcome to gatsby@4.12.0 release (April 2022 #1)
Key highlights of this release:
Also check out notable bugfixes.
v4.11.3
v4.11.2
v4.11.1
v4.11.0: v4.11
Welcome to gatsby@4.11.0 release (March 2022 #3)
Key highlights of this release:
Also check out notable bugfixes.
v4.10.3
v4.10.2
v4.10.1
v4.10.0: v4.10
Welcome to gatsby@4.10.0 release (March 2022 #2)
Key highlights of this release:
Also check out notable bugfixes.
v4.9.3
v4.9.2
v4.9.1
v4.9.0: v4.9
Welcome to gatsby@4.9.0 release (March 2022 #1)
Key highlights of this release:
Also check out notable bugfixes.
v4.8.2
v4.8.1
v4.8.0: v4.8
Welcome to gatsby@4.8.0 release (February 2022 #2)
Key highlights of this release:
- Support for TypeScript in gatsby-browser and gatsby-ssr
- New TypeScript option when creating Gatsby projects from the CLI
- Significant memory usage reduction when filtering and sorting nodes
- New APIs in gatsby-core-utils and gatsby-plugin-utils
Also check out notable bugfixes.
v4.7.2
v4.7.1
v4.7.0: v4.7
Welcome to gatsby@4.7.0 release (February 2022 #1)
Key highlights of this release:
- trailingSlash Option - Now built into the Framework itself
- Faster Schema Creation & createPages - Speed improvements of at least 30%
Also check out notable bugfixes.
v4.6.2
v4.6.1
v4.6.0: v4.6
Welcome to gatsby@4.6.0 release (January 2022 #2)
Key highlights of this release:
- Speeding Up Subsequent Queries
- Tracking Image Changes in Markdown Files
- New Major Version for gatsby-plugin-utils
Also check out notable bugfixes.
Previous release notes
v4.5.5
v4.5.4
v4.5.3
v4.5.2
v4.5.1
v4.5.0: v4.5
Welcome to gatsby@4.5.0 release (January 2022 #1)
Key highlights of this release:
- Gracefully Handling Browser Cache Issues
- TypeScript Types for getServerData
- Deprecation of gatsby-recipes
Also check out notable bugfixes.
v4.4.0: v4.4
Welcome to gatsby@4.4.0 release (December 2021 #1)
Key highlights of this release:
Also check out notable bugfixes.
v4.3.0: v4.3
Welcome to gatsby@4.3.0 release (November 2021 #3)
Key highlights of this release:
Also check out notable bugfixes.
v4.2.0: v4.2
Welcome to gatsby@4.2.0 release (November 2021 #2).
Key highlights of this release:
Also check out notable bugfixes.
v4.1.6
v4.1.5
v4.1.4
v4.1.3
v4.1.2
v4.1.1
v4.1.0: v4.1
Welcome to gatsby@4.1.0 release (November 2021 #1).
Key highlights of this release:
- Support for Deferred Static Generation in File System Route API
- JSX Runtime Options in gatsby-config.js
Also check out notable bugfixes.
v4.0.2
v4.0.1
v4.0.0: v4.0.0
Welcome to gatsby@4.0.0 release (October 2021 #1).
We released Gatsby 3 in March 2021 and now have a lot of exciting new features for Gatsby 4! We've tried to make migration smooth. Please refer to the migration guide and let us know if you encounter any issues when migrating.
Key highlights of this release:
- Parallel Query Running - up to 40% reduction in build times
- Deferred Static Generation (DSG) - defer page generation to user request, speeding up build times
- Server-Side Rendering (SSR) - pre-render a page with data that is fetched when a user visits the page
Also check out notable bugfixes and improvements.
Previous release notes for 3.14
v3.15.0
v3.14.6
v3.14.5
v3.14.4
v3.14.3
v3.14.2
v3.14.1
v3.14.0: v3.14 (September 2021 #1)
Welcome to gatsby@3.14.0 release (September 2021 #1)
This is the final minor release for gatsby v3. Gatsby v4 beta is already published behind the next npm tag and the next stable release will be gatsby@4.0.0. See what's inside! We will keep publishing patches for 3.14.x with hotfixes until 4.0.0 stable is published and at least several weeks after.
Key highlights of this release:
- Better UX for navigation in the middle of deployment
- New developer tools - createPages snippet in GraphiQL and new GraphQL capability
- Preparations for gatsby v4 - API deprecations; migration guide; docs
- Improvements for gatsby-source-drupal
- New home for gatsby-plugin-netlify
Also, check out notable bugfixes.
Previous release notes
v3.13.1
v3.13.0: v3.13 (August 2021 #3)
Welcome to gatsby@3.13.0 release (August 2021 #3)
Key highlights of this release:
- Improved Changelogs - Better structured and easier to read
- sharp v0.29 - Reduced install size, improved encoding time, and improved AVIF image quality
- Faster Sourcing for gatsby-source-drupal - Speed up fetching data by around 4x
- webpack Caching in Development for Everyone - Activating it for all users
Also check out notable bugfixes.
v3.12.1
v3.12.0: v3.12 (August 2021 #2)
Welcome to gatsby@3.12.0 release (August 2021 #2)
Key highlights of this release:
- webpack dev server caching - opt-in 20% of users
- Improvements to gatsby-source-shopify - Add compat for breaking change in Shopify's API
- Improvements to gatsby-source-wordpress - Support for generating WebP images in HTML fields
Also check out notable bugfixes.
v3.11.1
v3.11.0: v3.11 (August 2021 #1)
Welcome to gatsby@3.11.0 release (August 2021 #1)
Key highlights of this release:
- Improvements to Parallel Query Running - Better performance and more configurable
Also check out notable bugfixes.
v3.10.2
v3.10.1
v3.10.0: v3.10 (July 2021 #2)
Welcome to gatsby@3.10.0 release (July 2021 #2)
Key highlights of this release:
- Experimental: Parallel Query Running - Improves time it takes to run queries during gatsby build
- Experimental: webpack persistent caching for gatsby develop - significantly speed up start of webpack server
Also check out notable bugfixes.
v3.9.1
v3.9.0: v3.9 (July 2021 #1)
Welcome to gatsby@3.9.0 release (July 2021 #1)
Key highlights of this release:
- React 18 - New Suspense SSR Architecture - Enables SSR support for Suspense when using React 18 (Alpha)
- Shopify App for Gatsby Cloud
- gatsby-source-contentful - quality of life improvements
Also check out notable bugfixes.
Previous release notes
v3.8.1
v3.8.0: v3.8 (June 2021 #2)
Welcome to gatsby@3.8.0 release (June 2021 #2)
Key highlights of this release:
- React 18 - Alpha - React 18 Alpha is available in Gatsby
- gatsby-source-shopify v5
- Web Vitals Tracking - Analytics Plugins now support tracking Web Vitals
- webpack caching - built-in persistent caching activated for everyone
- [Improvements to Drupal integration](https://www.gatsby
Configuration
Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.