fix(deps): update dependency gatsby to v4 [security] by renovate[bot] · Pull Request #98 · woodlike/docfox

renovate · 2023-06-10T00:30:20Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
gatsby (source, changelog)	`2.24.63` → `4.25.7`

Gatsby develop server has Local File Inclusion vulnerability

CVE-2023-34238 / GHSA-c6f8-8r25-c4gc

More information

Details

Impact

The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).

The following steps can be used to reproduce the vulnerability:


##### Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site

##### Start the Gatsby develop server
$ gatsby develop

##### Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"

##### Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"

It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.

Patches

A patch has been introduced in gatsby@5.9.1 and gatsby@4.25.7 which mitigates the issue.

Workarounds

As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.

For more information

Email us at security@gatsbyjs.com.

Severity

CVSS Score: 4.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

gatsbyjs/gatsby (gatsby)

Welcome to gatsby@4.24.0 release (September 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.23.1`

Compare Source

`v4.23.0`: v4.23

Compare Source

Welcome to gatsby@4.23.0 release (September 2022 #1)

Key highlights of this release:

Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.22.1`

Compare Source

`v4.22.0`: v4.22

Compare Source

Welcome to gatsby@4.22.0 release (August 2022 #3)

Key highlights of this release:

Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.21.1`

Compare Source

`v4.21.0`: v4.21

Compare Source

Welcome to gatsby@4.21.0 release (August 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.20.0`: v4.20

Compare Source

Welcome to gatsby@4.20.0 release (August 2022 #1)

Key highlights of this release:

RFC for changes in sort and aggregation fields in Gatsby GraphQL Schema
Release Candidate for gatsby-plugin-mdx v4 - Support for MDX v2 and more!

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.19.2`

Compare Source

`v4.19.1`

Compare Source

`v4.19.0`: v4.19

Compare Source

Welcome to gatsby@4.19.0 release (July 2022 #2)

Key highlights of this release:

Gatsby Head API - Better performance & more future-proof than react-helmet
Release Candidate for gatsby-plugin-mdx v4 - Support for MDX v2 and more!

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.18.2`

Compare Source

`v4.18.1`

Compare Source

`v4.18.0`: v4.18

Compare Source

Welcome to gatsby@4.18.0 release (July 2022 #1)

Key highlights of this release:

typesOutputPath option for GraphQL Typegen - Configure the location of the generated TypeScript types
Server Side Rendering (SSR) in development - Find bugs & hydration errors more easily during gatsby develop
Open RFCs - MDX v2 & Metadata management

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.17.2`

Compare Source

`v4.17.1`

Compare Source

`v4.17.0`: v4.17

Compare Source

Welcome to gatsby@4.17.0 release (June 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.16.0`: v4.16

Compare Source

Welcome to gatsby@4.16.0 release (June 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.15.2`

Compare Source

`v4.15.1`

Compare Source

`v4.15.0`: v4.15

Compare Source

Welcome to gatsby@4.15.0 release (May 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

[Full changelog][full-changelog]

`v4.14.1`

Compare Source

`v4.14.0`: v4.14

Compare Source

Welcome to gatsby@4.14.0 release (May 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.13.1`

Compare Source

`v4.13.0`: v4.13

Compare Source

Welcome to gatsby@4.13.0 release (April 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.12.1`

Compare Source

`v4.12.0`: v4.12

Compare Source

Welcome to gatsby@4.12.0 release (April 2022 #1)

Key highlights of this release:

New RFCs

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.11.3`

Compare Source

`v4.11.2`

Compare Source

`v4.11.1`

Compare Source

`v4.11.0`: v4.11

Compare Source

Welcome to gatsby@4.11.0 release (March 2022 #3)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.10.3`

Compare Source

`v4.10.2`

Compare Source

`v4.10.1`

Compare Source

`v4.10.0`: v4.10

Compare Source

Welcome to gatsby@4.10.0 release (March 2022 #2)

Key highlights of this release:

Image CDN

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.9.3`

Compare Source

`v4.9.2`

Compare Source

`v4.9.1`

Compare Source

`v4.9.0`: v4.9

Compare Source

Welcome to gatsby@4.9.0 release (March 2022 #1)

Key highlights of this release:

Support for TypeScript in gatsby-config and gatsby-node

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.8.2`

Compare Source

`v4.8.1`

Compare Source

`v4.8.0`: v4.8

Compare Source

Welcome to gatsby@4.8.0 release (February 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.7.2`

Compare Source

`v4.7.1`

Compare Source

`v4.7.0`: v4.7

Compare Source

Welcome to gatsby@4.7.0 release (February 2022 #1)

Key highlights of this release:

trailingSlash Option - Now built into the Framework itself
Faster Schema Creation & createPages - Speed improvements of at least 30%

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.6.2`

Compare Source

`v4.6.1`

Compare Source

`v4.6.0`: v4.6

Compare Source

Welcome to gatsby@4.6.0 release (January 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.5.5`

Compare Source

`v4.5.4`

Compare Source

`v4.5.3`

Compare Source

`v4.5.2`

Compare Source

`v4.5.1`

Compare Source

`v4.5.0`: v4.5

Compare Source

Welcome to gatsby@4.5.0 release (January 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.4.0`: v4.4

Compare Source

Welcome to gatsby@4.4.0 release (December 2021 #1)

Key highlights of this release:

Detect Node Mutations

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.3.0`: v4.3

Compare Source

Welcome to gatsby@4.3.0 release (November 2021 #3)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.2.0`: v4.2

Compare Source

Welcome to gatsby@4.2.0 release (November 2021 #2).

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.1.6`

Compare Source

`v4.1.5`

Compare Source

`v4.1.4`

Compare Source

`v4.1.3`

Compare Source

`v4.1.2`

Compare Source

`v4.1.1`

Compare Source

`v4.1.0`: v4.1

Compare Source

Welcome to gatsby@4.1.0 release (November 2021 #1).

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.0.2`

Compare Source

`v4.0.1`

Compare Source

`v4.0.0`: v4.0.0

Compare Source

Welcome to gatsby@4.0.0 release (October 2021 #1).

We've released Gatsby 3 in March 2021 and now have a lot of exciting new features for Gatsby 4!
We’ve tried to make migration smooth. Please refer to the migration guide
and let us know if you encounter any issues when migrating.

Key highlights of this release:

Parallel Query Running - up to 40% reduction in build times
Deferred Static Generation (DSG) - defer page generation to user request, speeding up build times
Server-Side Rendering (SSR) - pre-render a page with data that is fetched when a user visits the page

Also check out notable bugfixes and improvements.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes for 3.14

Full changelog

`v3.15.0`

Compare Source

`v3.14.6`

Compare Source

`v3.14.5`

Compare Source

`v3.14.4`

Compare Source

`v3.14.3`

Compare Source

`v3.14.2`

Compare Source

`v3.14.1`

Compare Source

`v3.14.0`: v3.14 (September 2021 #1)

Compare Source

Welcome to gatsby@3.14.0 release (September 2021 #1)

This is the final minor release for gatsby v3. Gatsby v4 beta is already published behind the next npm tag and the next stable release will be gatsby@4.0.0. See what's inside!

We will keep publishing patches for 3.14.x with hotfixes until 4.0.0 stable is published and at least several weeks after.

Key highlights of this release:

Better UX for navigation in the middle of deployment
New developer tools - createPages snippet in GraphiQL and new GraphQL capability
Preparations for gatsby v4 - API deprecations; migration guide; docs
Improvements for gatsby-source-drupal
New home for gatsby-plugin-netlify

Also, check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v3.13.1`

Compare Source

`v3.13.0`: v3.13 (August 2021 #3)

Compare Source

Welcome to gatsby@3.13.0 release (August 2021 #3)

Key highlights of this release:

Improved Changelogs - Better structured and easier to read
sharp v0.29 - Reduced install size, improved encoding time, and improved AVIF image quality
Faster Sourcing for gatsby-source-drupal - Speed up fetching data by around 4x
webpack Caching in Development for Everyone - Activating it for all users

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v3.12.1`

Compare Source

`v3.12.0`: v3.12 (August 2021 #2)

Compare Source

Welcome to gatsby@3.12.0 release (August 2021 #2)

Key highlights of this release:

webpack dev server caching - opt-in 20% of users
Improvements to gatsby-source-shopify - Add compat for breaking change in Shopify's API
Improvements to gatsby-source-wordpress - Support for generating WebP images in HTML fields

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v3.11.1`

Compare Source

`v3.11.0`: v3.11 (August 2021 #1)

Compare Source

Welcome to gatsby@3.11.0 release (August 2021 #1)

Key highlights of this release:

Improvements to Parallel Query Running - Better performance and more configurable

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v3.10.2`

Compare Source

`v3.10.1`

Compare Source

`v3.10.0`: v3.10 (July 2021 #2)

Compare Source

Welcome to gatsby@3.10.0 release (July 2021 #2)

Key hig

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot changed the title ~~chore(deps): update dependency gatsby to v4 [security]~~ chore(deps): update dependency gatsby to v4 [security] - autoclosed Jul 26, 2023

renovate Bot closed this Jul 26, 2023

renovate Bot deleted the renovate/npm-gatsby-vulnerability branch July 26, 2023 07:35

renovate Bot changed the title ~~chore(deps): update dependency gatsby to v4 [security] - autoclosed~~ chore(deps): update dependency gatsby to v4 [security] Jul 26, 2023

renovate Bot reopened this Jul 26, 2023

renovate Bot restored the renovate/npm-gatsby-vulnerability branch July 26, 2023 10:29

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from c0382e5 to b711a82 Compare July 26, 2023 10:29

renovate Bot changed the title ~~chore(deps): update dependency gatsby to v4 [security]~~ fix(deps): update dependency gatsby to v4 [security] Dec 10, 2024

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch 2 times, most recently from 2f82a6c to 39745d4 Compare August 13, 2025 13:41

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 39745d4 to d5b10a9 Compare August 19, 2025 19:42

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from d5b10a9 to 807af1f Compare August 31, 2025 11:02

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 807af1f to bc8cef6 Compare September 25, 2025 20:24

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from bc8cef6 to 1a4c8fd Compare October 21, 2025 13:57

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 1a4c8fd to 81753ad Compare November 11, 2025 00:58

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 81753ad to 04eb77f Compare November 18, 2025 13:50

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 04eb77f to 866f35b Compare December 3, 2025 17:52

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 866f35b to 694786c Compare December 31, 2025 17:14

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 694786c to b552117 Compare January 8, 2026 18:12

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from b552117 to f4380b5 Compare January 19, 2026 20:00

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from f4380b5 to 1f69ad9 Compare February 2, 2026 21:15

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch 2 times, most recently from 9402d5e to 2ac5ba7 Compare February 17, 2026 19:57

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 2ac5ba7 to 4b0296d Compare March 5, 2026 19:53

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 4b0296d to 51a3842 Compare March 13, 2026 14:49

renovate Bot changed the title ~~fix(deps): update dependency gatsby to v4 [security]~~ fix(deps): update dependency gatsby to v4 [security] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/npm-gatsby-vulnerability branch March 27, 2026 01:25

renovate Bot changed the title ~~fix(deps): update dependency gatsby to v4 [security] - autoclosed~~ fix(deps): update dependency gatsby to v4 [security] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch 2 times, most recently from 873d1a8 to 827e42d Compare April 1, 2026 19:54

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 827e42d to bb0358d Compare April 8, 2026 20:05

renovate Bot changed the title ~~fix(deps): update dependency gatsby to v4 [security]~~ fix(deps): update dependency gatsby to v4 [security] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

renovate Bot changed the title ~~fix(deps): update dependency gatsby to v4 [security] - autoclosed~~ fix(deps): update dependency gatsby to v4 [security] Apr 27, 2026

renovate Bot reopened this Apr 27, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch 3 times, most recently from 8090c70 to c621c4c Compare April 29, 2026 19:04

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from c621c4c to baadf2b Compare May 12, 2026 12:04

fix(deps): update dependency gatsby to v4 [security]

38bb227

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from baadf2b to 38bb227 Compare May 18, 2026 12:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency gatsby to v4 [security]#98

fix(deps): update dependency gatsby to v4 [security]#98
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-gatsby-vulnerability

renovate Bot commented Jun 10, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Jun 10, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Gatsby develop server has Local File Inclusion vulnerability

Details

Impact

Patches

Workarounds

Credits

For more information

Severity

References

Release Notes

v4.24.0: v4.24

v4.23.0: v4.23

v4.22.0: v4.22

v4.21.0: v4.21

v4.20.0: v4.20

v4.19.0: v4.19

v4.18.0: v4.18

v4.17.0: v4.17

v4.16.0: v4.16

v4.15.0: v4.15

v4.14.0: v4.14

v4.13.0: v4.13

v4.12.0: v4.12

v4.11.0: v4.11

v4.10.0: v4.10

v4.9.0: v4.9

v4.8.0: v4.8

v4.7.0: v4.7

v4.6.0: v4.6

v4.5.0: v4.5

v4.4.0: v4.4

v4.3.0: v4.3

v4.2.0: v4.2

v4.1.0: v4.1

v4.0.0: v4.0.0

v3.14.0: v3.14 (September 2021 #​1)

v3.13.0: v3.13 (August 2021 #​3)

v3.12.0: v3.12 (August 2021 #​2)

v3.11.0: v3.11 (August 2021 #​1)

v3.10.0: v3.10 (July 2021 #​2)

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Jun 10, 2023 •

edited

Loading

`v4.24.0`: v4.24

`v4.23.0`: v4.23

`v4.22.0`: v4.22

`v4.21.0`: v4.21

`v4.20.0`: v4.20

`v4.19.0`: v4.19

`v4.18.0`: v4.18

`v4.17.0`: v4.17

`v4.16.0`: v4.16

`v4.15.0`: v4.15

`v4.14.0`: v4.14

`v4.13.0`: v4.13

`v4.12.0`: v4.12

`v4.11.0`: v4.11

`v4.10.0`: v4.10

`v4.9.0`: v4.9

`v4.8.0`: v4.8

`v4.7.0`: v4.7

`v4.6.0`: v4.6

`v4.5.0`: v4.5

`v4.4.0`: v4.4

`v4.3.0`: v4.3

`v4.2.0`: v4.2

`v4.1.0`: v4.1

`v4.0.0`: v4.0.0

`v3.14.0`: v3.14 (September 2021 #1)

`v3.13.0`: v3.13 (August 2021 #3)

`v3.12.0`: v3.12 (August 2021 #2)

`v3.11.0`: v3.11 (August 2021 #1)

`v3.10.0`: v3.10 (July 2021 #2)