New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency gatsby-source-wordpress to v4 [security] #58

Open

renovate wants to merge 1 commit into master from renovate/npm-gatsby-source-wordpress-vulnerability

renovate bot commented Jul 11, 2023 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
gatsby-source-wordpress (source)	`^3.2.5` -> `^4.0.0`

GitHub Vulnerability Alerts

CVE-2021-32770

Impact

The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected.

Example affected gatsby-config.js:

      resolve: 'gatsby-source-wordpress',
        auth: {
          htaccess: {
            username: leaked_username
            password: leaked_password,
          },
        },

Patches

A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the auth: { } section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run gatsby clean followed by a gatsby build.

Workarounds

There is no known workaround at this time, other than manually editing the app.js file post-build.

For more information

Email us at security@gatsbyjs.com

Release Notes

gatsbyjs/gatsby (gatsby-source-wordpress)

`v4.0.8`

Other Changes

run setGatsbyApiToState in onPreInit to delete auth options #32339 (f49a976)

`v4.0.7`

Bug Fixes

Backporting auth leak fix fix #32315 (98e726f)

`v4.0.6`

Bug Fixes

schema customization errors #30358 #30650 (8d7c3a1)

`v4.0.5`

Bug Fixes

image fixes fixes #29813 fixes #29881 (c7a6e9f)

`v4.0.4`

Bug Fixes

auto-rename types named "Filter" #29718 #29884 (8986b12)
HTML image regex's #29778 #29883 (c2ea9b9)

`v4.0.3`

Other Changes

fix(gatsby-source-wordpress):issue #29535 not finished createSchemaCu… #29535 #29554 #29712 (d806703)

`v4.0.2`

Note: Version bump only for package gatsby-source-wordpress

`v4.0.1`

Note: Version bump only for package gatsby-source-wordpress

`v4.0.0`

🧾 Release notes

Other Changes

launch gatsby-source-wordpress v4 #29150 #29330 #29150 (0a31b64)

`v3.11.0`

🧾 Release notes

Note: Version bump only for package gatsby-source-wordpress

`v3.10.0`

🧾 Release notes

Bug Fixes

update vulnerable packages, include React 17 in peerDeps #28545 (18b5f30)

Chores

Fix all /packages links to /plugins Fix #28816 (200e307)

3.9.1 (2021-01-16)

Note: Version bump only for package gatsby-source-wordpress

`v3.9.1`

Note: Version bump only for package gatsby-source-wordpress

`v3.9.0`

🧾 Release notes

Note: Version bump only for package gatsby-source-wordpress

3.8.1 (2020-12-23)

Note: Version bump only for package gatsby-source-wordpress

`v3.8.1`

Note: Version bump only for package gatsby-source-wordpress

`v3.8.0`

🧾 Release notes

Chores

update dependency cross-env to ^7.0.3 #28505 (a819b9b)

`v3.7.0`

🧾 Release notes

Note: Version bump only for package gatsby-source-wordpress

3.6.1 (2020-11-23)

Note: Version bump only for package gatsby-source-wordpress

`v3.6.1`

Note: Version bump only for package gatsby-source-wordpress

`v3.6.0`

🧾 Release notes

Chores

update babel monorepo #27528 (539dbb0)

`v3.5.0`

🧾 Release notes

Note: Version bump only for package gatsby-source-wordpress

`v3.4.2`

`v3.4.1`

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot changed the title ~~fix(deps): update dependency gatsby-source-wordpress to v4 [security]~~ fix(deps): update dependency gatsby-source-wordpress to v4 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-gatsby-source-wordpress-vulnerability branch

April 3, 2024 13:19

renovate bot changed the title ~~fix(deps): update dependency gatsby-source-wordpress to v4 [security] - autoclosed~~ fix(deps): update dependency gatsby-source-wordpress to v4 [security]

renovate bot reopened this

renovate bot restored the renovate/npm-gatsby-source-wordpress-vulnerability branch

April 3, 2024 15:15


          fix(deps): update dependency gatsby-source-wordpress to v4 [security]

19f70d5

renovate bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from 009347f to 19f70d5 Compare

April 3, 2024 15:17

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment