
fix(deps): update dependency gatsby-transformer-remark to v5 [security] #116

Open. renovate[bot] wants to merge 1 commit into master from renovate/npm-gatsby-transformer-remark-vulnerability.
Conversation

renovate[bot]

@renovate renovate bot commented Mar 16, 2023

Mend Renovate

This PR contains the following updates:

Package: gatsby-transformer-remark (source)
Change: ^4.0.0 -> ^5.25.1
Age / Adoption / Passing / Confidence: badges

GitHub Vulnerability Alerts

CVE-2023-22491

Impact

The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the gray-matter npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build server.

To exploit this vulnerability, untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. The following payload demonstrates a vulnerable configuration:

    ---js
    ((require("child_process")).execSync("id >> /tmp/rce"))
    ---

Patches

A patch has been introduced in gatsby-transformer-remark@5.25.1 and gatsby-transformer-remark@6.3.2 which mitigates the issue by disabling the gray-matter JavaScript Frontmatter engine. The patch introduces a new option, JSFrontmatterEngine, which is set to false by default. When setting JSFrontmatterEngine to true, input passed to gatsby-plugin-mdx must be sanitized before processing to avoid a security risk. Warnings are displayed when JSFrontmatterEngine is set to true or if it appears that the MarkdownRemark input is attempting to use the Frontmatter engine.

Workarounds

If an older version of gatsby-transformer-remark must be used, input passed into the plugin should be sanitized ahead of processing.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

For more information

Email us at security@gatsbyjs.com.


Release Notes

gatsbyjs/gatsby (gatsby-transformer-remark)

v5.25.1, v5.25.0: no release notes listed.
v5.24.0: version bump only for package gatsby-transformer-remark; includes 5.23.1 (2022-09-22), version bump only.
v5.23.1: version bump only.
v5.23.0: Chores (entries not listed).
v5.22.0, v5.21.0, v5.20.0: version bump only.
v5.19.0: version bump only; includes 5.18.1 (2022-07-12), version bump only.
v5.18.1, v5.18.0, v5.17.0: version bump only.
v5.16.0: version bump only; includes 5.15.1 (2022-06-01), version bump only.
v5.15.1, v5.15.0, v5.14.0: version bump only.
v5.13.0: version bump only; includes 5.12.1 (2022-04-13), version bump only.
v5.12.1: version bump only.
v5.12.0: version bump only; includes 5.11.1 (2022-03-31), version bump only.
v5.11.1: version bump only.
v5.11.0: version bump only; includes 5.10.2 (2022-03-23) and 5.10.1 (2022-03-18), both version bump only.
v5.10.2, v5.10.1: version bump only.
v5.10.0: version bump only; includes 5.9.1 (2022-03-09), version bump only.
v5.9.1: version bump only.
v5.9.0: Chores (entries not listed); includes 5.8.2 (2022-03-01) and 5.8.1 (2022-02-25), both version bump only.
v5.8.2, v5.8.1, v5.8.0: version bump only.
v5.7.0: Bug Fixes: update dependency underscore.string to ^3.3.6 for gatsby-transformer-remark #34653 (1d2530e).
v5.6.0: Bug Fixes (entries not listed); includes 5.5.2 (2022-01-17) and 5.5.1 (2022-01-12), both version bump only.
v5.5.2, v5.5.1: version bump only.
v5.5.0: Chores (entries not listed).
v5.4.0, v5.3.0: version bump only.
v5.2.0: Bug Fixes (entries not listed); includes 5.1.4 (2021-11-15), 5.1.3 (2021-11-11) and 5.1.2 (2021-11-10), all version bump only, and 5.1.1 (2021-11-09), Bug Fixes (entries not listed).
v5.1.4, v5.1.3, v5.1.2: version bump only.
v5.1.1: Bug Fixes (entries not listed).
v5.1.0: Bug Fixes: update minor and patch dependencies for gatsby-transformer-remark #32613 (a1b315f).
v5.0.0: Features, Chores, Other Changes (entries not listed).
v4.12.0: no release notes listed.
v4.11.0: Features: use subplugin annotation to use automatic subplugin module loading #33039 (3260b1a). Chores (entries not listed). Other Changes: Revert "chore(release): Publish next" (a0c4d44).
v4.10.0, v4.9.0: Chores (entries not listed).
v4.8.0: version bump only.
v4.7.0: Chores (entries not listed).
v4.6.0: version bump only.
v4.5.0: Chores (entries not listed); includes 4.4.1 (2021-06-10), Chores (entries not listed).
v4.4.1, v4.4.0: Chores (entries not listed).
v4.3.0: version bump only.
v4.2.0: Bug Fixes: Activate footnotes by default & remove included options with remark v13 #31019 (a35d615).
v4.1.0: Bug Fixes (entries not listed).
Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
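The advisory above explains that gray-matter picks its parsing engine from a language name written after the opening frontmatter delimiter (`---js` in the payload shown), and the Workarounds section says older plugin versions need input sanitized ahead of processing. The following is an added example, not code from Gatsby, gray-matter or this PR: a pre-check a build script or source plugin can run on each Markdown file before gatsby-transformer-remark sees it, refusing any frontmatter that selects a non-YAML engine. It assumes gray-matter's documented behaviour of reading the language name from the rest of the first line; the function and sample names are the example's own.

```javascript
// Added example (not the Gatsby project's or gray-matter's code): a
// frontmatter pre-check implementing the "sanitize input ahead of
// processing" workaround for CVE-2023-22491.
//
// Assumption: gray-matter treats whatever follows the opening delimiter on
// the first line ("---js", "---javascript", "---json", ...) as the engine
// name, and its JavaScript engine evaluates the block at build time.

const FRONTMATTER_DELIMITER = "---";
// Only plain YAML (the default when no engine name is given) is accepted.
const ALLOWED_LANGUAGES = new Set(["", "yaml", "yml"]);

// Reports which engine the frontmatter in `source` would select.
// A leading UTF-8 BOM is skipped so it cannot hide the delimiter.
function inspectFrontmatter(source) {
  const text = source.charCodeAt(0) === 0xfeff ? source.slice(1) : source;
  const firstLine = text.split(/\r?\n/, 1)[0];
  if (!firstLine.startsWith(FRONTMATTER_DELIMITER)) {
    return { hasFrontmatter: false, language: null, allowed: true };
  }
  // The remainder of the first line is the engine selector.
  const language = firstLine
    .slice(FRONTMATTER_DELIMITER.length)
    .trim()
    .toLowerCase();
  return { hasFrontmatter: true, language, allowed: ALLOWED_LANGUAGES.has(language) };
}

// Fails loudly on a file whose frontmatter would reach a non-YAML engine.
// Throwing, rather than silently stripping the block, stops the build and
// surfaces the file for review instead of quietly ingesting it.
function assertSafeFrontmatter(source, fileName = "<unknown>") {
  const report = inspectFrontmatter(source);
  if (!report.allowed) {
    throw new Error(
      `${fileName}: frontmatter selects the "${report.language}" engine; ` +
        "only YAML frontmatter is permitted"
    );
  }
  return report;
}

// Constructed sample inputs (not real site content).
const SAMPLE_YAML = "---\ntitle: Hello\ndate: 2023-03-16\n---\n# Body\n";
const SAMPLE_JS = "---js\nmodule.exports = { title: 'Hello' }\n---\n# Body\n";
const SAMPLE_NONE = "# Just a heading\n\nNo frontmatter here.\n";

// Runs the check over the three samples and returns the reports.
function demo() {
  return [SAMPLE_YAML, SAMPLE_JS, SAMPLE_NONE].map((s) => inspectFrontmatter(s));
}
```

Run `assertSafeFrontmatter(text, path)` over every file a source plugin hands to the transformer; with the patched plugin and JSFrontmatterEngine left at its default of false this is defence in depth, with an unpatched plugin it is the workaround.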

@renovate renovate bot changed the title fix(deps): update dependency gatsby-transformer-remark to v6 [security] fix(deps): update dependency gatsby-transformer-remark to v5 [security] Mar 25, 2023
@renovate renovate bot force-pushed the renovate/npm-gatsby-transformer-remark-vulnerability branch from 461d80f to 1e77f46 Compare March 25, 2023 02:52
@codecov

codecov bot commented Mar 25, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.82%. Comparing base (d6a81c4) to head (7fc7f05).
Report is 1 commit behind head on master.

Current head 7fc7f05 differs from pull request most recent head b3462dc

Please upload reports for the commit b3462dc to get more accurate results.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #116   +/-   ##
=======================================
  Coverage   93.82%   93.82%           
=======================================
  Files          14       14           
  Lines         356      356           
  Branches       81       81           
=======================================
  Hits          334      334           
  Misses         21       21           
  Partials        1        1           

