fix(deps): update dependency gatsby to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
gatsby (source, changelog)	^3.0.0 -> ^4.25.7

GitHub Vulnerability Alerts

CVE-2023-34238

Impact

The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).

The following steps can be used to reproduce the vulnerability:

# Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site

# Start the Gatsby develop server
$ gatsby develop

# Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"

# Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"

It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.

Patches

A patch has been introduced in gatsby@5.9.1 and gatsby@4.25.7 which mitigates the issue.

Workarounds

As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.

For more information

Email us at security@gatsbyjs.com.

---

Release Notes

gatsbyjs/gatsby (gatsby)

v4.25.7

Compare Source

v4.25.6

Compare Source

v4.25.5

Compare Source

v4.25.4

Compare Source

v4.25.3

Compare Source

v4.25.2

Compare Source

v4.25.1

Compare Source

v4.25.0

Compare Source

v4.24.8

Compare Source

v4.24.7

Compare Source

v4.24.6

Compare Source

v4.24.5

Compare Source

v4.24.4

Compare Source

v4.24.3

Compare Source

v4.24.2

Compare Source

v4.24.1

Compare Source

v4.24.0: v4.24

Compare Source

Welcome to gatsby@4.24.0 release (September 2022 #2)

Key highlights of this release:

• Gatsby 5 Alpha
• Updating File System Routes on data changes

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.23.1

Compare Source

v4.23.0: v4.23

Compare Source

Welcome to gatsby@4.23.0 release (September 2022 #1)

Key highlights of this release:

• Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.22.1

Compare Source

v4.22.0: v4.22

Compare Source

Welcome to gatsby@4.22.0 release (August 2022 #3)

Key highlights of this release:

• Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.21.1

Compare Source

v4.21.0: v4.21

Compare Source

Welcome to gatsby@4.21.0 release (August 2022 #2)

Key highlights of this release:

• gatsby-plugin-mdx v4
• Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.20.0: v4.20

Compare Source

Welcome to gatsby@4.20.0 release (August 2022 #1)

Key highlights of this release:

• RFC for changes in sort and aggregation fields in Gatsby GraphQL Schema
• Release Candidate for gatsby-plugin-mdx v4 - Support for MDX v2 and more!

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.19.2

Compare Source

v4.19.1

Compare Source

v4.19.0: v4.19

Compare Source

Welcome to gatsby@4.19.0 release (July 2022 #2)

Key highlights of this release:

• Gatsby Head API - Better performance & more future-proof than react-helmet
• Release Candidate for gatsby-plugin-mdx v4 - Support for MDX v2 and more!

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.18.2

Compare Source

v4.18.1

Compare Source

v4.18.0: v4.18

Compare Source

Welcome to gatsby@4.18.0 release (July 2022 #1)

Key highlights of this release:

• typesOutputPath option for GraphQL Typegen - Configure the location of the generated TypeScript types
• Server Side Rendering (SSR) in development - Find bugs & hydration errors more easily during gatsby develop
• Open RFCs - MDX v2 & Metadata management

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.17.2

Compare Source

v4.17.1

Compare Source

v4.17.0: v4.17

Compare Source

Welcome to gatsby@4.17.0 release (June 2022 #2)

Key highlights of this release:

• JavaScript and CSS bundling performance improvements
• Incremental builds performance improvements
• Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.16.0: v4.16

Compare Source

Welcome to gatsby@4.16.0 release (June 2022 #1)

Key highlights of this release:

• Speed Improvements for Image Processing
• useContentfulImage hook
• Node 18 Compatibility

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.15.2

Compare Source

v4.15.1

Compare Source

v4.15.0: v4.15

Compare Source

Welcome to gatsby@4.15.0 release (May 2022 #2)

Key highlights of this release:

• Script Component
• GraphQL Typegen

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

[Full changelog][full-changelog]

v4.14.1

Compare Source

v4.14.0: v4.14

Compare Source

Welcome to gatsby@4.14.0 release (May 2022 #1)

Key highlights of this release:

• Experimental: GraphQL Typgen
• Improvements in Image and Font Loading Times
• Gatsby Functions Body Parsing Configuration
• gatsby-source-drupal: Image CDN Support
• Updated Default Starter

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.13.1

Compare Source

v4.13.0: v4.13

Compare Source

Welcome to gatsby@4.13.0 release (April 2022 #2)

Key highlights of this release:

• Traced SVG option for Image CDN
• Open RFCs

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.12.1

Compare Source

v4.12.0: v4.12

Compare Source

Welcome to gatsby@4.12.0 release (April 2022 #1)

Key highlights of this release:

• New RFCs

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.11.3

Compare Source

v4.11.2

Compare Source

v4.11.1

Compare Source

v4.11.0: v4.11

Compare Source

Welcome to gatsby@4.11.0 release (March 2022 #3)

Key highlights of this release:

• gatsby-source-shopify v7
• React 18

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.10.3

Compare Source

v4.10.2

Compare Source

v4.10.1

Compare Source

v4.10.0: v4.10

Compare Source

Welcome to gatsby@4.10.0 release (March 2022 #2)

Key highlights of this release:

• Image CDN

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.9.3

Compare Source

v4.9.2

Compare Source

v4.9.1

Compare Source

v4.9.0: v4.9

Compare Source

Welcome to gatsby@4.9.0 release (March 2022 #1)

Key highlights of this release:

• Support for TypeScript in gatsby-config and gatsby-node

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.8.2

Compare Source

v4.8.1

Compare Source

v4.8.0: v4.8

Compare Source

Welcome to gatsby@4.8.0 release (February 2022 #2)

Key highlights of this release:

• Support for TypeScript in gatsby-browser and gatsby-ssr
• New TypeScript option when creating Gatsby projects from the CLI
• Significant memory usage reduction when filtering and sorting nodes
• New APIs in gatsby-core-utils and gatsby-plugin-utils

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.7.2

Compare Source

v4.7.1

Compare Source

v4.7.0: v4.7

Compare Source

Welcome to gatsby@4.7.0 release (February 2022 #1)

Key highlights of this release:

• trailingSlash Option - Now built into the Framework itself
• Faster Schema Creation & createPages - Speed improvements of at least 30%

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.6.2

Compare Source

v4.6.1

Compare Source

v4.6.0: v4.6

Compare Source

Welcome to gatsby@4.6.0 release (January 2022 #2)

Key highlights of this release:

• Speeding Up Subsequent Queries
• Tracking Image Changes in Markdown Files
• New Major Version for gatsby-plugin-utils

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.5.5

Compare Source

v4.5.4

Compare Source

v4.5.3

Compare Source

v4.5.2

Compare Source

v4.5.1

Compare Source

v4.5.0: v4.5

Compare Source

Welcome to gatsby@4.5.0 release (January 2022 #1)

Key highlights of this release:

• Gracefully Handling Browser Cache Issues
• TypeScript Types for getServerData
• Deprecation of gatsby-recipes

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.4.0: v4.4

Compare Source

Welcome to gatsby@4.4.0 release (December 2021 #1)

Key highlights of this release:

• Detect Node Mutations

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.3.0: v4.3

Compare Source

Welcome to gatsby@4.3.0 release (November 2021 #​3)

Key highlights of this release:

• Content Sync Improvement
• Use renderToPipeableStream React 18 API

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.2.0: v4.2

Compare Source

Welcome to gatsby@4.2.0 release (November 2021 #2).

Key highlights of this release:

• gatsby-source-contentful v7
• getServerData improvements
• Framework Version Support

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.1.6

Compare Source

v4.1.5

Compare Source

v4.1.4

Compare Source

v4.1.3

Compare Source

v4.1.2

Compare Source

v4.1.1

Compare Source

v4.1.0: v4.1

Compare Source

Welcome to gatsby@4.1.0 release (November 2021 #1).

Key highlights of this release:

• Support for Deferred Static Generation in File System Route API
• JSX Runtime Options in gatsby-config.js

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.0.2

Compare Source

v4.0.1

Compare Source

v4.0.0: v4.0.0

Compare Source

Welcome to gatsby@4.0.0 release (October 2021 #1).

We've released Gatsby 3 in March 2021 and now have a lot of exciting new features for Gatsby 4!
We’ve tried to make migration smooth. Please refer to the migration guide
and let us know if you encounter any issues when migrating.

Key highlights of this release:

• Parallel Query Running - up to 40% reduction in build times
• Deferred Static Generation (DSG) - defer page generation to user request, speeding up build times
• Server-Side Rendering (SSR) - pre-render a page with data that is fetched when a user visits the page

Also check out notable bugfixes and improvements.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes for 3.14

Full changelog

v3.15.0

Compare Source

v3.14.6

Compare Source

v3.14.5

Compare Source

v3.14.4

Compare Source

v3.14.3

Compare Source

v3.14.2

Compare Source

v3.14.1

Compare Source

v3.14.0: v3.14 (September 2021 #​1)

Compare Source

Welcome to gatsby@3.14.0 release (September 2021 #1)

This is the final minor release for gatsby v3. Gatsby v4 beta is already published behind the next npm tag and the next stable release will be gatsby@4.0.0. See what's inside!

We will keep publishing patches for 3.14.x with hotfixes until 4.0.0 stable is published and at least several weeks after.

Key highlights of this release:

• Better UX for navigation in the middle of deployment
• New developer tools - createPages snippet in GraphiQL and new GraphQL capability
• Preparations for gatsby v4 - API deprecations; migration guide; docs
• Improvements for gatsby-source-drupal
• New home for gatsby-plugin-netlify

Also, check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.13.1

Compare Source

v3.13.0: v3.13 (August 2021 #​3)

Compare Source

Welcome to gatsby@3.13.0 release (August 2021 #3)

Key highlights of this release:

• Improved Changelogs - Better structured and easier to read
• sharp v0.29 - Reduced install size, improved encoding time, and improved AVIF image quality
• Faster Sourcing for gatsby-source-drupal - Speed up fetching data by around 4x
• webpack Caching in Development for Everyone - Activating it for all users

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.12.1

Compare Source

v3.12.0: v3.12 (August 2021 #​2)

Compare Source

Welcome to gatsby@3.12.0 release (August 2021 #2)

Key highlights of this release:

• webpack dev server caching - opt-in 20% of users
• Improvements to gatsby-source-shopify - Add compat for breaking change in Shopify's API
• Improvements to gatsby-source-wordpress - Support for generating WebP images in HTML fields

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.11.1

Compare Source

v3.11.0: v3.11 (August 2021 #​1)

Compare Source

Welcome to gatsby@3.11.0 release (August 2021 #​1)

Key highlights of this release:

• Improvements to Parallel Query Running - Better performance and more configurable

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.10.2

Compare Source

v3.10.1

Compare Source

v3.10.0: v3.10 (July 2021 #​2)

Compare Source

Welcome to gatsby@3.10.0 release (July 2021 #​2)

Key highlights of this release:

• Experimental: Parallel Query Running - Improves time it takes to run queries during gatsby build
• Experimental: webpack persistent caching for gatsby develop - significantly speed up start of webpack server

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.9.1

Compare Source

v3.9.0: v3.9 (July 2021 #​1)

Compare Source

Welcome to gatsby@3.9.0 release (July 2021 #​1)

Key highlights of this release:

• React 18 - New Suspense SSR Architecture - Enables SSR support for Suspense when using React 18 (Alpha)
• Shopify App for Gatsby Cloud
• gatsby-source-contentful - quality of life improvements

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.8.1

Compare Source

v3.8.0: v3.8 (June 2021 #​2)

Compare Source

Welcome to gatsby@3.8.0 release (June 2021 #2)

Key highlights of this release:

• React 18 - Alpha - React 18 Alpha is available in Gatsby
• gatsby-source-shopify v5
• Web Vitals Tracking - Analytics Plugins now support tracking Web Vitals
• webpack caching - built-in persistent caching activated for everyone
• [Improvements to Drupal integration](https://www.gatsb

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.82%. Comparing base (d6a81c4) to head (cf77c36).
Report is 1 commits behind head on master.

❗ Current head cf77c36 differs from pull request most recent head 1d689e5

Please upload reports for the commit 1d689e5 to get more accurate results.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #117   +/-   ##
=======================================
  Coverage   93.82%   93.82%           
=======================================
  Files          14       14           
  Lines         356      356           
  Branches       81       81           
=======================================
  Hits          334      334           
  Misses         21       21           
  Partials        1        1           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.