Skip to content

fix(deps): update dependency gatsby to v4 [security]#421

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-gatsby-vulnerability
Open

fix(deps): update dependency gatsby to v4 [security]#421
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-gatsby-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
gatsby (source, changelog) 2.32.134.25.7 age confidence

Gatsby develop server has Local File Inclusion vulnerability

CVE-2023-34238 / GHSA-c6f8-8r25-c4gc

More information

Details

Impact

The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).

The following steps can be used to reproduce the vulnerability:


##### Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site

##### Start the Gatsby develop server
$ gatsby develop

##### Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"

##### Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"

It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.

Patches

A patch has been introduced in gatsby@5.9.1 and gatsby@4.25.7 which mitigates the issue.

Workarounds

As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.

For more information

Email us at security@gatsbyjs.com.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

gatsbyjs/gatsby (gatsby)

v4.25.7

Compare Source

v4.25.6

Compare Source

v4.25.5

Compare Source

v4.25.4

Compare Source

v4.25.3

Compare Source

v4.25.2

Compare Source

v4.25.1

Compare Source

v4.25.0

Compare Source

v4.24.8

Compare Source

v4.24.7

Compare Source

v4.24.6

Compare Source

v4.24.5

Compare Source

v4.24.4

Compare Source

v4.24.3

Compare Source

v4.24.2

Compare Source

v4.24.1

Compare Source

v4.24.0: v4.24

Compare Source

Welcome to gatsby@4.24.0 release (September 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.23.1

Compare Source

v4.23.0: v4.23

Compare Source

Welcome to gatsby@4.23.0 release (September 2022 #1)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.22.1

Compare Source

v4.22.0: v4.22

Compare Source

Welcome to gatsby@4.22.0 release (August 2022 #3)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.21.1

Compare Source

v4.21.0: v4.21

Compare Source

Welcome to gatsby@4.21.0 release (August 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.20.0: v4.20

Compare Source

Welcome to gatsby@4.20.0 release (August 2022 #1)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.19.2

Compare Source

v4.19.1

Compare Source

v4.19.0: v4.19

Compare Source

Welcome to gatsby@4.19.0 release (July 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.18.2

Compare Source

v4.18.1

Compare Source

v4.18.0: v4.18

Compare Source

Welcome to gatsby@4.18.0 release (July 2022 #1)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.17.2

Compare Source

v4.17.1

Compare Source

v4.17.0: v4.17

Compare Source

Welcome to gatsby@4.17.0 release (June 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.16.0: v4.16

Compare Source

Welcome to gatsby@4.16.0 release (June 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.15.2

Compare Source

v4.15.1

Compare Source

v4.15.0: v4.15

Compare Source

Welcome to gatsby@4.15.0 release (May 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

[Full changelog][full-changelog]

v4.14.1

Compare Source

v4.14.0: v4.14

Compare Source

Welcome to gatsby@4.14.0 release (May 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.13.1

Compare Source

v4.13.0: v4.13

Compare Source

Welcome to gatsby@4.13.0 release (April 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.12.1

Compare Source

v4.12.0: v4.12

Compare Source

Welcome to gatsby@4.12.0 release (April 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.11.3

Compare Source

v4.11.2

Compare Source

v4.11.1

Compare Source

v4.11.0: v4.11

Compare Source

Welcome to gatsby@4.11.0 release (March 2022 #3)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.10.3

Compare Source

v4.10.2

Compare Source

v4.10.1

Compare Source

v4.10.0: v4.10

Compare Source

Welcome to gatsby@4.10.0 release (March 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.9.3

Compare Source

v4.9.2

Compare Source

v4.9.1

Compare Source

v4.9.0: v4.9

Compare Source

Welcome to gatsby@4.9.0 release (March 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

v4.8.2

Compare Source

v4.8.1

Compare Source

v4.8.0: v4.8

Compare Source

Welcome to gatsby@4.8.0 release (February 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.7.2

Compare Source

v4.7.1

Compare Source

v4.7.0: v4.7

Compare Source

Welcome to gatsby@4.7.0 release (February 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.6.2

Compare Source

v4.6.1

Compare Source

v4.6.0: v4.6

Compare Source

Welcome to gatsby@4.6.0 release (January 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.5.5

Compare Source

v4.5.4

Compare Source

v4.5.3

Compare Source

v4.5.2

Compare Source

v4.5.1

Compare Source

v4.5.0: v4.5

Compare Source

Welcome to gatsby@4.5.0 release (January 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.4.0: v4.4

Compare Source

Welcome to gatsby@4.4.0 release (December 2021 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.3.0: v4.3

Compare Source

Welcome to gatsby@4.3.0 release (November 2021 #​3)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.2.0: v4.2

Compare Source

Welcome to gatsby@4.2.0 release (November 2021 #2).

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.1.6

Compare Source

v4.1.5

Compare Source

v4.1.4

Compare Source

v4.1.3

Compare Source

v4.1.2

Compare Source

v4.1.1

Compare Source

v4.1.0: v4.1

Compare Source

Welcome to gatsby@4.1.0 release (November 2021 #1).

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v4.0.2

Compare Source

v4.0.1

Compare Source

v4.0.0: v4.0.0

Compare Source

Welcome to gatsby@4.0.0 release (October 2021 #1).

We've released Gatsby 3 in March 2021 and now have a lot of exciting new features for Gatsby 4!
We’ve tried to make migration smooth. Please refer to the migration guide
and let us know if you encounter any issues when migrating.

Key highlights of this release:

Also check out notable bugfixes and improvements.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes for 3.14

Full changelog

v3.15.0

Compare Source

v3.14.6

Compare Source

v3.14.5

Compare Source

v3.14.4

Compare Source

v3.14.3

Compare Source

v3.14.2

Compare Source

v3.14.1

Compare Source

v3.14.0: v3.14 (September 2021 #​1)

Compare Source

Welcome to gatsby@3.14.0 release (September 2021 #1)

This is the final minor release for gatsby v3. Gatsby v4 beta is already published behind the next npm tag and the next stable release will be gatsby@4.0.0. See what's inside!

We will keep publishing patches for 3.14.x with hotfixes until 4.0.0 stable is published and at least several weeks after.

Key highlights of this release:

Also, check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.13.1

Compare Source

v3.13.0: v3.13 (August 2021 #​3)

Compare Source

Welcome to gatsby@3.13.0 release (August 2021 #3)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.12.1

Compare Source

v3.12.0: v3.12 (August 2021 #​2)

Compare Source

Welcome to gatsby@3.12.0 release (August 2021 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.11.1

Compare Source

v3.11.0: v3.11 (August 2021 #​1)

Compare Source

Welcome to gatsby@3.11.0 release (August 2021 #​1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

v3.10.2

Compare Source

v3.10.1

Compare Source

v3.10.0: v3.10 (July 2021 #​2)

[Compare Source](https://redirect.github.com/gatsbyjs/gatsby/comp

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @hot-loader/react-dom@17.0.0
npm error Found: react@17.0.1
npm error node_modules/react
npm error   react@"17.0.1" from the root project
npm error   peer react@"*" from @testing-library/react@11.2.7
npm error   node_modules/@testing-library/react
npm error     dev @testing-library/react@"11.2.7" from the root project
npm error   7 more (react-dom, react-helmet, react-hot-loader, ...)
npm error
npm error Could not resolve dependency:
npm error peer react@"17.0.0" from @hot-loader/react-dom@17.0.0
npm error node_modules/@hot-loader/react-dom
npm error   dev @hot-loader/react-dom@"17.0.0" from the root project
npm error
npm error Conflicting peer dependency: react@17.0.0
npm error node_modules/react
npm error   peer react@"17.0.0" from @hot-loader/react-dom@17.0.0
npm error   node_modules/@hot-loader/react-dom
npm error     dev @hot-loader/react-dom@"17.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-07-16T14_14_05_643Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-07-16T14_14_05_643Z-debug-0.log

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This Renovate security PR attempts to address CVE-2023-34238 by upgrading the project’s Gatsby dependency to a patched release on the v4 line.

Changes:

  • Bump gatsby from 2.32.13 to 4.25.7 in package.json.
Comments suppressed due to low confidence (1)

package.json:65

  • Upgrading gatsby to v4 while keeping Gatsby plugins on v2 (e.g. gatsby-plugin-sharp is still 2.14.4) introduces incompatible peer dependencies (the current lockfile shows gatsby-plugin-sharp@2.14.4 requires gatsby: ^2.0.0). Either upgrade the Gatsby plugin ecosystem to versions compatible with Gatsby 4 (and migrate off deprecated packages like gatsby-image if needed), or keep Gatsby on the v2 line and apply a backported security patch (if available).
    "gatsby": "4.25.7",
    "gatsby-image": "2.11.0",
    "gatsby-plugin-canonical-urls": "2.10.0",
    "gatsby-plugin-layout": "1.10.0",
    "gatsby-plugin-manifest": "2.12.1",

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json
Comment on lines 60 to 62
"clsx": "1.1.1",
"gatsby": "2.32.13",
"gatsby": "4.25.7",
"gatsby-image": "2.11.0",

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed that the lockfile is stale on the Renovate branch. I am not regenerating it as a package-only bump because moving gatsby from 2.x to 4.x requires a coordinated migration of the Gatsby plugin family, build/runtime behavior, and compatibility testing.

Leaving this blocked for a dedicated Gatsby major migration rather than merging the PR as-is.

@jimmyandrade

Copy link
Copy Markdown
Member

Blocked in oldest-PR triage: Gatsby 2 -> 4 is a major migration, not a safe isolated package bump. This needs coordinated plugin upgrades (including #413) and build/runtime verification before merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants