fix: update dependency gatsby to ^4.25.7 [security] by renovate[bot] · Pull Request #187 · gatsbyjs/themes

renovate · 2026-04-15T10:31:22Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
gatsby (source, changelog)	`^4.3.0` → `^4.25.7`

Gatsby develop server has Local File Inclusion vulnerability

CVE-2023-34238 / GHSA-c6f8-8r25-c4gc

More information

Details

Impact

The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, exposed when running the Gatsby develop server (gatsby develop).

The following steps can be used to reproduce the vulnerability:


##### Create a new Gatsby project
$ npm init gatsby
$ cd my-gatsby-site

##### Start the Gatsby develop server
$ gatsby develop

##### Execute the Local File Inclusion vulnerability in __file-code-frame
$ curl "http://127.0.0.1:8000/__file-code-frame?filePath=/etc/passwd&lineNumber=1"

##### Execute the Local File Inclusion vulnerability in __original-stack-frame
$ curl "http://127.0.0.1:8000/__original-stack-frame?moduleId=/etc/hosts&lineNumber=1&skipSourceMap=1"

It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.

Patches

A patch has been introduced in gatsby@5.9.1 and gatsby@4.25.7 which mitigates the issue.

Workarounds

As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Maxwell Garrett of Assetnote for bringing the __file-code-frame issue to our attention.

For more information

Email us at security@gatsbyjs.com.

Severity

CVSS Score: 4.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

gatsbyjs/gatsby (gatsby)

Welcome to gatsby@4.24.0 release (September 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.23.1`

Compare Source

`v4.23.0`: v4.23

Compare Source

Welcome to gatsby@4.23.0 release (September 2022 #1)

Key highlights of this release:

Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.22.1`

Compare Source

`v4.22.0`: v4.22

Compare Source

Welcome to gatsby@4.22.0 release (August 2022 #3)

Key highlights of this release:

Open RFCs

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.21.1`

Compare Source

`v4.21.0`: v4.21

Compare Source

Welcome to gatsby@4.21.0 release (August 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.20.0`: v4.20

Compare Source

Welcome to gatsby@4.20.0 release (August 2022 #1)

Key highlights of this release:

RFC for changes in sort and aggregation fields in Gatsby GraphQL Schema
Release Candidate for gatsby-plugin-mdx v4 - Support for MDX v2 and more!

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.19.2`

Compare Source

`v4.19.1`

Compare Source

`v4.19.0`: v4.19

Compare Source

Welcome to gatsby@4.19.0 release (July 2022 #2)

Key highlights of this release:

Gatsby Head API - Better performance & more future-proof than react-helmet
Release Candidate for gatsby-plugin-mdx v4 - Support for MDX v2 and more!

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.18.2`

Compare Source

`v4.18.1`

Compare Source

`v4.18.0`: v4.18

Compare Source

Welcome to gatsby@4.18.0 release (July 2022 #1)

Key highlights of this release:

typesOutputPath option for GraphQL Typegen - Configure the location of the generated TypeScript types
Server Side Rendering (SSR) in development - Find bugs & hydration errors more easily during gatsby develop
Open RFCs - MDX v2 & Metadata management

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.17.2`

Compare Source

`v4.17.1`

Compare Source

`v4.17.0`: v4.17

Compare Source

Welcome to gatsby@4.17.0 release (June 2022 #2)

Key highlights of this release:

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.16.0`: v4.16

Compare Source

Welcome to gatsby@4.16.0 release (June 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.15.2`

Compare Source

`v4.15.1`

Compare Source

`v4.15.0`: v4.15

Compare Source

Welcome to gatsby@4.15.0 release (May 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

[Full changelog][full-changelog]

`v4.14.1`

Compare Source

`v4.14.0`: v4.14

Compare Source

Welcome to gatsby@4.14.0 release (May 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.13.1`

Compare Source

`v4.13.0`: v4.13

Compare Source

Welcome to gatsby@4.13.0 release (April 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.12.1`

Compare Source

`v4.12.0`: v4.12

Compare Source

Welcome to gatsby@4.12.0 release (April 2022 #1)

Key highlights of this release:

New RFCs

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.11.3`

Compare Source

`v4.11.2`

Compare Source

`v4.11.1`

Compare Source

`v4.11.0`: v4.11

Compare Source

Welcome to gatsby@4.11.0 release (March 2022 #3)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.10.3`

Compare Source

`v4.10.2`

Compare Source

`v4.10.1`

Compare Source

`v4.10.0`: v4.10

Compare Source

Welcome to gatsby@4.10.0 release (March 2022 #2)

Key highlights of this release:

Image CDN

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.9.3`

Compare Source

`v4.9.2`

Compare Source

`v4.9.1`

Compare Source

`v4.9.0`: v4.9

Compare Source

Welcome to gatsby@4.9.0 release (March 2022 #1)

Key highlights of this release:

Support for TypeScript in gatsby-config and gatsby-node

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know if you have any issues.

Previous release notes

Full changelog

`v4.8.2`

Compare Source

`v4.8.1`

Compare Source

`v4.8.0`: v4.8

Compare Source

Welcome to gatsby@4.8.0 release (February 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.7.2`

Compare Source

`v4.7.1`

Compare Source

`v4.7.0`: v4.7

Compare Source

Welcome to gatsby@4.7.0 release (February 2022 #1)

Key highlights of this release:

trailingSlash Option - Now built into the Framework itself
Faster Schema Creation & createPages - Speed improvements of at least 30%

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.6.2`

Compare Source

`v4.6.1`

Compare Source

`v4.6.0`: v4.6

Compare Source

Welcome to gatsby@4.6.0 release (January 2022 #2)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.5.5`

Compare Source

`v4.5.4`

Compare Source

`v4.5.3`

Compare Source

`v4.5.2`

Compare Source

`v4.5.1`

Compare Source

`v4.5.0`: v4.5

Compare Source

Welcome to gatsby@4.5.0 release (January 2022 #1)

Key highlights of this release:

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

`v4.4.0`: v4.4

Compare Source

Welcome to gatsby@4.4.0 release (December 2021 #1)

Key highlights of this release:

Detect Node Mutations

Also check out notable bugfixes.

Bleeding Edge: Want to try new features as soon as possible? Install gatsby@next and let us know
if you have any issues.

Previous release notes

Full changelog

Configuration

📅 Schedule: (in timezone GMT)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 8015268 to bb1c072 Compare April 16, 2026 08:52

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.9 [security]~~ fix: update dependency gatsby to ^4.25.7 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from bb1c072 to 535779f Compare April 16, 2026 15:47

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.7 [security]~~ fix: update dependency gatsby to ^4.25.9 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 535779f to ea38d4e Compare April 16, 2026 20:33

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.9 [security]~~ fix: update dependency gatsby to ^4.25.7 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from ea38d4e to ce9a682 Compare April 23, 2026 16:13

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.7 [security]~~ fix: update dependency gatsby to ^4.25.9 [security] Apr 23, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from ce9a682 to 2a6ae30 Compare April 23, 2026 18:11

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.9 [security]~~ fix: update dependency gatsby to ^4.25.7 [security] Apr 23, 2026

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.7 [security]~~ fix: update dependency gatsby to ^4.25.7 [security] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

renovate Bot deleted the renovate/npm-gatsby-vulnerability branch April 27, 2026 18:43

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.7 [security] - autoclosed~~ fix: update dependency gatsby to ^4.25.7 [security] Apr 28, 2026

renovate Bot reopened this Apr 28, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch 3 times, most recently from a3f5253 to 89a35f2 Compare April 29, 2026 15:14

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.7 [security]~~ fix: update dependency gatsby to ^4.25.9 [security] Apr 29, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 89a35f2 to d167be7 Compare April 29, 2026 21:55

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.9 [security]~~ fix: update dependency gatsby to ^4.25.7 [security] Apr 29, 2026

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from d167be7 to 9f30e75 Compare April 30, 2026 14:54

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.7 [security]~~ fix: update dependency gatsby to ^4.25.9 [security] Apr 30, 2026

fix: update dependency gatsby to ^4.25.7 [security]

1209fdd

renovate Bot force-pushed the renovate/npm-gatsby-vulnerability branch from 9f30e75 to 1209fdd Compare April 30, 2026 19:04

renovate Bot changed the title ~~fix: update dependency gatsby to ^4.25.9 [security]~~ fix: update dependency gatsby to ^4.25.7 [security] Apr 30, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: update dependency gatsby to ^4.25.7 [security]#187

fix: update dependency gatsby to ^4.25.7 [security]#187
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-gatsby-vulnerability

renovate Bot commented Apr 15, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Gatsby develop server has Local File Inclusion vulnerability

Details

Impact

Patches

Workarounds

Credits

For more information

Severity

References

Release Notes

v4.24.0: v4.24

v4.23.0: v4.23

v4.22.0: v4.22

v4.21.0: v4.21

v4.20.0: v4.20

v4.19.0: v4.19

v4.18.0: v4.18

v4.17.0: v4.17

v4.16.0: v4.16

v4.15.0: v4.15

v4.14.0: v4.14

v4.13.0: v4.13

v4.12.0: v4.12

v4.11.0: v4.11

v4.10.0: v4.10

v4.9.0: v4.9

v4.8.0: v4.8

v4.7.0: v4.7

v4.6.0: v4.6

v4.5.0: v4.5

v4.4.0: v4.4

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Apr 15, 2026 •

edited

Loading

`v4.24.0`: v4.24

`v4.23.0`: v4.23

`v4.22.0`: v4.22

`v4.21.0`: v4.21

`v4.20.0`: v4.20

`v4.19.0`: v4.19

`v4.18.0`: v4.18

`v4.17.0`: v4.17

`v4.16.0`: v4.16

`v4.15.0`: v4.15

`v4.14.0`: v4.14

`v4.13.0`: v4.13

`v4.12.0`: v4.12

`v4.11.0`: v4.11

`v4.10.0`: v4.10

`v4.9.0`: v4.9

`v4.8.0`: v4.8

`v4.7.0`: v4.7

`v4.6.0`: v4.6

`v4.5.0`: v4.5

`v4.4.0`: v4.4