[Snyk] Security upgrade gatsby from 2.23.20 to 2.31.0 by snyk-bot · Pull Request #89 · turkdevops/node

snyk-bot · 2021-01-20T06:43:43Z

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

✨ Snyk has automatically assigned this pull request, set who gets assigned.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- deps/npm/docs/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	616/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.9	Server-Side Request Forgery (SSRF) SNYK-JS-AXIOS-1038255	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: gatsby

The new version differs by 250 commits.

fbc5893 chore(release): Publish
e693b62 chore: update yarn.lock (http: remove redundant condition nodejs/node#29078)
e998870 fix(gatsby): Always render the body component to ensure needed head & pre/post body components are added (stream: improve read() performance further nodejs/node#29077)
a1921b5 feat(gatsby): bump opt-in % to dev-ssr to 20% (Assorted typo fixes. nodejs/node#29075)
2439b44 feat(gatsby-codemods): Handle or warn on nested options changes ([x] stream: properties cleanup nodejs/node#29046)
c0e6c92 fix(gatsby-plugin-typescript): add missing options validations (buffer: improve copy() performance nodejs/node#29066)
3163ca6 fix(gatsby-plugin-mdx): Add `root` to plugin validation (stream: writableError & readableError nodejs/node#29010)
6233382 fix(gatsby-plugin-image): Fix onload race condition ([x] stream: error multiple iterators nodejs/node#29064)
c76c175 benchmark(gabe-fs-markdown-images): add img benchmark (stream: readable error emitted nodejs/node#29009)
bd5b5f7 feat(gatsby): allow to skip cache persistence (UDP/Datagram: Can't send messages while bind is done to 127.0.0.1 must bind to 0.0.0.0 nodejs/node#29047)
48db6ac fix(gatsby): fix broken GraphQL resolver tracing (http: replace superfluous property with getter/setter nodejs/node#29015)
90b6e3d fix(gatsby): Use fast-refresh for React 17 (HTTP2 compatibility layer tries to write the header multiple times. nodejs/node#28930)
9a55d12 feat(gatsby): Add eslint rules to warn against bad patterns in pageTemplates (for Fast Refresh) ([Website Generator] Links must be .html for nodejs.org/api but they're actually .md on github nodejs/node#28689)
b9978e1 fix(gatsby-plugin-image): Handle imgStyle in SSR (fs: unecessary argument validation nodejs/node#29043)
f23ba4b fix(gatsby-source-contentful): Improve base64 placeholders (stream: suggestion stream._writeMany nodejs/node#29034)
18b5f30 fix(security): update vulnerable packages, include React 17 in peerDeps (Fully decorated fs.promises for complete fs replacement? nodejs/node#28545)
f8bbc06 docs: edit search documentation (src: add public virtual destructor for KVStore nodejs/node#28737)
004acf0 fix(sharp) wrap sharp calls in try/catch to avoid crashing on bad images (http2: report memory allocated by nghttp2 to V8 nodejs/node#28645)
bf6f264 Hydrate when the page was server rendered (#29016)
e72533d chore(gatsby-plugin-image): Unflag remote images (V12.x staging nodejs/node#29032)
332543c chore(docs): adjust Contentful Rich Text example codes (assert.deepEqual: fix bug with faked boxed primitives nodejs/node#29029)
9bcc12c feat(gatsby-plugin-image): Change fullWidth to use breakpoints (http: ClientRequest streamlike nodejs/node#29002)
168ff60 Fix/contentful add header (stream: don't flush destroyed writable nodejs/node#29028)
a3ad6d7 fix(gatsbu-source-contentful): apply useNameForId when creating the graphql schema (deps: update acorn to 6.2.0 nodejs/node#28649)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AXIOS-1038255

github-actions

Scan Summary

Tool	Critical	High	Low	Status
Dependency Scan (nodejs)	0	7	5	❌
Python Security Analysis	209	3	0	❌
Python Source Analyzer	0	0	0	✅
Shell Script Analysis	0	0	8	✅
Security Audit for Infrastructure	0	0	0	✅

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

fix: deps/npm/docs/package.json to reduce vulnerabilities

be183c7

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AXIOS-1038255

github-actions Bot reviewed Jan 20, 2021

View reviewed changes

github-actions Bot added the security findings label Jan 20, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade gatsby from 2.23.20 to 2.31.0#89

[Snyk] Security upgrade gatsby from 2.23.20 to 2.31.0#89
snyk-bot wants to merge 1 commit into
masterfrom
snyk-fix-84b25daf4d00ece6fd3d235b3643cd9c

snyk-bot commented Jan 20, 2021

github-actions Bot left a comment

Labels

1 participant

Conversation