Skip to content

fix(deps): update dependency gatsby-plugin-sharp to v5 [security]#839

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-gatsby-plugin-sharp-vulnerability
Open

fix(deps): update dependency gatsby-plugin-sharp to v5 [security]#839
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-gatsby-plugin-sharp-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
gatsby-plugin-sharp (source) ^4.25.0^5.0.0 age confidence

Path traversal vulnerability in gatsby-plugin-sharp

CVE-2023-30548 / GHSA-h2pm-378c-pcxx

More information

Details

Impact

The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gatsby develop server (gatsby develop).

The following steps can be used to reproduce the vulnerability:


##### Create a new Gatsby project, and install gatsby-plugin-sharp
$ npm init gatsby
$ cd my-gatsby-site
$ npm install gatsby-plugin-sharp

##### Add the plugin to gatsby-config.js
module.exports = {
  plugins: [
    {
      resolve: `gatsby-plugin-sharp`,
    },
  ]
}

##### Start the Gatsby develop server
$ gatsby develop

##### Execute the path traversal vulnerability
$ curl "http://127.0.0.1:8000/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"

It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable.

Patches

A patch has been introduced in gatsby-plugin-sharp@5.8.1 and gatsby-plugin-sharp@4.25.1 which mitigates the issue by ensuring that included paths remain within the project directory.

Workarounds

As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Patrick Rombouts and Bart Veneman [drukwerkdeal.nl] for bringing the issue to our attention.

For more information

Email us at security@gatsbyjs.com.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

gatsbyjs/gatsby (gatsby-plugin-sharp)

v5.8.1

Compare Source

🧾 Release notes

Bug Fixes
  • update dependency fs-extra to ^11.1.1 #​37827 (3e9a590)
  • don't serve static assets that are not result of currently triggered deferred job #​37796 (6539860)
5.8.1 (2023-03-29)
Bug Fixes

v5.8.0

Compare Source

🧾 Release notes

Note: Version bump only for package gatsby-plugin-sharp

v5.7.0

Compare Source

🧾 Release notes

Note: Version bump only for package gatsby-plugin-sharp

v5.6.0

Compare Source

🧾 Release notes

Bug Fixes
Chores

v5.5.0

Compare Source

🧾 Release notes

Chores

v5.4.0

Compare Source

🧾 Release notes

Bug Fixes
Chores
5.3.2 (2022-12-14)

Note: Version bump only for package gatsby-plugin-sharp

5.3.1 (2022-12-14)

Note: Version bump only for package gatsby-plugin-sharp

v5.3.2

Compare Source

🧾 Release notes

Bug Fixes
Chores
5.3.2 (2022-12-14)

Note: Version bump only for package gatsby-plugin-sharp

5.3.1 (2022-12-14)

Note: Version bump only for package gatsby-plugin-sharp

v5.3.1

Compare Source

🧾 Release notes

Bug Fixes
Chores
5.3.2 (2022-12-14)

Note: Version bump only for package gatsby-plugin-sharp

5.3.1 (2022-12-14)

Note: Version bump only for package gatsby-plugin-sharp

v5.3.0

Compare Source

🧾 Release notes

Bug Fixes
Chores

v5.2.0

Compare Source

🧾 Release notes

Chores
Other Changes

v5.1.0

Compare Source

🧾 Release notes

Note: Version bump only for package gatsby-plugin-sharp

v5.0.0

Compare Source

🧾 Release notes

Chores

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner April 15, 2026 18:34
@netlify

netlify Bot commented Apr 15, 2026

Copy link
Copy Markdown

Deploy Preview for netlify-plugin-gatsby-demo-v5 ready!

Name Link
🔨 Latest commit 6cef260
🔍 Latest deploy log https://app.netlify.com/projects/netlify-plugin-gatsby-demo-v5/deploys/69dfda1f75fe510008ec28cb
😎 Deploy Preview https://deploy-preview-839--netlify-plugin-gatsby-demo-v5.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify

netlify Bot commented Apr 15, 2026

Copy link
Copy Markdown

Deploy Preview for netlify-plugin-gatsby-demo failed. Why did it fail? →

Name Link
🔨 Latest commit 6cef260
🔍 Latest deploy log https://app.netlify.com/projects/netlify-plugin-gatsby-demo/deploys/69dfda1fe280bf0008b106f5

@renovate renovate Bot force-pushed the renovate/npm-gatsby-plugin-sharp-vulnerability branch from 6cef260 to 5183ada Compare April 29, 2026 19:10
@netlify

netlify Bot commented Apr 29, 2026

Copy link
Copy Markdown

Deploy Preview for netlify-plugin-gatsby-demo-v5 ready!

Name Link
🔨 Latest commit 5183ada
🔍 Latest deploy log https://app.netlify.com/projects/netlify-plugin-gatsby-demo-v5/deploys/69f2579f908e990008a2627b
😎 Deploy Preview https://deploy-preview-839--netlify-plugin-gatsby-demo-v5.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify

netlify Bot commented Apr 29, 2026

Copy link
Copy Markdown

Deploy Preview for netlify-plugin-gatsby-demo failed. Why did it fail? →

Name Link
🔨 Latest commit 5183ada
🔍 Latest deploy log https://app.netlify.com/projects/netlify-plugin-gatsby-demo/deploys/69f2579fc5fff80008635ac7

@renovate renovate Bot force-pushed the renovate/npm-gatsby-plugin-sharp-vulnerability branch from 5183ada to f34afd6 Compare May 12, 2026 14:55
@netlify

netlify Bot commented May 12, 2026

Copy link
Copy Markdown

Deploy Preview for netlify-plugin-gatsby-demo-v5 ready!

Name Link
🔨 Latest commit 0b3fb86
🔍 Latest deploy log https://app.netlify.com/projects/netlify-plugin-gatsby-demo-v5/deploys/6a2a84bb751b6a000863d7cf
😎 Deploy Preview https://deploy-preview-839--netlify-plugin-gatsby-demo-v5.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify

netlify Bot commented May 12, 2026

Copy link
Copy Markdown

Deploy Preview for netlify-plugin-gatsby-demo failed. Why did it fail? →

Name Link
🔨 Latest commit 0b3fb86
🔍 Latest deploy log https://app.netlify.com/projects/netlify-plugin-gatsby-demo/deploys/6a2a84bb87240d00089d98a6

@renovate renovate Bot force-pushed the renovate/npm-gatsby-plugin-sharp-vulnerability branch from f34afd6 to f97d0bb Compare May 18, 2026 16:58
@renovate renovate Bot force-pushed the renovate/npm-gatsby-plugin-sharp-vulnerability branch from f97d0bb to 3f57e8c Compare May 28, 2026 17:11
@netlify-staging-app

netlify-staging-app Bot commented May 28, 2026

Copy link
Copy Markdown

Deploy Preview for gatsby-adapter-functions ready!

Name Link
🔨 Latest commit 0b3fb86
🔍 Latest deploy log https://app.netlifystg.com/projects/gatsby-adapter-functions/deploys/6a2a84bb92626200081555f8
😎 Deploy Preview https://deploy-preview-839--gatsby-adapter-functions.netlifystg.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate Bot force-pushed the renovate/npm-gatsby-plugin-sharp-vulnerability branch from 3f57e8c to f04f258 Compare June 2, 2026 00:54
@renovate renovate Bot force-pushed the renovate/npm-gatsby-plugin-sharp-vulnerability branch from f04f258 to 0b3fb86 Compare June 11, 2026 09:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants