Skip to content

fix(deps): update dependency gatsby-plugin-mdx to v2 [security] #195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency gatsby-plugin-mdx to v2 [security] #195

renovate wants to merge 1 commit into from
+1,274 −19

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jun 4, 2022
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
gatsby-plugin-mdx (source) ^1.10.1^2.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2022-25863

Impact

The gatsby-plugin-mdx plugin prior to versions 3.15.2 and 2.14.1 passes input through to the gray-matter npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present when passing input in both webpack (MDX files in src/pages or MDX file imported as component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Injected JavaScript executes in the context of the build server.

To exploit this vulnerability untrusted/unsanitized input would need to be sourced or added into an MDX file. The following MDX payload demonstrates a vulnerable configuration:

---js
((require("child_process")).execSync("id >> /tmp/rce"))
---

Patches

A patch has been introduced in [email protected] and [email protected] which mitigates the issue by disabling the gray-matter JavaScript Frontmatter engine. The patch introduces a new option, JSFrontmatterEngine which is set to false by default. When setting JSFrontmatterEngine to true, input passed to gatsby-plugin-mdx must be sanitized before processing to avoid a security risk. Warnings are displayed when enabling JSFrontmatterEngine to true or if it appears that the MDX input is attempting to use the Frontmatter engine.

Workarounds

If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

We encourage projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Credits

We would like to thank Snyk [snyk.io] for initially bringing the issue to our attention, as well as Feng Xiao and Zhongfu Su, who reported the issue to Snyk.

For more information

Email us at [email protected].

Release Notes

gatsbyjs/gatsby (gatsby-plugin-mdx)

v2.14.1

Compare Source

v2.14.0

Compare Source

🧾 Release notes

Bug Fixes
Chores

v2.13.0

Compare Source

🧾 Release notes

Chores

v2.12.0

Compare Source

🧾 Release notes

Chores

v2.11.0

Compare Source

🧾 Release notes

Bug Fixes
2.10.1 (2021-07-26)
Bug Fixes

v2.10.1

Compare Source

🧾 Release notes

Bug Fixes
2.10.1 (2021-07-26)
Bug Fixes

v2.10.0

Compare Source

🧾 Release notes

Chores

v2.9.0

Compare Source

🧾 Release notes

Features
Chores

v2.8.0

Compare Source

🧾 Release notes

Chores
2.7.1 (2021-06-10)
Chores

v2.7.1

Compare Source

🧾 Release notes

Chores
2.7.1 (2021-06-10)
Chores

v2.7.0

Compare Source

🧾 Release notes

Chores

v2.6.0

Compare Source

🧾 Release notes

Bug Fixes
2.5.1 (2021-05-19)
Bug Fixes

v2.5.1

Compare Source

🧾 Release notes

Bug Fixes
2.5.1 (2021-05-19)
Bug Fixes

v2.5.0

Compare Source

🧾 Release notes

Bug Fixes

v2.4.0

Compare Source

🧾 Release notes

Bug Fixes
Chores

v2.3.0

Compare Source

🧾 Release notes

Bug Fixes

v2.2.0

Compare Source

🧾 Release notes

Bug Fixes

v2.1.0

Compare Source

🧾 Release notes

Bug Fixes
  • fix html field resolver to work with webpack@​5 (0a6c6eb)
  • update lodash monorepo to ^4.17.21 #​29382 (9fd287b)
Chores
2.0.1 (2021-03-11)
Bug Fixes
  • fix html field resolver to work with webpack@​5 (b7d82da)

v2.0.1

Compare Source

🧾 Release notes

Bug Fixes
  • fix html field resolver to work with webpack@​5 (0a6c6eb)
  • update lodash monorepo to ^4.17.21 #​29382 (9fd287b)
Chores
2.0.1 (2021-03-11)
Bug Fixes
  • fix html field resolver to work with webpack@​5 (b7d82da)

v2.0.0

Compare Source

🧾 Release notes

Bug Fixes
Other Changes
1.10.1 (2021-02-24)

Note: Version bump only for package gatsby-plugin-mdx

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Jun 4, 2022
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from 447c81d to cb9910b Compare June 27, 2022 03:38
@renovate renovate bot changed the title fix(deps): update dependency gatsby-plugin-mdx to v2 [security] fix(deps): update dependency gatsby-plugin-mdx to v2 [SECURITY] Jun 27, 2022
@renovate renovate bot changed the title fix(deps): update dependency gatsby-plugin-mdx to v2 [SECURITY] fix(deps): update dependency gatsby-plugin-mdx to v2 [security] Jun 28, 2022
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from cb9910b to 5723ca7 Compare July 25, 2022 04:49
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch 2 times, most recently from 6ec66bd to ba3f831 Compare August 13, 2025 14:11
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from ba3f831 to c426310 Compare August 19, 2025 14:35
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from c426310 to 6487d88 Compare August 31, 2025 14:24
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from 6487d88 to bb06f6d Compare September 25, 2025 18:33
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from bb06f6d to 0d3661a Compare October 21, 2025 09:15
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from 0d3661a to e5df7fd Compare November 10, 2025 18:59
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from e5df7fd to c027d06 Compare November 18, 2025 13:02
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from c027d06 to 5163f86 Compare December 3, 2025 17:27
@renovate renovate bot force-pushed the renovate/npm-gatsby-plugin-mdx-vulnerability branch from 5163f86 to 5e16818 Compare December 31, 2025 16:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant