Skip to content

fix(deps): update dependency gatsby-source-wordpress to v4 [security]#59

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-gatsby-source-wordpress-vulnerability
Open

fix(deps): update dependency gatsby-source-wordpress to v4 [security]#59
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-gatsby-source-wordpress-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Aug 6, 2024
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
gatsby-source-wordpress (source) ^3.2.5^4.0.0 age confidence

Basic-auth app bundle credential exposure in gatsby-source-wordpress

CVE-2021-32770 / GHSA-rqjw-p5vr-c695

More information

Details

Impact

The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected.

Example affected gatsby-config.js:

      resolve: 'gatsby-source-wordpress',
        auth: {
          htaccess: {
            username: leaked_username
            password: leaked_password,
          },
        },
Patches

A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the auth: { } section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run gatsby clean followed by a gatsby build.

Workarounds

There is no known workaround at this time, other than manually editing the app.js file post-build.

For more information

Email us at security@gatsbyjs.com

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

gatsbyjs/gatsby (gatsby-source-wordpress)

v4.0.8

Compare Source

🧾 Release notes

Features
Bug Fixes
Chores
Other Changes
4.0.8 (2021-07-13)
Other Changes
  • run setGatsbyApiToState in onPreInit to delete auth options #​32339 (f49a976)
4.0.7 (2021-07-10)
Bug Fixes
4.0.6 (2021-04-07)
Bug Fixes
4.0.5 (2021-03-08)
Bug Fixes
4.0.4 (2021-03-01)
Bug Fixes
4.0.3 (2021-02-24)
Other Changes
4.0.2 (2021-02-24)

Note: Version bump only for package gatsby-source-wordpress

4.0.1 (2021-02-05)

Note: Version bump only for package gatsby-source-wordpress

v4.0.7

Compare Source

🧾 Release notes

Features
Bug Fixes
Chores
Other Changes
4.0.8 (2021-07-13)
Other Changes
  • run setGatsbyApiToState in onPreInit to delete auth options #​32339 (f49a976)
4.0.7 (2021-07-10)
Bug Fixes
4.0.6 (2021-04-07)
Bug Fixes
4.0.5 (2021-03-08)
Bug Fixes
4.0.4 (2021-03-01)
Bug Fixes
4.0.3 (2021-02-24)
Other Changes
4.0.2 (2021-02-24)

Note: Version bump only for package gatsby-source-wordpress

4.0.1 (2021-02-05)

Note: Version bump only for package gatsby-source-wordpress

v4.0.6

Compare Source

🧾 Release notes

Features
Bug Fixes
Chores
Other Changes
4.0.8 (2021-07-13)
Other Changes
  • run setGatsbyApiToState in onPreInit to delete auth options #​32339 (f49a976)
4.0.7 (2021-07-10)
Bug Fixes
4.0.6 (2021-04-07)
Bug Fixes
4.0.5 (2021-03-08)
Bug Fixes
4.0.4 (2021-03-01)
Bug Fixes
4.0.3 (2021-02-24)
Other Changes
4.0.2 (2021-02-24)

Note: Version bump only for package gatsby-source-wordpress

4.0.1 (2021-02-05)

Note: Version bump only for package gatsby-source-wordpress

v4.0.5

Compare Source

🧾 Release notes

Features
Bug Fixes
Chores
Other Changes
4.0.8 (2021-07-13)
Other Changes
  • run setGatsbyApiToState in onPreInit to delete auth options #​32339 (f49a976)
4.0.7 (2021-07-10)
Bug Fixes
4.0.6 (2021-04-07)
Bug Fixes
4.0.5 (2021-03-08)
Bug Fixes
4.0.4 (2021-03-01)
Bug Fixes
4.0.3 (2021-02-24)
Other Changes
4.0.2 (2021-02-24)

Note: Version bump only for package gatsby-source-wordpress

4.0.1 (2021-02-05)

Note: Version bump only for package gatsby-source-wordpress

v4.0.4

Compare Source

🧾 Release notes

Features
Bug Fixes
Chores
Other Changes
4.0.8 (2021-07-13)
Other Changes
  • run setGatsbyApiToState in onPreInit to delete auth options #​32339 (f49a976)
4.0.7 (2021-07-10)
Bug Fixes
4.0.6 (2021-04-07)
Bug Fixes
4.0.5 (2021-03-08)
Bug Fixes
4.0.4 (2021-03-01)
Bug Fixes
4.0.3 (2021-02-24)
Other Changes
4.0.2 (2021-02-24)

Note: Version bump only for package gatsby-source-wordpress

4.0.1 (2021-02-05)

Note: Version bump only for package gatsby-source-wordpress

v4.0.3

Compare Source

🧾 Release notes

Features
Bug Fixes
Chores
Other Changes
4.0.8 (2021-07-13)
Other Changes
  • run setGatsbyApiToState in onPreInit to delete auth options #​32339 (f49a976)
4.0.7 (2021-07-10)
Bug Fixes
4.0.6 (2021-04-07)
Bug Fixes
4.0.5 (2021-03-08)
Bug Fixes
4.0.4 (2021-03-01)
Bug Fixes
4.0.3 (2021-02-24)
Other Changes
4.0.2 (2021-02-24)

Note: Version bump only for package gatsby-source-wordpress

[4.0.1](https://redirect.github.com/gatsbyjs/gatsby/commits/gatsby-source-wordpress@4.0.1/packages/gatsby-source-wo

Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from 819a163 to aa0d94d Compare August 10, 2025 14:57
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from aa0d94d to cd14f80 Compare August 19, 2025 13:13
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from cd14f80 to f83306e Compare September 25, 2025 15:41
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from f83306e to 32c13be Compare November 11, 2025 02:34
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from 32c13be to 09f9039 Compare November 18, 2025 13:04
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from 09f9039 to 2dfa7f2 Compare January 19, 2026 16:36
@renovate renovate Bot changed the title fix(deps): update dependency gatsby-source-wordpress to v4 [security] fix(deps): update dependency gatsby-source-wordpress to v4 [security] - autoclosed Jan 22, 2026
@renovate renovate Bot closed this Jan 22, 2026
@renovate renovate Bot deleted the renovate/npm-gatsby-source-wordpress-vulnerability branch January 22, 2026 14:14
@renovate renovate Bot changed the title fix(deps): update dependency gatsby-source-wordpress to v4 [security] - autoclosed fix(deps): update dependency gatsby-source-wordpress to v4 [security] Jan 22, 2026
@renovate renovate Bot reopened this Jan 22, 2026
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch 2 times, most recently from 2dfa7f2 to b21ee49 Compare January 22, 2026 17:15
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from b21ee49 to efca92f Compare February 2, 2026 20:57
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch 2 times, most recently from 734b712 to 2ed368c Compare February 17, 2026 20:43
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from 2ed368c to 019952e Compare March 5, 2026 19:51
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from 019952e to a26b503 Compare March 13, 2026 12:11
@renovate renovate Bot changed the title fix(deps): update dependency gatsby-source-wordpress to v4 [security] fix(deps): update dependency gatsby-source-wordpress to v4 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency gatsby-source-wordpress to v4 [security] - autoclosed fix(deps): update dependency gatsby-source-wordpress to v4 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch 2 times, most recently from a26b503 to 243d2ab Compare March 30, 2026 18:02
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from 243d2ab to 90d98bb Compare April 8, 2026 18:37
@renovate renovate Bot force-pushed the renovate/npm-gatsby-source-wordpress-vulnerability branch from 90d98bb to f8f7dce Compare April 29, 2026 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants