This repository has been archived by the owner on Jan 16, 2023. It is now read-only.

[Bug] Critical vulnerability in due to outdated dependency git-url-parse #124

Closed
siminino opened this issue Jul 15, 2022 · 6 comments · Fixed by #127
@siminino

Describe the bug

Critical vulnerability related to the git-url-parse sub-dependency parse-url. It is not possible to fix it in my projects with yarn resolutions, since it is related to major version upgrades containing breaking changes. To fix it, git-url-parse must be upgraded to version 12.

Note: high and moderate vulnerabilities are also going to be fixed by this dependency upgrade.

Steps to reproduce the behaviour

  1. clone repo;
  2. run yarn;
  3. run yarn audit;

Expected behaviour

No critical and high vulnerabilities.

Screenshots and/or logs

(screenshot: yarn audit output, "Screenshot 2022-07-15 at 12 20 05")

(screenshot: yarn audit output, "Screenshot 2022-07-15 at 12 29 00")

Environment

  • Node.js version: v16.13.1
  • NPM version: 8.1.2
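The reproduction above ends at `yarn audit`, which needs network access and only reports what the registry's advisory database currently says. What a practitioner usually wants next is a way to answer, offline and against the lockfile that is actually committed, "which versions of git-url-parse does this project resolve, and are any of them below the major version the fix requires?". The block below is an added example and is not code from this issue or from the storybook-deployer project: a minimal parser for the yarn.lock v1 format plus a check that flags resolved versions below a required major. The lockfile text, the `@example/app-tool` package and all version numbers in it are constructed for the example and are not real audit findings; the minimum majors 12 and 13 are the values discussed in this thread.

```javascript
// Added example: parse a yarn.lock (v1) and flag resolved versions of a
// package that sit below a required major version. Not part of the original
// issue or the storybook-deployer project.

// Constructed lockfile for the example. Package "@example/app-tool" and every
// version string here are illustrative, not real registry data.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@example/app-tool@^2.0.0":
  version "2.0.0"
  resolved "https://registry.example.invalid/@example/app-tool/-/app-tool-2.0.0.tgz"
  dependencies:
    git-url-parse "^11.6.0"

git-url-parse@^11.6.0:
  version "11.6.0"
  resolved "https://registry.example.invalid/git-url-parse/-/git-url-parse-11.6.0.tgz"
  dependencies:
    git-up "^4.0.0"

git-url-parse@^12.0.0, git-url-parse@12.x:
  version "12.0.0"
  resolved "https://registry.example.invalid/git-url-parse/-/git-url-parse-12.0.0.tgz"
`;

// "@scope/pkg@^1.0.0" -> "@scope/pkg"; "pkg@^1.0.0" -> "pkg".
// The lastIndexOf guard (> 0) keeps the leading "@" of scoped names.
function specToName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Parse yarn.lock v1 into entries of { specs, names, version }.
// A header is an unindented line ending in ":" holding one or more
// comma-separated "name@range" specs (optionally quoted); the resolved
// version is the indented `version "x.y.z"` line that follows it.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      const specs = line
        .slice(0, -1)
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, names: [...new Set(specs.map(specToName))], version: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Leading numeric component of a version string; NaN if it is not semver-like.
function majorOf(version) {
  const m = /^(\d+)\./.exec(version);
  return m ? Number(m[1]) : NaN;
}

// Every distinct version the lockfile resolves for pkgName (a package may be
// resolved at several versions at once when different ranges are requested).
function resolvedVersions(lockText, pkgName) {
  const out = new Set();
  for (const e of parseYarnLock(lockText)) {
    if (e.names.includes(pkgName) && e.version) out.add(e.version);
  }
  return [...out].sort();
}

// minimums: { "pkg-name": requiredMajor }. A version that cannot be parsed
// (majorOf -> NaN) is reported too, since "unknown" is not "fixed".
function findBelowMinimum(lockText, minimums) {
  const findings = [];
  for (const [name, minMajor] of Object.entries(minimums)) {
    for (const version of resolvedVersions(lockText, name)) {
      if (!(majorOf(version) >= minMajor)) {
        findings.push({ name, version, required: minMajor });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(findBelowMinimum(SAMPLE_YARN_LOCK, { "git-url-parse": 12 })));
```

To run this against a real project, replace `SAMPLE_YARN_LOCK` with `fs.readFileSync("yarn.lock", "utf8")` and set the minimum to whichever major the advisory you are chasing requires. Note that the check is by major version only: it tells you whether the upgrade this issue asks for has landed in your tree, not whether a given minor release is patched, and a resolutions entry that forces a major bump across a dependent that has not been updated for it is exactly the breaking-change situation the issue describes.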
cysp commented Oct 18, 2022

Great to see that this dependency update was merged a few weeks ago! 👏
@jimmyandrade is there an upcoming release scheduled that will include that change?

pjaws commented Nov 7, 2022

3 weeks later and still no release... Storybook is currently responsible for every single vulnerability in my project.

@nedredmond

@cysp @pjaws it looks like this may have been deployed on NPM but it is not reflected on GitHub:
https://www.npmjs.com/package/@storybook/storybook-deployer

see the thread here:
#127

pjaws commented Nov 13, 2022

@nedredmond My apologies, there is a separate vulnerability in parse-url via git-url-parse that is also an SSRF vulnerability. This is fixed in git-url-parse version 13+. I think this might be where the confusion is coming from.

@nedredmond

I see. Well, at least the fix for this issue with a bump to v12 was released on NPM. It looks like the GitHub release info on the repo isn't synced. I thought that might have thrown off dependabot. I guess I dismissed that alert too early. 😮‍💨

@nedredmond

#131
