Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

yarn audit: security vulnerability detected in storybook 6.1.18 -> immer #13961

Closed
binary64 opened this issue Feb 19, 2021 · 5 comments
Closed

yarn audit: security vulnerability detected in storybook 6.1.18 -> immer #13961

binary64 opened this issue Feb 19, 2021 · 5 comments
Assignees
@phated
Labels
dependencies security

Comments

@binary64
Copy link

Describe the bug
immer, used by many of your packages, has had a new Prototype Pollution vulnerability detected: https://www.npmjs.com/advisories/1603 which is patched upstream in >=8.0.1

To Reproduce
yarn install @storybook/react && yarn audit

Expected behavior
revved to secure version
@claezon
Copy link

claezon commented Feb 20, 2021

Also reported in create-react-app.

While we wait, this may be a temporary solution:
https://github.com/rogeriochaves/npm-force-resolutions

@jeremybarbet jeremybarbet mentioned this issue Feb 22, 2021
Merged
@peterkimga
Copy link

peterkimga commented Feb 22, 2021
edited
Loading

This is related to this: ianstormtaylor/slate#4050

And I also have that problem in Storybook

And suggested the temporary solution is actually not working when used as a module.

@jgoyer
Copy link

jgoyer commented Feb 22, 2021

Fixed in create-react-app

@phated phated mentioned this issue Feb 22, 2021
Merged
@shilman
Copy link
Member

shilman commented Feb 23, 2021

Ooh-la-la!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.2.0-beta.1 containing PR #14015 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

@shilman shilman closed this as completed Feb 23, 2021
@shilman
Copy link
Member

shilman commented Feb 24, 2021

Boo-yah!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.1.20 containing PR #14015 that references this issue. Upgrade today to the @latest NPM tag to try it out!

npx sb upgrade

@johnnieskywalker johnnieskywalker mentioned this issue Mar 9, 2022
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@phated phated

Labels
dependencies security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@shilman @phated @jgoyer @binary64 @claezon @peterkimga