
Security Vulnerabilities #16063

Closed
cimbis opened this issue Sep 15, 2021 · 6 comments

Comments

@cimbis

cimbis commented Sep 15, 2021

Hi there!

npm audit reports a ton of vulnerabilities with @storybook/* packages.

This is already mentioned in #15173, #15174 and #15175.

Judging by #15174 (comment), the glob-parent issue will be solved in the next minor version release.

However, the others, related to mdx parsing, would still persist.

One possible solution, at least to my understanding, would be to bump the mdx-js/mdx version (mdx-js/mdx#1041), which would not only fix some of the issues but also add a few more features for those writing mdx docs.
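A triage helper, added here as an example and not code from this issue thread or from Storybook: it takes an `npm audit --json` report (npm 7+ report shape assumed), follows each advisory's `effects` chain up to the top-level packages that pull it in, flags findings that are reached only through @storybook/* dev tooling, and records whether npm's suggested fix is a semver-major bump, the situation described above for mdx-js/mdx. The report below is constructed, and `mdx-parser-dep` and `some-app-lib` are placeholder package names.

```javascript
// Added example (not from the issue or Storybook). Assumes the npm >= 7 `npm audit --json`
// shape: `vulnerabilities` keyed by package, each with `via`, `effects` and `fixAvailable`.
const DEV_TOOLING_PREFIX = '@storybook/';
// Constructed sample report: advisory titles/URLs and the packages
// "mdx-parser-dep" and "some-app-lib" are placeholders, not real data.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'glob-parent': { severity: 'high', effects: ['chokidar'],
      via: [{ title: 'constructed advisory 1', url: 'https://example.invalid/adv/1' }],
      fixAvailable: { name: '@storybook/react', version: '6.4.0', isSemVerMajor: false } },
    chokidar: { severity: 'high', via: ['glob-parent'], effects: ['@storybook/core-server'] },
    '@storybook/core-server': { severity: 'high', via: ['chokidar'], effects: ['@storybook/react'] },
    '@storybook/react': { severity: 'high', via: ['@storybook/core-server'], effects: [], isDirect: true },
    'mdx-parser-dep': { severity: 'moderate', effects: ['@storybook/addon-docs'],
      via: [{ title: 'constructed advisory 2', url: 'https://example.invalid/adv/2' }],
      fixAvailable: { name: '@storybook/addon-docs', version: '7.0.0', isSemVerMajor: true } },
    '@storybook/addon-docs': { severity: 'moderate', via: ['mdx-parser-dep'], effects: [], isDirect: true },
    immer: { severity: 'critical', effects: ['some-app-lib'], fixAvailable: false,
      via: [{ title: 'constructed advisory 3', url: 'https://example.invalid/adv/3' }] },
  },
};
// Follow `effects` upward until a package with no effects, or one absent from
// the report (a non-vulnerable dependant), is reached: those are the roots.
function rootPackages(vulns, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const effects = (vulns[name] && vulns[name].effects) || [];
  if (effects.length === 0) return [name];
  return effects.flatMap((dep) => rootPackages(vulns, dep, seen));
}
function triageAudit(report) {
  const findings = [];
  const vulns = report.vulnerabilities || {};
  for (const [name, v] of Object.entries(vulns)) {
    // Objects in `via` are advisories; strings mean "vulnerable only through X".
    const advisories = (v.via || []).filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue;
    const roots = [...new Set(rootPackages(vulns, name))];
    const fix = v.fixAvailable;
    findings.push({
      package: name, severity: v.severity, advisories: advisories.map((a) => a.title), roots,
      devToolingOnly: roots.length > 0 && roots.every((r) => r.startsWith(DEV_TOOLING_PREFIX)),
      // npm's suggested remediation: none, a semver-major bump, or a minor/patch update
      fix: fix === false ? 'none' : fix && fix.isSemVerMajor ? 'major-bump' : 'minor-or-patch',
    });
  }
  return findings;
}
```

For a real project, run `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` to `triageAudit`; the `devToolingOnly` and `fix` fields are what separate "dev-only, patchable on a minor" findings from ones that wait on a major bump.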

@shilman
Member

shilman commented Sep 15, 2021

Given that mdx-js/mdx#1041 is a major version bump, I think upgrading would be a breaking change that would necessitate a major version bump in Storybook as well.

@Jackques

I tried 6.5.0-alpha.4 but it seems to use the same packages which cause issues. Anyone know when or if this will be fixed?

@landsman

landsman commented Feb 1, 2022

Would be nice to update this 🙏

leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022
Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent: storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556

storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far

After figuring out the @storybook/addon-ondevice-notes/register Jest parsing issue
- Add generated storybook.requires.js to gitignore
- Add prestart script to get-stories first

Consider splitting/decoupling App/Storybook Jest parsing
- env var with dynamic import
- npm workspaces / lerna
- multiple modules
@asvetlenko

asvetlenko commented Feb 11, 2022

Hi there!

We have some vulnerability issues related to storybook.

image

Other one:
image

Could you please update your packages and dependencies?

@vish01

vish01 commented May 5, 2022

Is there any update on this? I'm seeing this security issue when I run npm run audit as well.

@ndelangen
Member

Fixed in 7.0 where we've updated to MDX2

7 participants