Security warning on react-dev-utils that depends on immer

[erbunao]

Describe the bug

I noticed from our pipeline that a critical vulnerability has been raised stemming from immer not on the latest version 9.0.6. immer is a dependency of react-dev-utils.

At the moment, react-dev-utils is being updated to use immer's latest version.facebook/create-react-app#11364.

Happy to upgrade this once the PR above has been merged.

[snjnlsn]

That PR has been merged, storybook can now depend on react-dev-utils@11.0.4 to resolve this security vulnerability

[shilman]

Crikey!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-beta.2 containing PR #16196 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

[hawkticehurst]

I'm unfortunately still getting a critical severity warning despite having 6.4.0-beta.4 installed.

After some snooping, it looks like despite having bumped immer to the correct version in this PR, react-dev-utils has not yet actually published this change in a new package version (i.e. v11.0.4 is the latest release, but does not contain the security fix).

I would suggest potentially reopening this issue and tracking the conversation in the aforementioned PR until a published change comes down the line.

[fernandopasik]

Unfortunately we are stuck on this until facebook publishes the version 12 that resolve the issue. Unless we feel adventurous to move now to that beta version

version: '12.0.0-next.47',
  engines: {
    node: '>=14'
  },
  dependencies: {
    '@babel/code-frame': '^7.10.4',
    address: '^1.1.2',
    browserslist: '^4.16.5',
    chalk: '^2.4.2',
    'cross-spawn': '^7.0.3',
    'detect-port-alt': '^1.1.6',
    'escape-string-regexp': '^2.0.0',
    filesize: '^6.1.0',
    'find-up': '^4.1.0',
    'fork-ts-checker-webpack-plugin': '^6.0.5',
    'global-modules': '^2.0.0',
    globby: '^11.0.1',
    'gzip-size': '^5.1.1',
    immer: '^9.0.6',
    'is-root': '^2.1.0',
    'loader-utils': '^2.0.0',
    open: '^7.0.2',
    'pkg-up': '^3.1.0',
    prompts: '^2.4.0',
    'react-error-overlay': '7.0.0-next.54+1465357b',
    'recursive-readdir': '^2.2.2',
    'shell-quote': '^1.7.2',
    'strip-ansi': '^6.0.0',
    'text-table': '^0.2.0'
  },

[fernandopasik]

One "small" detail, we are using react-dev-utils for WatchMissingNodeModulesPlugin, and that is going to be removed in next version

facebook/create-react-app#11201 (comment)

facebook/create-react-app#11170 (comment)

@mrmckeb saw your comment there, are there any plans already to replace react-dev-utils?

[simonsmith]

Are you planning to release a new version of 5.x to address this?

[shilman]

@simonsmith No, Storybook 5.3 is almost 2 years old now and I'd strongly prefer if people upgrade to the latest

https://storybook.js.org/blog/storybook-6-migration-guide/

[mukundkatpatal]

Any update on this guys?

[erbunao]

Is there a temporary workaround to use the version "react-dev-utils": "12.0.0-next.47"?

[fernandopasik]

you could try yarn resolutions in package.json

{
  "react-dev-utils": "^12.0.0-next.47"
}

[jonsalvas]

got it working this way: facebook/create-react-app#11660 (comment)

[robertwbradford]

react-dev-utils has published v12. Could @storybook/react now be updated to use it?

[andig]

Since vulnerability has been solved- could this be released?

[furdzik]

react-dev-utils has been published to version 12. Could @storybook/angular be updated?

[shilman]

Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.6 containing PR #17022 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

[shilman]

Yo-ho-ho!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.13 containing PR #17022 that references this issue. Upgrade today to the @latest NPM tag to try it out!

npx sb upgrade