Deps: upgrade react-dev-utils to get newer immer

[phated]

Issue: #13961

What I did

I upgraded react-dev-utils to the new patch version that includes the immer without prototype pollution.

How to test

• Is this testable with Jest or Chromatic screenshots? ❌
• Does this need a new example in the kitchen sink apps? ❌
• Does this need an update to the documentation? ❌

If your answer is yes to any of these, please make sure to include it in your PR.

[sandrogomez]

👍

[shilman]

LGTM thanks! 🙏

[timbomckay]

We're on Storybook v6.3.8 and getting immer as a critical vulnerability. Does this fix that? Has this been released or is it slated for v6.4 or v7?

[shilman]

@timbomckay this should be in 6.3.x ... 6.2.x even!

[timbomckay]

We just wiped our package-lock and reinstalled. Here's the versions we're on:

• @storybook/addon-essentials: ^6.3.8
• @storybook/addon-knobs: ^6.3.1
• @storybook/theming: ^6.3.8
• @storybook/vue: ^6.3.8

When we run npm audit we get the following 4 criticals:

Critical        This affects the package immer before 9.0.6. A type           
                confusion vulnerability can lead to a bypass of               
                CVE-2020-28477 when the user-provided keys used in the path   
                parameter are arrays. In particular, this bypass is possible  
                because the condition (p === "__proto__" || p ===             
                "constructor") in applyPatches_ returns false if p is         
                ['__proto__'] (or ['constructor']). The === operator (strict  
                equality operator) returns false if the operands have         
                different type.                                               
Package         immer                                                         
Patched in      9.0.6                                                         
Dependency of   @storybook/vue [dev]                                          
Path            @storybook/vue > @storybook/core > @storybook/core-server >   
                @storybook/builder-webpack4 > react-dev-utils > immer         
More info       https://nodesecurity.io/advisories/184711                     

Critical        This affects the package immer before 9.0.6. A type           
                confusion vulnerability can lead to a bypass of               
                CVE-2020-28477 when the user-provided keys used in the path   
                parameter are arrays. In particular, this bypass is possible  
                because the condition (p === "__proto__" || p ===             
                "constructor") in applyPatches_ returns false if p is         
                ['__proto__'] (or ['constructor']). The === operator (strict  
                equality operator) returns false if the operands have         
                different type.                                               
Package         immer                                                         
Patched in      9.0.6                                                         
Dependency of   @storybook/addon-essentials [dev]                             
Path            @storybook/addon-essentials > @storybook/addon-docs >         
                @storybook/core > @storybook/core-server >                    
                @storybook/builder-webpack4 > react-dev-utils > immer         
More info       https://nodesecurity.io/advisories/184711                     

Critical        immer is vulnerable to Improperly Controlled Modification of  
                Object Prototype Attributes ('Prototype Pollution')           
Package         immer                                                         
Patched in      9.0.6                                                         
Dependency of   @storybook/vue [dev]                                          
Path            @storybook/vue > @storybook/core > @storybook/core-server >   
                @storybook/builder-webpack4 > react-dev-utils > immer         
More info       https://nodesecurity.io/advisories/184353                     

Critical        immer is vulnerable to Improperly Controlled Modification of  
                Object Prototype Attributes ('Prototype Pollution')           
Package         immer                                                         
Patched in      9.0.6                                                         
Dependency of   @storybook/addon-essentials [dev]                             
Path            @storybook/addon-essentials > @storybook/addon-docs >         
                @storybook/core > @storybook/core-server >                    
                @storybook/builder-webpack4 > react-dev-utils > immer         
More info       https://nodesecurity.io/advisories/184353       

Which it does appear that react-dev-tools installed latest of version 11.0.4 which still has a hard dependency of "immer": "8.0.4". So it seems like this isn't a matter of Storybook updating a dependency but react-dev-tools. Found a couple issues reported on their github.

Alright, well thanks. Should've dug deeper into this before commenting, as well as posting on the referenced issue haha. Anyways, sorry about that and thanks for the quick reply.

[literalpie]

My understanding is that the update was merged into react-dev-utils, but it hasn't been a new version of 11.x released. Only 12.x prereleases (see here).

This comment suggests that this is not as urgent as the audit suggests, since it is only an issue in a dev tool, which I guess isn't used in any way that exposes the vulnerability to untrusted code.