Core: Add CJS entries to addon annotations #26170

Merged

@yannbf yannbf commented Feb 23, 2024

Closes #

What I did

This is remaining work from #26045. The addon annotations files were supposedly CJS; however, the content was actually ESM. So this change adds an actual .cjs file to the entrypoint. This is a step backwards to being full ESM in Storybook, but by the time we do the full ESM change, we can tell people that portable stories will also only work for ESM-compatible environments, and hopefully it will all be ok!

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

socket-security bot commented Feb 23, 2024

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/is-map@2.0.2 None 0 12.7 kB ljharb
npm/is-negative-zero@2.0.3 None 0 27.1 kB ljharb
npm/is-path-inside@3.0.3 None 0 4.12 kB sindresorhus
npm/is-plain-obj@2.1.0 None 0 3.69 kB sindresorhus
npm/is-plain-object@5.0.0 None 0 9.16 kB trysound
npm/is-regex@1.1.4 Transitive: eval +13 279 kB ljharb
npm/is-set@2.0.2 None 0 12.3 kB ljharb
npm/is-shared-array-buffer@1.0.3 Transitive: eval +12 250 kB ljharb
npm/is-stream@3.0.0 None 0 6.23 kB sindresorhus
npm/is-string@1.0.7 None +2 57.3 kB ljharb
npm/is-symbol@1.0.4 None +1 42.6 kB ljharb
npm/is-typed-array@1.1.13 Transitive: eval +16 345 kB ljharb
npm/is-weakref@1.0.2 Transitive: eval +12 244 kB ljharb
npm/isarray@2.0.5 None 0 3.43 kB juliangruber
npm/istanbul-lib-coverage@3.2.2 None 0 34.4 kB oss-bot
npm/istanbul-lib-report@3.0.1 filesystem +4 89 kB oss-bot
npm/istanbul-lib-source-maps@4.0.1 filesystem Transitive: environment +3 118 kB oss-bot
npm/istanbul-reports@3.1.7 Transitive: filesystem +5 383 kB oss-bot
npm/iterator.prototype@1.1.2 Transitive: eval +12 240 kB ljharb
npm/jackspeak@2.3.6 environment 0 253 kB isaacs
npm/jake@10.8.7 environment, filesystem, shell +9 295 kB mde
npm/jest-get-type@29.6.3 None 0 3.79 kB simenb
npm/jest-matcher-utils@29.7.0 Transitive: environment, eval +10 229 kB simenb
npm/jest-message-util@29.7.0 Transitive: environment, eval, filesystem +22 497 kB simenb
npm/jest-util@29.7.0 environment Transitive: filesystem +9 4.13 MB simenb
npm/js-tokens@4.0.0 None 0 15.1 kB lydell
npm/js-yaml@3.14.1 eval Transitive: environment, filesystem +1 463 kB vitaly
npm/jsesc@2.5.2 None 0 32 kB mathias
npm/json-schema-traverse@0.4.1 None 0 19.6 kB esp
npm/json-stable-stringify-without-jsonify@1.0.1 None 0 14.2 kB samn
npm/json5@2.2.3 None 0 235 kB jordanbtucker
npm/jsonfile@6.1.0 filesystem Transitive: environment +2 57 kB ryanzim
npm/jsonpointer@5.0.1 None 0 6.75 kB marcbachmann
npm/jsonwebtoken@9.0.2 None +4 181 kB charlesrea
npm/jsx-ast-utils@3.3.5 Transitive: eval +58 3.51 MB ljharb
npm/junit-xml@1.2.0 None 0 49.9 kB vincenttunru
npm/keyv@4.5.4 None 0 27.8 kB jaredwray
npm/language-tags@1.0.9 None 0 32 kB mcg
npm/leven@3.1.0 None 0 5.34 kB sindresorhus
npm/levn@0.4.1 None 0 24.9 kB gkz
npm/li@1.3.0 None 0 10.8 kB jfromaniello
npm/lint-staged@10.5.4 environment, filesystem Transitive: shell +25 813 kB okonet
npm/locate-path@6.0.0 filesystem 0 7.02 kB sindresorhus
npm/lodash.debounce@4.0.8 None 0 14 kB jdalton
npm/lodash.find@4.6.0 None 0 68.9 kB jdalton
npm/lodash.includes@4.3.0 None 0 21.9 kB jdalton
npm/lodash.isobject@3.0.2 None 0 3.84 kB jdalton
npm/lodash.keys@4.2.0 None 0 13.2 kB jdalton
npm/lodash.mapvalues@4.6.0 None 0 64.8 kB jdalton
npm/lodash.memoize@4.1.2 None 0 20.1 kB jdalton
npm/lodash.merge@4.6.2 None 0 54.1 kB jdalton
npm/lodash@4.17.21 None 0 1.41 MB bnjmnt4n
npm/lru-cache@5.1.1 None +1 30.5 kB isaacs
npm/lz-string@1.5.0 None 0 176 kB pieroxy
npm/magic-string@0.30.7 None +1 493 kB antfu
npm/magicast@0.3.3 filesystem Transitive: environment +5 5.02 MB antfu
npm/make-dir@1.3.0 filesystem +1 12.5 kB sindresorhus
npm/memfs-or-file-map-to-github-branch@1.2.1 Transitive: network +16 4.24 MB orta
npm/memoizerific@1.11.3 environment 0 40.5 kB thinkloop
npm/merge-descriptors@1.0.1 None 0 4.89 kB dougwilson
npm/merge-stream@2.0.0 None 0 4.31 kB stevemao
npm/merge2@1.4.1 None 0 8.9 kB zensh
npm/methods@1.1.2 network 0 5.29 kB dougwilson
npm/micromatch@4.0.5 None 0 55.9 kB jonschlinkert
npm/mime-types@2.1.35 None 0 18.3 kB dougwilson
npm/mime@3.0.0 None 0 60.1 kB broofa
npm/minimatch@9.0.3 environment +2 452 kB isaacs
npm/minimist@1.2.8 None 0 54.5 kB ljharb
npm/ms@2.1.2 None 0 6.84 kB styfle
npm/natural-compare@1.4.0 None 0 5.65 kB megawac
npm/negotiator@0.6.3 None 0 27.4 kB dougwilson
npm/node-cleanup@2.1.2 None 0 54.3 kB jtlapp
npm/node-fetch@2.7.0 network 0 162 kB node-fetch-bot
npm/node-gyp@9.4.1 environment, shell Transitive: filesystem +16 3.51 MB lukekarrys
npm/node-releases@2.0.14 None 0 34 kB chicoxyzzy
npm/npm-run-path@5.3.0 environment +1 13 kB sindresorhus
npm/npmlog@5.0.1 None 0 16.6 kB gar
npm/nx@17.0.2 environment, filesystem, network, shell, unsafe +45 5.96 MB nrwl-jason
npm/object-assign@4.1.1 None 0 5.49 kB sindresorhus
npm/object-inspect@1.13.1 None 0 97.2 kB ljharb
npm/object-is@1.1.5 Transitive: eval +14 294 kB ljharb
npm/object-keys@1.1.1 None 0 26.5 kB ljharb
npm/object.assign@4.1.5 Transitive: eval +14 344 kB ljharb
npm/object.entries@1.1.7 Transitive: eval +54 3.22 MB ljharb
npm/object.fromentries@2.0.7 Transitive: eval +54 3.21 MB ljharb
npm/object.groupby@1.0.2 Transitive: eval +54 3.21 MB ljharb
npm/object.hasown@1.1.3 Transitive: eval +54 3.21 MB ljharb
npm/object.values@1.1.7 Transitive: eval +54 3.22 MB ljharb
npm/on-finished@2.4.1 unsafe 0 13.7 kB dougwilson
npm/once@1.4.0 None 0 4.05 kB isaacs
npm/onetime@6.0.0 None 0 5.88 kB sindresorhus
npm/optionator@0.9.3 None +1 75.1 kB gkz
npm/ora@5.4.1 None +8 130 kB sindresorhus
npm/override-require@1.1.1 unsafe 0 8.59 kB gajus
npm/p-limit@3.1.0 None 0 7.75 kB sindresorhus
npm/p-retry@5.1.2 None +1 45 kB sindresorhus
npm/p-try@2.2.0 None 0 4.37 kB sindresorhus
npm/parse-diff@0.7.1 None 0 24.2 kB sergeyt
npm/parse-git-config@2.0.3 filesystem 0 15.4 kB jonschlinkert
npm/parse-github-url@1.0.2 None 0 27.4 kB jonschlinkert
npm/parse-link-header@2.0.0 environment 0 12.7 kB thlorenz
npm/parseurl@1.3.3 None 0 10.3 kB dougwilson
npm/path-exists@4.0.0 filesystem 0 3.92 kB sindresorhus
npm/path-is-absolute@1.0.1 None 0 3.62 kB sindresorhus
npm/path-key@3.1.1 None 0 4.55 kB sindresorhus
npm/path-parse@1.0.7 None 0 4.51 kB jbgutierrez
npm/path-to-regexp@0.1.7 None 0 6.78 kB blakeembrey
npm/path-type@4.0.0 filesystem 0 5.41 kB sindresorhus
npm/picocolors@1.0.0 environment 0 5.66 kB alexeyraspopov
npm/pify@2.3.0 None 0 6.02 kB sindresorhus
npm/pinkie-promise@2.0.1 None 0 2.58 kB floatdrop
npm/pinpoint@1.1.0 None 0 5.72 kB curvedmark
npm/pkg-dir@7.0.0 Transitive: filesystem +3 28 kB sindresorhus
npm/playwright-core@1.36.0 environment, eval, filesystem, network, shell, unsafe 0 7.2 MB aslushnikov
npm/playwright@1.36.0 Transitive: environment, eval, filesystem, network, shell, unsafe +1 7.23 MB aslushnikov
npm/prettier-linter-helpers@1.0.0 None 0 9.58 kB bpscott
npm/prettier@3.2.5 environment, filesystem, unsafe 0 8.39 MB prettier-bot
npm/pretty-bytes@6.1.1 None 0 11.3 kB sindresorhus
npm/pretty-format@27.5.1 eval Transitive: environment +2 99.7 kB simenb
npm/pretty-hrtime@1.0.3 None 0 6.35 kB robrich
npm/pretty-ms@8.0.0 None 0 11.8 kB sindresorhus
npm/prettyjson@1.2.5 None +1 71.8 kB rafeca
npm/process@0.11.10 None 0 15.3 kB cwmma
npm/prompts@2.4.2 None 0 187 kB terkelg
npm/prop-types@15.8.1 environment +2 124 kB ljharb
npm/proxy-addr@2.0.7 None 0 15.4 kB dougwilson
npm/qs@6.11.2 Transitive: eval +14 588 kB ljharb
npm/query-string@7.1.3 None 0 46.2 kB sindresorhus
npm/range-parser@1.2.1 None 0 8.46 kB dougwilson
npm/raw-body@2.5.1 network, unsafe Transitive: environment, eval +8 444 kB dougwilson
npm/react-dom@18.2.0 environment +1 4.82 MB gnoff
npm/react-is@18.2.0 environment 0 24 kB gnoff
npm/react@18.2.0 environment 0 316 kB gnoff
npm/read-input@0.3.1 filesystem 0 13.9 kB rstacruz
npm/read-pkg-up@7.0.1 Transitive: filesystem +4 231 kB sindresorhus
npm/readable-stream@3.6.2 environment +1 128 kB matteo.collina
npm/readline-sync@1.4.10 environment, filesystem, shell 0 133 kB anseki
npm/recast@0.23.4 filesystem +1 328 kB eventualbuddha
npm/redent@3.0.0 None 0 3.6 kB sindresorhus
npm/regenerator-runtime@0.14.1 None 0 27.9 kB benjamn
npm/regenerator-transform@0.15.2 None +2 412 kB benjamn
npm/regexp.prototype.flags@1.5.2 Transitive: eval +14 311 kB ljharb
npm/regexpu-core@5.3.2 None 0 53.8 kB google-wombot
npm/remark-cli@12.0.0 None +1 32.6 kB wooorm
npm/remark-lint@9.1.2 None 0 6.64 kB wooorm
npm/remark-preset-lint-recommended@6.1.3 None +1 17.5 kB wooorm
npm/remark@14.0.3 None 0 14.1 kB wooorm
npm/require-from-string@2.0.2 unsafe 0 3.42 kB floatdrop
npm/requireindex@1.2.0 filesystem 0 6.62 kB stephenhandley
npm/resolve@1.22.8 environment, filesystem +5 232 kB ljharb
npm/retry-request@5.0.2 Transitive: environment +3 90.9 kB google-wombot
npm/retry@0.12.0 None 0 32.2 kB tim-kos
npm/reusify@1.0.4 None 0 9.44 kB matteo.collina
npm/rimraf@3.0.2 filesystem Transitive: environment, shell +11 1.29 MB isaacs
npm/run-parallel@1.2.0 None 0 6.56 kB feross
npm/safe-array-concat@1.1.0 Transitive: eval +13 253 kB ljharb
npm/safe-buffer@5.2.1 None 0 32.1 kB feross
npm/safe-regex-test@1.0.3 Transitive: eval +14 289 kB ljharb
npm/schema-utils@4.2.0 environment Transitive: eval +6 1.55 MB evilebottnawi
npm/seek-bzip@1.0.6 Transitive: filesystem, shell +1 108 kB cscott
npm/semver@7.6.0 None +1 109 kB npm-cli-ops
npm/send@0.18.0 filesystem, network Transitive: environment, eval, unsafe +15 281 kB dougwilson
npm/serve-static@1.15.0 Transitive: environment, eval, filesystem, network, unsafe +17 316 kB dougwilson
npm/set-function-length@1.2.1 Transitive: eval +10 209 kB ljharb
npm/setprototypeof@1.2.0 None 0 4.03 kB wesleytodd
npm/shebang-command@2.0.0 None 0 2.56 kB kevva
npm/side-channel@1.0.5 Transitive: eval +13 347 kB ljharb
npm/signal-exit@3.0.7 None 0 9.96 kB isaacs
npm/simple-git@3.22.0 shell Transitive: environment +2 936 kB steveukx
npm/slash@3.0.0 None 0 3.51 kB sindresorhus
npm/sort-object-keys@1.1.3 None 0 2.69 kB keithamus
npm/sort-package-json@2.8.0 Transitive: filesystem +22 444 kB keithamus
npm/statuses@2.0.1 None 0 12.1 kB dougwilson
npm/std-env@3.7.0 None 0 26.2 kB pi0
npm/stop-iteration-iterator@1.0.0 Transitive: eval +15 376 kB ljharb
npm/stream-events@1.0.5 None 0 3.03 kB stephenplusplus
npm/stream-shift@1.0.3 None 0 4.46 kB mafintosh
npm/string-width@5.1.2 None +3 113 kB sindresorhus
npm/string.prototype.matchall@4.0.10 Transitive: eval +54 3.23 MB ljharb
npm/string.prototype.trim@1.2.8 Transitive: eval +53 3.19 MB ljharb
npm/string.prototype.trimend@1.0.7 Transitive: eval +53 3.19 MB ljharb
npm/string.prototype.trimstart@1.0.7 Transitive: eval +53 3.19 MB ljharb
npm/strip-ansi@6.0.1 None +1 9.64 kB sindresorhus
npm/strip-dirs@2.1.0 None 0 6.6 kB shinnn
npm/strip-final-newline@3.0.0 None 0 3.36 kB sindresorhus
npm/strip-json-comments@3.1.1 None 0 6.96 kB sindresorhus
npm/supports-color@5.5.0 environment +1 11 kB sindresorhus
npm/supports-hyperlinks@1.0.1 environment +2 17.4 kB jamestalmage
npm/supports-preserve-symlinks-flag@1.0.0 None 0 9.18 kB ljharb
npm/synckit@0.8.8 environment +1 139 kB jounqin
npm/syntax-error@1.4.0 eval 0 9.57 kB goto-bus-stop
npm/tar-stream@1.6.2 filesystem Transitive: environment +4 165 kB mafintosh
npm/teeny-request@8.0.3 environment, network +8 481 kB google-wombot
npm/tempy@1.0.1 filesystem +1 214 kB sindresorhus
npm/test-exclude@6.0.0 Transitive: environment, filesystem, shell +13 1.31 MB coreyfarrell
npm/text-table@0.2.0 None 0 11 kB substack
npm/tiny-invariant@1.3.3 None 0 14.8 kB alexreardon
npm/tmp@0.2.1 filesystem Transitive: environment, shell +12 1.34 MB raszi
npm/to-fast-properties@2.0.0 None 0 3.5 kB sindresorhus
npm/trash@7.2.0 filesystem, shell +19 449 kB sindresorhus
npm/ts-api-utils@1.2.1 None +1 41.4 MB joshuakgoldberg
npm/ts-dedent@2.2.0 None 0 26.6 kB tamino-martinius
npm/ts-loader@9.5.1 filesystem Transitive: environment, eval, network, shell, unsafe +31 50.6 MB johnnyreilly
npm/tsconfig-paths@3.15.0 environment, filesystem, unsafe +2 506 kB jonaskello
npm/tslib@2.6.2 None 0 84 kB typescript-bot
npm/tsup@6.7.0 environment, eval, filesystem Transitive: network, shell +55 249 MB egoist
npm/tsutils@3.21.0 None +2 41.1 MB ajaff
npm/tunnel@0.0.6 environment, network 0 64.9 kB koichik
npm/type-fest@2.19.0 None 0 202 kB sindresorhus
npm/type-is@1.6.18 None +1 36.8 kB dougwilson
npm/typed-array-buffer@1.0.2 Transitive: eval +17 358 kB ljharb
npm/typed-array-byte-length@1.0.1 Transitive: eval +17 365 kB ljharb
npm/typed-array-byte-offset@1.0.2 Transitive: eval +17 366 kB ljharb
npm/typed-array-length@1.0.5 Transitive: eval +17 371 kB ljharb
npm/typescript@5.2.2 None 0 40.6 MB typescript-bot
npm/unbox-primitive@1.0.2 Transitive: eval +16 320 kB ljharb
npm/unbzip2-stream@1.4.3 None 0 133 kB regular
npm/undici-types@5.26.5 None 0 73.1 kB ethan_arrowood
npm/undici@5.28.3 environment, network, unsafe 0 1.17 MB matteo.collina
npm/universalify@2.0.1 None 0 4.67 kB ryanzim
npm/unpipe@1.0.0 None 0 4.31 kB dougwilson
npm/update-browserslist-db@1.0.13 filesystem, shell Transitive: environment +5 2.36 MB ai
npm/uri-js@4.4.1 None 0 470 kB garycourt
npm/urlgrey@1.0.0 None 0 318 kB cainus
npm/util@0.12.5 environment Transitive: eval +19 412 kB goto-bus-stop
npm/utils-merge@1.0.1 None 0 3.72 kB jaredhanson
npm/uuid@9.0.1 None 0 123 kB ctavan
npm/v8-to-istanbul@9.2.0 filesystem, unsafe +4 324 kB oss-bot
npm/vary@1.1.2 None 0 8.75 kB dougwilson
npm/verdaccio-auth-memory@10.2.2 None 0 21.9 kB verdaccio.npm
npm/verdaccio@5.29.2 environment, filesystem, network Transitive: eval, unsafe +66 4.68 MB verdaccio.npm
npm/vitest@1.3.1 Transitive: environment, filesystem, shell +21 6.13 MB antfu, oreanno, patak, ...1 more
npm/vscode-json-languageservice@4.2.1 None 0 507 kB aeschli
npm/wait-on@7.2.0 filesystem, network +2 1.5 MB jeffbski
npm/which-boxed-primitive@1.0.2 None +4 94.4 kB ljharb
npm/which-collection@1.0.1 None +2 35.9 kB ljharb
npm/which-typed-array@1.1.14 Transitive: eval +15 322 kB ljharb
npm/which@2.0.2 environment 0 9.97 kB isaacs
npm/widest-line@4.0.1 None +4 117 kB sindresorhus
npm/window-size@1.1.1 environment, shell 0 12.6 kB doowb
npm/wrap-ansi@8.1.0 None +7 171 kB sindresorhus
npm/xcase@2.0.1 None 0 61.2 kB rush
npm/yallist@4.0.0 None 0 14.8 kB isaacs
npm/yaml@2.4.0 None 0 670 kB eemeli
npm/yargs-parser@21.1.1 environment, filesystem 0 128 kB oss-bot
npm/yargs@17.7.2 environment, filesystem +5 484 kB oss-bot
npm/yauzl@2.10.0 filesystem 0 66.2 kB thejoshwolfe
npm/zod@3.22.4 None 0 628 kB colinmcd94

🚮 Removed packages: npm/@aashutoshrathi/word-wrap@1.2.6, npm/@babel/regjsgen@0.8.0, npm/@fastify/busboy@2.1.0, npm/@gar/promisify@1.1.3, npm/@hapi/hoek@9.3.0, npm/@hapi/topo@5.1.0, npm/@isaacs/cliui@8.0.2, npm/@istanbuljs/schema@0.1.3, npm/@jest/types@29.6.3, npm/@kwsites/file-exists@1.1.1, npm/@kwsites/promise-deferred@1.1.1, npm/@npmcli/agent@2.2.0, npm/@npmcli/config@8.1.0, npm/@npmcli/fs@2.1.2, npm/@npmcli/map-workspaces@3.0.4, npm/@npmcli/move-file@2.0.1, npm/@npmcli/name-from-folder@2.0.0, npm/@nrwl/tao@17.0.2, npm/@nx/nx-darwin-arm64@17.0.2, npm/@nx/nx-darwin-x64@17.0.2, npm/@nx/nx-freebsd-x64@17.0.2, npm/@nx/nx-linux-arm-gnueabihf@17.0.2, npm/@nx/nx-linux-arm64-gnu@17.0.2, npm/@nx/nx-linux-arm64-musl@17.0.2, npm/@nx/nx-linux-x64-gnu@17.0.2, npm/@nx/nx-linux-x64-musl@17.0.2, npm/@nx/nx-win32-arm64-msvc@17.0.2, npm/@nx/nx-win32-x64-msvc@17.0.2, npm/@pkgjs/parseargs@0.11.0, npm/@pkgr/core@0.1.1, npm/@rollup/rollup-android-arm-eabi@4.12.0, npm/@rollup/rollup-android-arm64@4.12.0, npm/@rollup/rollup-darwin-arm64@4.12.0, npm/@rollup/rollup-darwin-x64@4.12.0, npm/@rollup/rollup-linux-arm-gnueabihf@4.12.0, npm/@rollup/rollup-linux-arm64-gnu@4.12.0, npm/@rollup/rollup-linux-arm64-musl@4.12.0, npm/@rollup/rollup-linux-x64-gnu@4.12.0, npm/@rollup/rollup-linux-x64-musl@4.12.0, npm/@rollup/rollup-win32-arm64-msvc@4.12.0, npm/@rollup/rollup-win32-ia32-msvc@4.12.0, npm/@rollup/rollup-win32-x64-msvc@4.12.0, npm/@sideway/address@4.1.5, npm/@sideway/formula@3.0.1, npm/@sideway/pinpoint@2.0.0, npm/@sindresorhus/df@3.1.1, npm/@sindresorhus/is@4.6.0, npm/@stroncium/procfs@1.2.1, npm/@szmarczak/http-timer@4.0.6, npm/@types/cacheable-request@6.0.3, npm/@types/concat-stream@2.0.3, npm/@types/debug@4.1.12, npm/@types/estree-jsx@1.0.5, npm/@types/estree@1.0.5, npm/@types/hast@2.3.10, npm/@types/http-cache-semantics@4.0.4, npm/@types/is-empty@1.2.3, npm/@types/istanbul-lib-coverage@2.0.6, npm/@types/istanbul-lib-report@3.0.3, npm/@types/istanbul-reports@3.0.4, 
npm/@types/json5@0.0.29, npm/@types/keyv@3.1.4, npm/@types/mdast@3.0.15, npm/@types/ms@0.7.34, npm/@types/normalize-package-data@2.4.4, npm/@types/parse-json@4.0.2, npm/@types/responselike@1.0.3, npm/@types/retry@0.12.1, npm/@types/stack-utils@2.0.3, npm/@types/supports-color@8.1.3, npm/@types/text-table@0.2.5, npm/@types/unist@2.0.10, npm/@types/yargs-parser@21.0.3, npm/@types/yargs@17.0.32, npm/@verdaccio/commons-api@10.2.0, npm/@verdaccio/config@7.0.0-next-7.10, npm/@verdaccio/core@7.0.0-next-7.10, npm/@verdaccio/file-locking@10.3.1, npm/@verdaccio/local-storage@10.3.3, npm/@verdaccio/logger-7@7.0.0-next-7.10, npm/@verdaccio/logger-commons@7.0.0-next-7.10, npm/@verdaccio/logger-prettify@7.0.0-next.1, npm/@verdaccio/middleware@7.0.0-next-7.10, npm/@verdaccio/search@7.0.0-next.2, npm/@verdaccio/signature@7.0.0-next.3, npm/@verdaccio/streams@10.2.1, npm/@verdaccio/tarball@12.0.0-next-7.10, npm/@verdaccio/ui-theme@7.0.0-next-7.10, npm/@verdaccio/url@12.0.0-next-7.10, npm/@verdaccio/utils@7.0.0-next-7.10, npm/@vitest/expect@1.3.1, npm/@vitest/runner@1.3.1, npm/@vitest/snapshot@1.3.1, npm/@vitest/spy@1.3.1, npm/@vitest/utils@1.3.1, npm/@yarnpkg/lockfile@1.1.0, npm/@yarnpkg/parsers@3.0.0-rc.46, npm/@zkochan/js-yaml@0.0.6, npm/abbrev@1.1.1, npm/abort-controller@3.0.0, npm/acorn-node@1.8.2, npm/acorn-walk@7.2.0, npm/agentkeepalive@4.5.0, npm/aggregate-error@3.1.0, npm/ajv-formats@2.1.1, npm/ajv-keywords@5.1.0, npm/ansi-escapes@4.3.2, npm/any-promise@1.3.0, npm/anymatch@3.1.3, npm/apache-md5@1.1.8, npm/aproba@2.0.0, npm/are-we-there-yet@3.0.1, npm/array-uniq@1.0.3, npm/asn1@0.2.6, npm/assert-plus@1.0.0, npm/assert@2.1.0, npm/assertion-error@1.1.0, npm/ast-types@0.16.1, npm/astral-regex@2.0.0, npm/async@3.2.5, npm/atomic-sleep@1.0.0, npm/aws-sign2@0.7.0, npm/aws4@1.12.0, npm/axios@1.6.7, npm/bail@2.0.2, npm/base64-js@1.5.1, npm/basic-auth@2.0.1, npm/bcrypt-pbkdf@1.0.2, npm/bcryptjs@2.4.3, npm/bignumber.js@9.1.2, npm/binary-extensions@2.2.0, npm/bl@4.1.0, npm/braces@3.0.2, 
npm/buffer-alloc-unsafe@1.1.0, npm/buffer-alloc@1.2.0, npm/buffer-crc32@0.2.13, npm/buffer-equal-constant-time@1.0.1, npm/buffer-fill@1.0.0, npm/buffer-from@1.1.2, npm/buffer@5.7.1, npm/bundle-require@4.0.2, npm/cac@6.7.14, npm/cacache@16.1.3, npm/cacheable-lookup@5.0.4, npm/cacheable-request@7.0.4, npm/callsites@3.1.0, npm/caseless@0.12.0, npm/chai@4.4.1, npm/character-entities@2.0.2, npm/check-error@1.0.3, npm/checkup@1.3.0, npm/chokidar@3.6.0, npm/chownr@2.0.0, npm/ci-info@2.0.0, npm/clean-stack@2.2.0, npm/cli-cursor@3.1.0, npm/cli-spinners@2.6.1, npm/cli-truncate@2.1.0, npm/clipanion@3.2.1, npm/cliui@8.0.1, npm/clone-response@1.0.3, npm/clone@1.0.4, npm/color-support@1.1.3, npm/colorette@2.0.20, npm/colors@1.4.0, npm/comma-separated-tokens@2.0.3, npm/compare-versions@3.6.0, npm/compressible@2.0.18, npm/compression@1.7.4, npm/concat-stream@2.0.0, npm/console-control-strings@1.1.0, npm/cookies@0.9.1, npm/core-util-is@1.0.3, npm/cors@2.8.5, npm/corser@2.0.1, npm/cosmiconfig@7.1.0, npm/crypto-random-string@2.0.0, npm/dashdash@1.14.1, npm/dayjs@1.11.7, npm/decode-named-character-reference@1.0.2, npm/decode-uri-component@0.2.2, npm/decompress-response@6.0.0, npm/dedent@0.7.0, npm/deep-eql@4.1.3, npm/deep-is@0.1.4, npm/defaults@1.0.4, npm/defer-to-connect@2.0.1, npm/define-lazy-prop@2.0.0, npm/define-property@1.0.0, npm/del@6.1.1, npm/delegates@1.0.0, npm/devlop@1.1.0, npm/diff-sequences@29.6.3, npm/diff@5.2.0, npm/dom-serializer@1.4.1, npm/domelementtype@2.3.0, npm/domhandler@4.3.1, npm/domutils@2.8.0, npm/dotenv-expand@10.0.0, npm/dotenv@16.3.2, npm/duplexer@0.1.2, npm/eastasianwidth@0.2.0, npm/ecc-jsbn@0.1.2, npm/ecdsa-sig-formatter@1.0.11, npm/ee-first@1.1.1, npm/encoding@0.1.13, npm/enhanced-resolve@5.15.0, npm/entities@3.0.1, npm/env-paths@2.2.1, npm/envinfo@7.11.0, npm/err-code@2.0.3, npm/error-ex@1.3.2, npm/escalade@3.1.2, npm/esprima@4.0.1, npm/estree-walker@3.0.3, npm/event-target-shim@5.0.1, npm/eventemitter3@4.0.7, npm/events@3.3.0, npm/expand-tilde@2.0.2, 
npm/exponential-backoff@3.1.1, npm/express-rate-limit@5.5.1, npm/extend-shallow@2.0.1, npm/extsprintf@1.3.0, npm/fast-diff@1.3.0, npm/fast-levenshtein@2.0.6, npm/fast-redact@3.3.0, npm/fast-safe-stringify@2.1.1, npm/fast-text-encoding@1.0.6, npm/fd-slicer@1.1.0, npm/figures@3.2.0, npm/filelist@1.0.4, npm/fill-range@7.0.1, npm/filter-obj@1.1.0, npm/find-versions@4.0.0, npm/flat@5.0.2, npm/follow-redirects@1.15.5, npm/for-each@0.3.3, npm/forever-agent@0.6.1, npm/forwarded@0.2.0, npm/fs-constants@1.0.0, npm/fs-exists-sync@0.1.0, npm/fs-minipass@2.1.0, npm/fsevents@2.3.3, npm/gauge@4.0.4, npm/gaxios@5.1.3, npm/gcp-metadata@5.3.0, npm/get-caller-file@2.0.5, npm/get-func-name@2.0.2, npm/get-own-enumerable-property-symbols@3.0.2, npm/getpass@0.1.7, npm/git-config-path@1.0.1, npm/google-p12-pem@4.0.1, npm/gtoken@6.1.2, npm/handlebars@4.7.8, npm/har-schema@2.0.0, npm/har-validator@5.1.5, npm/has-bigints@1.0.2, npm/has-unicode@2.0.1, npm/he@1.2.0, npm/homedir-polyfill@1.0.3, npm/hosted-git-info@2.8.9, npm/html-encoding-sniffer@3.0.0, npm/html-escaper@2.0.2, npm/http-cache-semantics@4.1.1, npm/http-proxy@1.18.1, npm/http-signature@1.3.6, npm/http-status-codes@2.3.0, npm/http2-wrapper@1.0.3, npm/humanize-ms@1.2.1, npm/ieee754@1.2.1, npm/import-meta-resolve@3.1.1, npm/indent-string@4.0.0, npm/infer-owner@1.0.4, npm/ini@1.3.8, npm/ip@2.0.0, npm/ipaddr.js@1.9.1, npm/is-accessor-descriptor@1.0.1, npm/is-arrayish@0.2.1, npm/is-async-function@2.0.0, npm/is-bigint@1.0.4, npm/is-binary-path@2.1.0, npm/is-boolean-object@1.1.2, npm/is-buffer@2.0.5, npm/is-descriptor@1.0.3, npm/is-docker@2.2.1, npm/is-empty@1.2.0, npm/is-extendable@0.1.1, npm/is-extglob@2.1.1, npm/is-finalizationregistry@1.0.2, npm/is-generator-function@1.0.10, npm/is-interactive@1.0.0, npm/jsonstream@1.3.5

socket-security bot commented Feb 23, 2024

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package Note Source
Shell access npm/readline-sync@1.4.10
Uses eval npm/js-yaml@3.14.1
Uses eval npm/js-yaml@3.14.1
New author npm/ms@2.1.2
New author npm/istanbul-lib-report@3.0.1
New author npm/istanbul-lib-source-maps@4.0.1
Shell access npm/update-browserslist-db@1.0.13
New author npm/merge-stream@2.0.0
New author npm/react-is@18.2.0
Uses eval npm/pretty-format@27.5.1
New author npm/react@18.2.0
New author npm/react-dom@18.2.0
Shell access npm/jake@10.8.7
New author npm/syntax-error@1.4.0
Uses eval npm/syntax-error@1.4.0
New author npm/jsonwebtoken@9.0.2
Uses eval npm/tsup@6.7.0
Shell access npm/window-size@1.1.1
Uses eval npm/playwright-core@1.36.0
Shell access npm/playwright-core@1.36.0
Shell access npm/nx@17.0.2
Shell access npm/nx@17.0.2
Install scripts npm/nx@17.0.2
  • Install script: postinstall
  • Source: node ./bin/post-install
Shell access npm/trash@7.2.0
New author npm/node-gyp@9.4.1
Shell access npm/node-gyp@9.4.1
Install scripts npm/playwright@1.36.0
  • Install script: install
  • Source: node install.js
New author npm/json-parse-even-better-errors@3.0.1
  • orphan: npm/json-parse-even-better-errors@3.0.1
Shell access npm/simple-git@3.22.0

Next steps

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is eval?

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware, you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/readline-sync@1.4.10
  • @SocketSecurity ignore npm/js-yaml@3.14.1
  • @SocketSecurity ignore npm/ms@2.1.2
  • @SocketSecurity ignore npm/istanbul-lib-report@3.0.1
  • @SocketSecurity ignore npm/istanbul-lib-source-maps@4.0.1
  • @SocketSecurity ignore npm/update-browserslist-db@1.0.13
  • @SocketSecurity ignore npm/merge-stream@2.0.0
  • @SocketSecurity ignore npm/react-is@18.2.0
  • @SocketSecurity ignore npm/pretty-format@27.5.1
  • @SocketSecurity ignore npm/react@18.2.0
  • @SocketSecurity ignore npm/react-dom@18.2.0
  • @SocketSecurity ignore npm/jake@10.8.7
  • @SocketSecurity ignore npm/syntax-error@1.4.0
  • @SocketSecurity ignore npm/jsonwebtoken@9.0.2
  • @SocketSecurity ignore npm/tsup@6.7.0
  • @SocketSecurity ignore npm/window-size@1.1.1
  • @SocketSecurity ignore npm/playwright-core@1.36.0
  • @SocketSecurity ignore npm/nx@17.0.2
  • @SocketSecurity ignore npm/trash@7.2.0
  • @SocketSecurity ignore npm/node-gyp@9.4.1
  • @SocketSecurity ignore npm/playwright@1.36.0
  • @SocketSecurity ignore npm/json-parse-even-better-errors@3.0.1
  • @SocketSecurity ignore npm/simple-git@3.22.0

@yannbf yannbf merged commit 94fca73 into feature/portable-stories-improvements Feb 26, 2024
56 of 58 checks passed
@yannbf yannbf deleted the yann/addon-annotations-cjs branch February 26, 2024 13:44