
[Security] Critical Warnings on react-dev-utils that depends on immer

Open coderwurst opened this issue 3 years ago • 0 comments

Describe the bug

I noticed from our pipeline that a critical vulnerability has been raised stemming from immer not being on at least version 9.0.6.

Steps to reproduce the behavior

  1. Run OWASP Checks

Screenshots

NPM-1067715: fix from 9.0.6

NPM-1067720: fix from 9.0.6

NPM-1068264: fix from 8.0.1

Result of npm list immer

```
─┬ @types/[email protected]
│ └─┬ @storybook/[email protected]
│   └─┬ [email protected]
│     └── [email protected]
```

Additional context

Updating @storybook/react to v6.4.13 should solve this issue. Are there any plans to update this package, or are there any known reasons not to update to the next major version?

coderwurst, Apr 28 '22 16:04
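The issue's "Run OWASP Checks" step boils down to one question: does any transitive copy of immer in the tree sit below the version in which each advisory was fixed? The script below is an added example, not code from the issue, from addon-jsx or from Storybook. It walks the JSON that `npm ls immer --json` prints, reports every path that pulls immer in, and compares the installed version against the fix versions the screenshots name (NPM-1067715 and NPM-1067720 fixed in 9.0.6, NPM-1068264 fixed in 8.0.1). The embedded tree is constructed to mirror the dependency path in the issue; its version numbers are placeholders, since the page does not show them, and the `compareVersions` helper is a deliberately minimal comparator for the plain x.y.z versions npm prints here.

```javascript
// Added example: audit an `npm ls <pkg> --json` tree for copies of a package
// that are older than the version in which an advisory was fixed.
// Not from the issue or from Storybook; the sample tree below is constructed.

// Advisory id -> first fixed version, as listed in the issue's screenshots.
const FIXES = {
  'NPM-1067715': '9.0.6',
  'NPM-1067720': '9.0.6',
  'NPM-1068264': '8.0.1',
};

// Split "x.y.z" into numbers. A pre-release suffix ("-beta.1") is dropped;
// assumption: good enough for the release versions npm prints for immer.
function parseVersion(v) {
  return String(v).split('-')[0].split('.').map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// Missing components count as 0, so "9.0" equals "9.0.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively walk the `dependencies` objects that `npm ls --json` emits and
// collect every occurrence of `pkg` with the chain of packages that pulls it in.
function findPackage(tree, pkg, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) out.push({ version: node.version, path: here });
    findPackage(node, pkg, here, out);
  }
  return out;
}

// For each occurrence, list the advisories whose fix version it has not reached.
function audit(tree, pkg, fixes) {
  return findPackage(tree, pkg).map(({ version, path }) => ({
    version,
    path: path.join(' > '),
    unfixed: Object.entries(fixes)
      .filter(([, fixed]) => compareVersions(version, fixed) < 0)
      .map(([id]) => id),
  }));
}

// Constructed sample: same shape as the tree in the issue. The version numbers
// are placeholders (assumption), not the ones from the reporter's project.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    '@types/react': { version: '17.0.0', dependencies: {
      '@storybook/react': { version: '6.3.0', dependencies: {
        'react-dev-utils': { version: '11.0.4', dependencies: {
          immer: { version: '8.0.1' },
        } },
      } },
    } },
  },
};

function sampleFindings() {
  return audit(SAMPLE_TREE, 'immer', FIXES);
}

// Stand-alone run: print one line per immer occurrence that is still exposed.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of sampleFindings()) {
    const status = f.unfixed.length ? `unfixed: ${f.unfixed.join(', ')}` : 'ok';
    console.log(`${f.path} -> ${status}`);
  }
}
```

To use it against a real project, run `npm ls immer --json > tree.json`, `JSON.parse` that file and pass the object to `audit` in place of `SAMPLE_TREE`; any finding with a non-empty `unfixed` list is a copy that still needs the parent package (here @storybook/react, and through it react-dev-utils) bumped far enough to pull in a fixed immer.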