[dev-server-storybook] Fix potential security vulnerabilities
With a fresh install of @web/dev-server-storybook we have this warning:
![Screenshot 2022-01-07 at 12 25 32](https://user-images.githubusercontent.com/1007051/148537768-b6584042-a44d-417e-8bad-a4e6b6f01f80.png)
Because of these two dependencies:
![Screenshot 2022-01-07 at 12 25 47](https://user-images.githubusercontent.com/1007051/148537818-d3eaa174-ffb4-4477-8a46-d3d287419ddb.png)
@web/[email protected] requires [email protected] via a transitive dependency on [email protected]
![Screenshot 2022-01-07 at 12 26 03](https://user-images.githubusercontent.com/1007051/148538139-2966551d-fc82-4a05-94e8-ae4d20b78d8f.png)
@web/[email protected] requires prismjs@~1.17.0 via a transitive dependency on [email protected]
![Screenshot 2022-01-07 at 12 26 23](https://user-images.githubusercontent.com/1007051/148538346-6d7ac354-6c65-46d3-867b-ec2f6756812d.png)
We already talked about this in the past with @Westbrook & @daKmoR:
https://lit-and-friends.slack.com/archives/C01JH6K4XFA/p1627390927451800
@daKmoR much of this derives from @mdjs/core issues in Rocket...
After updating to the new @mdjs/[email protected] we have this:
Good that we’re making some progress here. Did we get @mdjs/core added to open-wc? That means we’re close, but I’m not sure there’s a path to reducing those last two yet. I’ll try to get another look this week, but then I’m on vacation for a while and might not be able to get into the deep deep spelunking I’ve been doing so far until I get back.
Oops! The first one is from lit-analyzer, not from @web/dev-server-storybook.
```
glob-parent@^3.1.0
=> fast-glob@^2.2.6
=> lit-analyzer
```
And the second one:
```
[email protected]
=> [email protected]
=> @mdx-js/mdx@^1.6.22
=> @storybook/csf-tools

[email protected]
=> [email protected]
=> @mdx-js/mdx@^1.6.22
=> @web/dev-server-storybook

[email protected]
=> [email protected]
=> @mdx-js/mdx@^1.6.22
=> storybook-addon-markdown-docs

[email protected]
=> [email protected]
=> [email protected]
=> @mdx-js/mdx
```
Enjoy your vacation! 🎉
Right now we just have:
![Screen Shot 2022-06-07 at 10 02 53](https://user-images.githubusercontent.com/1007051/172328494-591a4e4e-f8a9-4afa-a20b-340a13df28e9.png)
There remain several vulnerabilities in @web/[email protected], including trim. These are in transitive dependencies, so they are not straightforward to resolve, but they are worth tracking.
The npm audit output I see:
```
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @web/[email protected], which is a breaking change
node_modules/trim
  remark-parse <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @storybook/mdx1-csf *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@storybook/mdx1-csf
        @storybook/csf-tools 6.5.0-alpha.1 - 6.5.17-alpha.0
        Depends on vulnerable versions of @storybook/mdx1-csf
        node_modules/@storybook/csf-tools
      @web/dev-server-storybook <=0.0.0-canary-20230420104136 || >=0.1.0
      Depends on vulnerable versions of @mdx-js/mdx
      Depends on vulnerable versions of storybook-addon-markdown-docs
      node_modules/@web/dev-server-storybook
      storybook-addon-markdown-docs <=0.0.0-canary-20221203831 || >=0.1.0
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/storybook-addon-markdown-docs
    remark-mdx <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx
```
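The dependency-path walk done by hand earlier in this thread (trim => remark-parse => @mdx-js/mdx => @web/dev-server-storybook), as an added example that is not code from the modern-web project or the npm CLI: it follows the `vulnerabilities[name].effects` / `isDirect` structure that `npm audit --json` (auditReportVersion 2) emits, so the direct dependencies responsible for a transitive finding can be listed automatically. The report object is constructed by hand to mirror this thread's chain; the `range` values are copied from the audit text above, and the field shape is an assumption to check against real `npm audit --json` output.

```javascript
// Added example (not modern-web or npm code): trace a vulnerable transitive package up to
// the direct dependencies that pull it in, over the `vulnerabilities` map of `npm audit --json`.
// The report is hand-constructed to mirror this thread's trim chain; field shape is assumed.
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    trim: {
      name: 'trim', severity: 'high', isDirect: false, range: '<0.0.3',
      via: [{ name: 'trim', severity: 'high',
              title: 'Regular Expression Denial of Service in trim',
              url: 'https://github.com/advisories/GHSA-w5p7-h5w8-2hfq' }],
      effects: ['remark-parse'],
    },
    'remark-parse': { name: 'remark-parse', isDirect: false, range: '<=8.0.3',
      via: ['trim'], effects: ['@mdx-js/mdx', 'remark-mdx'] },
    'remark-mdx': { name: 'remark-mdx', isDirect: false, range: '<=1.6.22',
      via: ['remark-parse'], effects: ['@mdx-js/mdx'] },
    '@mdx-js/mdx': { name: '@mdx-js/mdx', isDirect: false, range: '<=1.6.22',
      via: ['remark-mdx', 'remark-parse'],
      effects: ['@web/dev-server-storybook', 'storybook-addon-markdown-docs'] },
    'storybook-addon-markdown-docs': { name: 'storybook-addon-markdown-docs',
      isDirect: false, via: ['@mdx-js/mdx'], effects: ['@web/dev-server-storybook'] },
    '@web/dev-server-storybook': { name: '@web/dev-server-storybook', isDirect: true,
      via: ['@mdx-js/mdx', 'storybook-addon-markdown-docs'], effects: [] },
  },
};

// Advisory objects in `via` (strings there are just names of packages the finding is inherited from).
function advisoriesFor(report, name) {
  const entry = report.vulnerabilities[name];
  return entry ? entry.via.filter((v) => typeof v === 'object') : [];
}

// Depth-first walk along `effects`; a path ends at a direct dependency or a leaf. `onPath` guards cycles.
function tracePaths(report, name, path = [], onPath = new Set()) {
  const entry = report.vulnerabilities[name];
  const here = [...path, name];
  if (!entry || entry.isDirect || entry.effects.length === 0 || onPath.has(name)) return [here];
  onPath.add(name);
  const paths = entry.effects.flatMap((next) => tracePaths(report, next, here, onPath));
  onPath.delete(name);
  return paths;
}

// The direct dependencies that have to be upgraded or replaced to drop `name` from the tree.
function directCulprits(report, name) {
  return [...new Set(tracePaths(report, name).map((p) => p[p.length - 1]))];
}

console.log(tracePaths(report, 'trim').map((p) => p.join(' > ')).join('\n'));
```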
We’ll be publishing more about this soon, but the current suggestion is to upgrade to our brand new storybook builder that supports storybook@7: https://modern-web.dev/docs/storybook-builder/overview/