
[dev-server-storybook] Fix potential security vulnerabilities

Open abdonrd opened this issue 2 years ago • 9 comments

With a fresh install of the @web/dev-server-storybook we have this warning:

Screenshot 2022-01-07 at 12 25 32

Because these two dependencies:

Screenshot 2022-01-07 at 12 25 47

@web/[email protected] requires [email protected] via a transitive dependency on [email protected]

Screenshot 2022-01-07 at 12 26 03

@web/[email protected] requires prismjs@~1.17.0 via a transitive dependency on [email protected]

Screenshot 2022-01-07 at 12 26 23

abdonrd Jan 07 '22 11:01

We already talked about this in the past with @Westbrook & @daKmoR:

https://lit-and-friends.slack.com/archives/C01JH6K4XFA/p1627390927451800

abdonrd Jan 07 '22 11:01

@daKmoR much of this derives from @mdjs/core issues in Rocket...

Westbrook Jan 08 '22 01:01

After updating to the new @web/[email protected] we have this:

Screenshot 2022-02-22 at 15 59 52

abdonrd Feb 22 '22 15:02

After updating to the new @mdjs/[email protected] we have this:

Screenshot 2022-03-07 at 16 58 42

abdonrd Mar 07 '22 15:03

Good that we’re making some progress here. Did we get @mdjs/core added to open-wc? That means we’re close, but I’m not sure there’s a path to reducing those last two yet. I’ll try to get another look this week, but then I’m on vacation for a while and might not be able to get into the deep deep spelunking I’ve been doing so far until I get back.

Westbrook Mar 09 '22 10:03

Oops! The first one is from lit-analyzer, not from @web/dev-server-storybook.

glob-parent@^3.1.0 => fast-glob@^2.2.6 => lit-analyzer

And the second one:

[email protected] => [email protected] => @mdx-js/mdx@^1.6.22 => @storybook/csf-tools
[email protected] => [email protected] => @mdx-js/mdx@^1.6.22 => @web/dev-server-storybook
[email protected] => [email protected] => @mdx-js/mdx@^1.6.22 => storybook-addon-markdown-docs
[email protected] => [email protected] => [email protected] => @mdx-js/mdx

Enjoy your vacation! 🎉

abdonrd Mar 09 '22 17:03

Right now we just have:

Screen Shot 2022-06-07 at 10 02 53

abdonrd Jun 07 '22 08:06

There remain several vulnerabilities in @web/[email protected] - including trim. These are with transitive dependencies so not straightforward to resolve but worth tracking.

The npm audit output I see:

Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @web/[email protected], which is a breaking change
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @storybook/mdx1-csf  *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@storybook/mdx1-csf
        @storybook/csf-tools  6.5.0-alpha.1 - 6.5.17-alpha.0
        Depends on vulnerable versions of @storybook/mdx1-csf
        node_modules/@storybook/csf-tools
      @web/dev-server-storybook  <=0.0.0-canary-20230420104136 || >=0.1.0
      Depends on vulnerable versions of @mdx-js/mdx
      Depends on vulnerable versions of storybook-addon-markdown-docs
      node_modules/@web/dev-server-storybook
      storybook-addon-markdown-docs  <=0.0.0-canary-20221203831 || >=0.1.0
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/storybook-addon-markdown-docs
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

johnhunter Oct 19 '23 08:10
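The chains abdonrd traced by hand earlier in the thread, and the tree in the audit output above, can be recovered mechanically from the lockfile. As an added example (not code from this issue or from the @web project), the Node script below resolves dependency paths from a package-lock.json the way npm does; the lockfile it walks is constructed, and the versions the issue redacts (dev-server-storybook, the markdown-docs addon, trim) are sample values.

```javascript
// Added example (not from the issue or the @web project): list every chain from
// the project root to a target package in a package-lock.json v2/v3 "packages"
// map, as `npm ls <pkg>` does. The lockfile is constructed; versions not in the
// audit output (dev-server-storybook, markdown-docs addon, trim) are samples.
const lock = {
  packages: {
    "": { dependencies: { "@web/dev-server-storybook": "^0.4.1" } },
    "node_modules/@web/dev-server-storybook": {
      version: "0.4.1",
      dependencies: { "@mdx-js/mdx": "^1.6.22", "storybook-addon-markdown-docs": "^0.4.0" },
    },
    "node_modules/storybook-addon-markdown-docs": {
      version: "0.4.0", dependencies: { "@mdx-js/mdx": "^1.6.22" } },
    "node_modules/@mdx-js/mdx": { version: "1.6.22", dependencies: { "remark-parse": "8.0.3" } },
    "node_modules/remark-parse": { version: "8.0.3", dependencies: { trim: "0.0.1" } },
    "node_modules/trim": { version: "0.0.1" },
  },
};
const NM = "node_modules/";
const nameOf = (p) => p.slice(p.lastIndexOf(NM) + NM.length);

// npm's lookup rule: a dependency of the package at `fromPath` resolves to the
// nearest `<ancestor>/node_modules/<name>` entry, walking up toward the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + NM + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // no hoisted entry either: dangling lockfile
    const i = base.lastIndexOf("/" + NM);
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Depth-first walk from the root; each chain is rendered "a@1 => b@2 => ...".
function dependencyChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  function walk(path, trail, seen) {
    const label = path === "" ? "(root)" : `${nameOf(path)}@${packages[path].version}`;
    const next = trail.concat(label);
    if (path !== "" && nameOf(path) === target) { chains.push(next.join(" => ")); return; }
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const child = resolve(packages, path, dep);
      if (child && !seen.has(child)) walk(child, next, new Set(seen).add(child));
    }
  }
  walk("", [], new Set([""]));
  return chains;
}
console.log(dependencyChains(lock, "trim").join("\n"));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object; the first hop of each chain is the direct dependency that has to move for the audit finding to clear.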

We’ll be publishing more about this soon, but the current suggestion is to upgrade to our brand new storybook builder that supports storybook@7: https://modern-web.dev/docs/storybook-builder/overview/

Westbrook Oct 19 '23 09:10