storybook-deployer icon indicating copy to clipboard operation
storybook-deployer copied to clipboard

Published 20 hours ago verified publisher icon storybook-eol

Upgrading git-url-parse fixing vulnerability

Open georgewrmarshall opened this issue 2 years ago • 3 comments

Description

Upgrading git-url-parse fixing vulnerability. Full disclosure I haven't done testing nor do I know how one might test this so any suggestions welcome

Fixes: #124

Screenshots

Before

Screen Shot 2022-08-24 at 9 17 09 AM

After

Still one remaining critical vulnerability but it concerns a dev dependency

Screen Shot 2022-08-24 at 9 16 45 AM

georgewrmarshall avatar Aug 24 '22 16:08 georgewrmarshall

Looking at the breaking changes in git-url-parse, which stems from https://github.com/IonicaBizau/parse-url/releases/tag/8.0.0, storybook-deployed does not seem to be affected by any breaking change. The only use of git-url-parse I can find is here: https://github.com/storybookjs/storybook-deployer/blob/master/bin/storybook_to_ghpages#L96. We should be quite confident in that the URL:

  • Does not contain a port
  • Is not a file path
  • Is not longer than 2048 characters

pstenstrm avatar Sep 09 '22 14:09 pstenstrm

Any chance this will get merged? There are 3 security advisories currently related to this outdated dependency.

pjaws avatar Sep 20 '22 21:09 pjaws

I too would like to get this merged to remove those audit problems

enfcyco avatar Sep 22 '22 13:09 enfcyco

@jimmyandrade and @hipstersmoothie can you please take a look?

MichaelArestad avatar Sep 26 '22 15:09 MichaelArestad

@jimmyandrade are there plans to cut a release that includes this update?

jwoldan avatar Oct 19 '22 16:10 jwoldan

@jimmyandrade are there plans to cut a release that includes this update?

@jwoldan I don't have permissions or access to generate a new release. @hipstersmoothie could you help us with this?

jimmyandrade avatar Oct 19 '22 20:10 jimmyandrade

I'm sorry I tried but can't push tags to the repo anymore

hipstersmoothie avatar Oct 19 '22 20:10 hipstersmoothie

Oof, is there someone else that might be able to help?

(Thanks for the quick response)

jwoldan avatar Oct 19 '22 20:10 jwoldan

It looks like the release attempts at least partially worked? Did some part of the release process fail after those important steps?

There are tags in the repo: https://github.com/storybookjs/storybook-deployer/tags, https://github.com/storybookjs/storybook-deployer/releases/tag/v2.8.16 And the package is updated in npm: https://www.npmjs.com/package/@storybook/storybook-deployer

And renovate's package diff shows a fairly reasonable diff, showing the git-url-parse bump: https://app.renovatebot.com/package-diff?name=@storybook/storybook-deployer&from=2.8.12&to=2.8.16

cysp avatar Oct 19 '22 21:10 cysp

I'll try to upgrade to 2.8.16, thanks @cysp!

jwoldan avatar Oct 19 '22 21:10 jwoldan