
Please upgrade dependencies to fix audit failures

Open liftyourgame opened this issue 2 years ago • 1 comments

Describe the bug: Storybook triggering 13 audit failures in my project

To Reproduce: Just install the latest @storybook. In particular upgrade @mdx-js/mdx

System

Environment Info:

  System:
    OS: macOS 12.3.1
    CPU: (10) arm64 Apple M1 Max
  Binaries:
    Node: 14.19.1 - ~/.nvm/versions/node/v14.19.1/bin/node
    npm: 6.14.16 - ~/.nvm/versions/node/v14.19.1/bin/npm
  Browsers:
    Chrome: 101.0.4951.54
    Safari: 15.4
  npmPackages:
    @storybook/addon-actions: ^6.4.22 => 6.4.22
    @storybook/addon-essentials: ^6.4.22 => 6.4.22
    @storybook/addon-interactions: ^6.4.22 => 6.4.22
    @storybook/addon-links: ^6.4.22 => 6.4.22
    @storybook/react: ^6.4.22 => 6.4.22
    @storybook/testing-library: 0.0.9 => 0.0.9

Additional context: Add any other context about the problem here.

liftyourgame avatar May 06 '22 08:05 liftyourgame

Up to 22

KyleTryon avatar Sep 17 '22 16:09 KyleTryon

There are security errors in @storybook/cli package (in version 7, that is in beta) too:

# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install @storybook/[email protected], which is a breaking change
node_modules/got
  download-tarball  *
  Depends on vulnerable versions of got
  node_modules/download-tarball
    @storybook/cli  >=7.0.0-alpha.0
    Depends on vulnerable versions of download-tarball
    node_modules/@storybook/cli

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install @storybook/[email protected], which is a breaking change
node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

5 vulnerabilities (2 moderate, 3 high)

luanmm avatar Feb 15 '23 20:02 luanmm

And according to

└─┬ [email protected]
  └─┬ @storybook/[email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]

It seems to be caused by download-tarball, which has not been updated in 4 years

(edit: which seems to be a new addition in 7.0.0-beta.48: https://github.com/storybookjs/storybook/commit/62e37c08822b8d849079c384a89682e0b34690f0)

chartinger avatar Feb 16 '23 10:02 chartinger

@chartinger thank you for reporting, if you wouldn't mind giving the issue upstream a thumbs-up?

If there's any other way you could assist to get this resolved, any help would be appreciated!

ndelangen avatar Feb 16 '23 12:02 ndelangen

I opened a PR to modernize the dependency: https://github.com/kesla/download-tarball/pull/6

ndelangen avatar Feb 16 '23 13:02 ndelangen

As the package code is about 26 lines, I wonder if it would be easier to just have a helper function :)

chartinger avatar Feb 20 '23 08:02 chartinger

Jeepers creepers!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-beta.58 containing PR #21201 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb@next upgrade --prerelease

shilman avatar Mar 01 '23 12:03 shilman