
browserslist Security Vulnerability #15173

Closed
zpeterson opened this issue Jun 8, 2021 · 1 comment


Describe the bug

NPM Advisory 1747

I know this isn't really a bug, but Storybook has several dependencies on react-dev-utils, which is using a vulnerable version of browserslist. I've opened an issue in create-react-app, and once it is addressed, you'll want to upgrade.

  • @storybook/addon-essentials > @storybook/addon-docs > @storybook/builder-webpack4 > react-dev-utils > browserslist
  • @storybook/addon-essentials > @storybook/addon-docs > @storybook/core > @storybook/core-server > @storybook/builder-webpack4 > react-dev-utils > browserslist
  • @storybook/react > @storybook/core > @storybook/core-server > @storybook/builder-webpack4 > react-dev-utils > browserslist
  • @storybook/react > react-dev-utils > browserslist

To Reproduce

Run npm audit
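The paths above are what `npm audit` prints when it finds a transitive dependency whose installed version falls outside an advisory's "Patched in" range. The following is an added example, not code from the Storybook project or from this issue: it walks an `npm ls --json`-style dependency tree, collects every path that ends at a named package, and keeps only the paths whose installed version is below the patched floor (`>=4.16.5` for this advisory). The tree, package versions and the `some-other-tool` entry are constructed for illustration and are not taken from the issue.

```javascript
// Constructed sample shaped like the `dependencies` tree that `npm ls --json` prints.
// Package versions here are assumptions for the example, not values from the issue.
const sampleTree = {
  name: 'example-app',
  dependencies: {
    '@storybook/addon-essentials': {
      version: '6.2.9',
      dependencies: {
        '@storybook/addon-docs': {
          version: '6.2.9',
          dependencies: {
            '@storybook/builder-webpack4': {
              version: '6.2.9',
              dependencies: {
                'react-dev-utils': {
                  version: '0.0.0-assumed',
                  dependencies: { browserslist: { version: '4.14.2' } },
                },
              },
            },
          },
        },
      },
    },
    '@storybook/react': {
      version: '6.2.9',
      dependencies: {
        'react-dev-utils': {
          version: '0.0.0-assumed',
          dependencies: { browserslist: { version: '4.14.2' } },
        },
      },
    },
    // A hypothetical package that already pulls in a patched browserslist.
    'some-other-tool': {
      version: '1.0.0',
      dependencies: { browserslist: { version: '4.16.6' } },
    },
  },
};

// Parse the leading MAJOR.MINOR.PATCH of a version string into numbers.
// Pre-release suffixes are ignored, which is enough for a ">=x.y.z" floor check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions component by component: negative, zero or positive.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// An advisory's "Patched in >=FLOOR" means any installed version at or above FLOOR is fixed.
function isPatched(installed, patchedFloor) {
  return compareVersions(installed, patchedFloor) >= 0;
}

// Depth-first walk returning every path root > ... > target plus the version found there.
function findPaths(tree, target) {
  const results = [];
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = [...path, name];
      if (name === target) results.push({ path: next, version: child.version });
      walk(child, next); // keep descending: the target may also be nested further down
    }
  }
  walk(tree, []);
  return results;
}

// Only the paths whose installed version is still below the patched floor.
function findVulnerablePaths(tree, target, patchedFloor) {
  return findPaths(tree, target).filter((r) => !isPatched(r.version, patchedFloor));
}

// Render a path the way `npm audit` does: "a > b > c".
function formatPath(path) {
  return path.join(' > ');
}

// Stand-alone run: print each unpatched path with its installed version.
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of findVulnerablePaths(sampleTree, 'browserslist', '4.16.5')) {
    console.log(`${formatPath(r.path)} (installed ${r.version}, patched in >=4.16.5)`);
  }
}
```

On a real project you would feed it `JSON.parse` of `npm ls --all --json` output. Note that npm hoists and deduplicates packages, so a single vulnerable copy of `browserslist` at the top level may be shared by several of the listed paths; the walker still reports each nested occurrence it finds, which is what you need to decide whether an upgrade of one parent (here react-dev-utils) clears all of them.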

System

Environment Info:

  System:
    OS: Linux 5.10 Ubuntu 20.04 LTS (Focal Fossa)
    CPU: (8) x64 Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
  Binaries:
    Node: 10.13.0 - ~/.nvm/versions/node/v10.13.0/bin/node
    npm: 6.4.1 - ~/.nvm/versions/node/v10.13.0/bin/npm
  npmPackages:
    @storybook/addon-a11y: 6.2.9 => 6.2.9 
    @storybook/addon-essentials: 6.2.9 => 6.2.9 
    @storybook/addon-links: 6.2.9 => 6.2.9 
    @storybook/addons: 6.2.9 => 6.2.9 
    @storybook/preset-scss: 1.0.3 => 1.0.3 
    @storybook/react: 6.2.9 => 6.2.9 
    @storybook/theming: 6.2.9 => 6.2.9 

Additional context

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ browserslist                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.16.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/builder-webpack4 > react-dev-utils > browserslist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1747                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ browserslist                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.16.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server >                   │
│               │ @storybook/builder-webpack4 > react-dev-utils > browserslist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1747                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ browserslist                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.16.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core > @storybook/core-server  │
│               │ > @storybook/builder-webpack4 > react-dev-utils >            │
│               │ browserslist                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1747                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ browserslist                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.16.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > react-dev-utils > browserslist            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1747                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022
Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent : storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556

storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far

After figured @storybook/addon-ondevice-notes/register Jest parsing issue
- Add generated storybook.requires.js to gitignore
- Add prestart script to get-stories first

Consider splitting/decoupling App/Storybook Jest parsing
- env var with dynamic import
- npm workspaces / lerna
- multiple modules

shilman commented Jun 7, 2023

We’re cleaning house! Storybook has changed a lot since this issue was created and we don’t know if it’s still valid.

Please open a new issue referencing this one if:

shilman closed this as not planned (won't fix, can't repro, duplicate, stale) Jun 7, 2023