
Critical Security Vulnerabilities while npm Audit #16556

Closed
priti-vyawahare opened this issue Nov 2, 2021 · 5 comments

Comments

@priti-vyawahare

When I run npm audit using npm audit --audit-level=critical --registry=https://registry.npmjs.org

I get the critical vulnerabilities below. I am not sure how I can get rid of them. I have an Angular mono repo.
Angular version 11
npm version 6.14.6
node: 12.18.3
Storybook versions
"@storybook/angular": "^6.4.0-beta.25",
"@storybook/addon-essentials": "^6.4.0-beta.25",
"@storybook/addon-links": "^6.4.0-beta.25",
"@storybook/addon-storysource": "^6.4.0-beta.25",
"@storybook/addons": "^6.4.0-beta.25",
"@storybook/builder-webpack5": "^6.4.0-beta.25",
"@storybook/manager-webpack5": "^6.4.0-beta.25",


To Reproduce
npm audit --audit-level=critical --registry=https://registry.npmjs.org

│ More info │ GHSA-33f9-j839-rf8h
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=9.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/angular [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @storybook/angular > @storybook/core > │
│ │ @storybook/core-server > @storybook/builder-webpack4 > │
│ │ react-dev-utils > immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-33f9-j839-rf8h
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=9.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @storybook/addon-essentials > @storybook/addon-docs > │
│ │ @storybook/core > @storybook/core-server > │
│ │ @storybook/builder-webpack4 > react-dev-utils > immer │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-33f9-j839-rf8h

System

Environment Info:

System:
OS: Windows 10 10.0.18363
CPU: (8) x64 Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
Binaries:
Node: 12.18.3 - C:\Program Files\nodejs\node.EXE
npm: 6.14.6 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Spartan (44.18362.1593.0)
npmPackages:
@storybook/addon-essentials: ^6.4.0-beta.25 => 6.4.0-beta.25
@storybook/addon-links: ^6.4.0-beta.25 => 6.4.0-beta.25
@storybook/addon-storysource: ^6.4.0-beta.25 => 6.4.0-beta.25
@storybook/addons: ^6.4.0-beta.25 => 6.4.0-beta.25
@storybook/angular: ^6.4.0-beta.25 => 6.4.0-beta.25
@storybook/builder-webpack5: ^6.4.0-beta.25 => 6.4.0-beta.25
@storybook/manager-webpack5: ^6.4.0-beta.25 => 6.4.0-beta.25

C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:321
throw er
^

Error: ENOTEMPTY: directory not empty, rmdir 'C:\Users\vv002e\AppData\Roaming\npm-cache\_npx\8448\node_modules\sb\node_modules\shelljs'
at Object.rmdirSync (fs.js:850:3)
at rmkidsSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:364:25)
at rmdirSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:342:7)
at rimrafSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:312:9)
at C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:350:5
at Array.forEach ()
at rmkidsSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:349:26)
at rmdirSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:342:7)
at rimrafSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:312:9)
at C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:350:5
at Array.forEach ()
at rmkidsSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:349:26)
at rmdirSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:342:7)
at rimrafSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:312:9)
at C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:350:5
at Array.forEach () {
errno: -4051,
syscall: 'rmdir',
code: 'ENOTEMPTY',
path: 'C:\Users\vv002e\AppData\Roaming\npm-cache\_npx\8448\node_modules\sb\node_modules\shelljs'

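A way to triage a report like the one above mechanically, added here as an example that is not part of this issue and is not code from Storybook or npm: it reads the JSON that `npm audit --json` emits, keeps findings at or above a chosen severity, marks those reachable only through dev dependencies, and lists the direct dependents plus the shortest chain to the vulnerable package, which is what decides whether the fix is an upgrade of a direct dependency or an accepted dev-only exposure. The report layout it assumes (an `advisories` map whose entries carry `findings[].paths` and `findings[].dev`) is npm 6's JSON format as understood here; the embedded sample report is constructed to mirror the two immer rows in the table, and its advisory key and installed immer version are placeholders, since the issue does not show them. Only the `>=x.y.z` form of "Patched in" is evaluated; real range syntax needs the `semver` package.

```javascript
// Added example: triage of an `npm audit --json` report (not npm's or Storybook's code).
// ASSUMED report layout (npm 6 JSON output as understood here): an `advisories` map whose
// entries carry module_name, severity, patched_versions, url and findings[] with
// version, dev and paths[] (">"-separated dependency chains).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the two immer entries in the issue's audit table.
// The advisory key and the installed version are placeholders, not values from the issue.
const SAMPLE_REPORT = {
  advisories: {
    "example-advisory-1": {
      module_name: "immer",
      severity: "critical",
      title: "Prototype Pollution in immer",
      patched_versions: ">=9.0.6",
      url: "https://github.com/advisories/GHSA-33f9-j839-rf8h",
      findings: [
        {
          version: "8.0.0", // constructed; the issue does not show the installed version
          dev: true,
          paths: [
            "@storybook/angular>@storybook/core>@storybook/core-server>@storybook/builder-webpack4>react-dev-utils>immer",
            "@storybook/addon-essentials>@storybook/addon-docs>@storybook/core>@storybook/core-server>@storybook/builder-webpack4>react-dev-utils>immer",
          ],
        },
      ],
    },
  },
};

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`cannot parse version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Only the ">=x.y.z" form that audit prints as "Patched in" is handled; any other
// range yields null (unknown). Use the `semver` package for full range syntax.
function isPatched(installed, patchedRange) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(String(patchedRange).trim());
  return m ? compareSemver(installed, m[1]) >= 0 : null;
}

// One row per finding at or above minSeverity, with what a reviewer needs to decide
// between "upgrade the direct dependent" and "accept as dev-only exposure".
function triage(report, minSeverity = "critical") {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    if ((SEVERITY_RANK[adv.severity] ?? -1) < threshold) continue;
    for (const finding of adv.findings || []) {
      const chains = finding.paths.map((p) => p.split(">"));
      const shortest = chains.reduce((a, b) => (b.length < a.length ? b : a));
      rows.push({
        module: adv.module_name,
        severity: adv.severity,
        installed: finding.version,
        patchedIn: adv.patched_versions,
        alreadyPatched: isPatched(finding.version, adv.patched_versions),
        devOnly: finding.dev === true,
        directDependents: [...new Set(chains.map((c) => c[0]))].sort(),
        shortestPath: shortest.join(" > "),
        advisory: adv.url,
      });
    }
  }
  // Worst severity first, then production exposure before dev-only.
  return rows.sort(
    (x, y) =>
      SEVERITY_RANK[y.severity] - SEVERITY_RANK[x.severity] ||
      Number(x.devOnly) - Number(y.devOnly)
  );
}

// Human-readable one-liner per row, e.g. for a CI log.
function formatRow(row) {
  const scope = row.devOnly ? "dev-only" : "PRODUCTION";
  return `${row.severity.toUpperCase()} ${row.module}@${row.installed} (${scope}) ` +
    `patched in ${row.patchedIn}; via ${row.directDependents.join(", ")}; shortest: ${row.shortestPath}`;
}

console.log(triage(SAMPLE_REPORT).map(formatRow).join("\n"));
```

To run it against a real project, save `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync("audit.json", "utf8"))` to `triage` instead of `SAMPLE_REPORT`. The `devOnly` flag is the field that matters for the "false positive on dev build tools" discussion: it separates a finding that can reach production from one that only ships with the build pipeline, without pretending the latter needs no upgrade.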

@mittyesque

The 2 affected packages are

  1. builder-webpack4
  2. core-common

@mittyesque

https://github.com/feedmypixel/backstage/commit/8d1461cee3e36351bfc57afa742cadf231abd10b

@sarahannnicholson

sarahannnicholson commented Nov 29, 2021

@mittyesque is that a fix? Could you make a PR?

+@shilman

@shilman
Member

shilman commented Nov 29, 2021

@sarahannnicholson storybook 6.4 is on the latest stable version of react-dev-utils

npx sb upgrade

@shilman shilman closed this as completed Nov 29, 2021
@sarahannnicholson

sarahannnicholson commented Nov 30, 2021

I guess this issue should really be raised with react-dev-utils

> npm list immer

[my project dir]
└─┬ @storybook/[email protected]
  └─┬ [email protected]
    └── [email protected]

facebook/create-react-app#11641
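For readers who want to see what the vulnerability class named in the advisory (prototype pollution) actually looks like, an added example that is not immer's code, not react-dev-utils' code, and not from this thread: a generic naive deep-merge that walks into the prototype chain, the hardened version beside it, and a small check a test suite can run against any merge function to confirm it does not write into `Object.prototype`. Every function name and the constructed payload are this example's own assumptions.

```javascript
// Added example: generic prototype-pollution illustration (not immer's code).
// Every name here is the example's own; the payload is constructed.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// "Before": a naive recursive merge. When the source carries an own "__proto__"
// key (JSON.parse creates exactly that), target["__proto__"] resolves through the
// accessor to Object.prototype, the recursion writes into it, and every object in
// the process then inherits the caller-chosen key.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// "After": refuse the three keys that reach the prototype chain, iterate own keys
// only, and never recurse into an inherited property of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMerge(ownPlain ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Enumerable keys an empty literal inherits; a clean runtime returns [].
function inheritedEnumerableKeys() {
  const keys = [];
  for (const key in {}) keys.push(key);
  return keys;
}

// Regression check for any merge implementation: merge a constructed payload that
// targets the prototype chain, then see whether an unrelated empty object picked
// the canary up. The finally block restores the runtime either way.
function mergeResistsPrototypePollution(mergeFn) {
  const CANARY = "__pp_canary__";
  const payload = JSON.parse(`{"__proto__": {"${CANARY}": 1}}`); // constructed input
  try {
    mergeFn({}, payload);
    return !(CANARY in {});
  } finally {
    delete Object.prototype[CANARY];
  }
}

console.log("naiveMerge resists pollution:", mergeResistsPrototypePollution(naiveMerge));
console.log("safeMerge resists pollution:", mergeResistsPrototypePollution(safeMerge));
```

A stricter variant of `safeMerge` builds its result with `Object.create(null)` so there is no prototype to reach at all; the denylist plus own-key iteration shown here is the change that keeps ordinary object literals working. The `mergeResistsPrototypePollution` check is the piece worth keeping in a test suite, because an upgrade of a transitive dependency (the fix offered in this thread) is only verified once something asserts on the behaviour rather than on the version number.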

leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022
Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent : storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556

storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far
leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022
Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent : storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556

storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far

After figured @storybook/addon-ondevice-notes/register Jest parsing issue
- Add generated storybook.requires.js to gitignore
- Add prestart script to get-stories first

Consider splitting/decoupling App/Storybook Jest parsing
- env var with dynamic import
- npm workspaces / lerna
- multiple modules
No branches or pull requests

4 participants