Critical Security Vulnerabilities while npm Audit #16556
The 2 affected packages are

@mittyesque is that a fix? Could you make a PR?

@sarahannnicholson storybook 6.4 is on the latest stable version of

I guess this issue should really be raised with react-dev-utils
leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022

Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent : storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556 storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far

After figured @storybook/addon-ondevice-notes/register Jest parsing issue
- Add generated storybook.requires.js to gitignore
- Add prestart script to get-stories first

Consider splitting/decoupling App/Storybook Jest parsing
- env var with dynamic import
- npm workspaces / lerna
- multiple modules
When I run npm audit using `npm audit --audit-level=critical --registry=https://registry.npmjs.org`, I get the critical vulnerabilities below. I am not sure how I can get rid of them. I have an Angular monorepo.

Angular version 11
npm version 6.14.6
node: 12.18.3

Storybook versions

```
"@storybook/angular": "^6.4.0-beta.25",
"@storybook/addon-essentials": "^6.4.0-beta.25",
"@storybook/addon-links": "^6.4.0-beta.25",
"@storybook/addon-storysource": "^6.4.0-beta.25",
"@storybook/addons": "^6.4.0-beta.25",
"@storybook/builder-webpack5": "^6.4.0-beta.25",
"@storybook/manager-webpack5": "^6.4.0-beta.25",
```
To Reproduce

```
npm audit --audit-level=critical --registry=https://registry.npmjs.org
│ More info     │ GHSA-33f9-j839-rf8h                                          │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/angular [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/angular > @storybook/core >                       │
│               │ @storybook/core-server > @storybook/builder-webpack4 >       │
│               │ react-dev-utils > immer                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ GHSA-33f9-j839-rf8h                                          │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Prototype Pollution in immer                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=9.0.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server >                   │
│               │ @storybook/builder-webpack4 > react-dev-utils > immer        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ GHSA-33f9-j839-rf8h                                          │
```
System

Please paste the results of `npx sb@next info` here.

```
Environment Info:

  System:
    OS: Windows 10 10.0.18363
    CPU: (8) x64 Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
  Binaries:
    Node: 12.18.3 - C:\Program Files\nodejs\node.EXE
    npm: 6.14.6 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: Spartan (44.18362.1593.0)
  npmPackages:
    @storybook/addon-essentials: ^6.4.0-beta.25 => 6.4.0-beta.25
    @storybook/addon-links: ^6.4.0-beta.25 => 6.4.0-beta.25
    @storybook/addon-storysource: ^6.4.0-beta.25 => 6.4.0-beta.25
    @storybook/addons: ^6.4.0-beta.25 => 6.4.0-beta.25
    @storybook/angular: ^6.4.0-beta.25 => 6.4.0-beta.25
    @storybook/builder-webpack5: ^6.4.0-beta.25 => 6.4.0-beta.25
    @storybook/manager-webpack5: ^6.4.0-beta.25 => 6.4.0-beta.25
C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:321
        throw er
        ^

Error: ENOTEMPTY: directory not empty, rmdir 'C:\Users\vv002e\AppData\Roaming\npm-cache\_npx\8448\node_modules\sb\node_modules\shelljs'
    at Object.rmdirSync (fs.js:850:3)
    at rmkidsSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:364:25)
    at rmdirSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:342:7)
    at rimrafSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:312:9)
    at C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:350:5
    at Array.forEach (<anonymous>)
    at rmkidsSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:349:26)
    at rmdirSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:342:7)
    at rimrafSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:312:9)
    at C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:350:5
    at Array.forEach (<anonymous>)
    at rmkidsSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:349:26)
    at rmdirSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:342:7)
    at rimrafSync (C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:312:9)
    at C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js:350:5
    at Array.forEach (<anonymous>) {
  errno: -4051,
  syscall: 'rmdir',
  code: 'ENOTEMPTY',
  path: 'C:\Users\vv002e\AppData\Roaming\npm-cache\_npx\8448\node_modules\sb\node_modules\shelljs'
```
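An added example, not part of the issue or of the Storybook project: a small Node script for triaging an audit finding like the one reported above. It walks an npm 6 (`lockfileVersion: 1`) `package-lock.json` tree and lists every installed copy of `immer` below the `>=9.0.6` patched version, with its nesting in `node_modules` and whether it is dev-only. The function names and the sample lockfile (including its version numbers) are constructed for illustration.

```javascript
// Added example: list installed copies of a package below its patched version
// in an npm 6 (lockfileVersion 1) package-lock.json tree.
const PATCHED = '9.0.6'; // "Patched in >=9.0.6" from the audit output

// Compare plain x.y.z versions; pre-release tags are ignored (simplification).
function lt(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Walk nested "dependencies" and record where each outdated copy is installed.
// The trail is the node_modules nesting, not the logical "requires" chain.
function findBelow(lock, name, patched, trail = [], out = []) {
  for (const [dep, meta] of Object.entries(lock.dependencies || {})) {
    const here = [...trail, dep];
    if (dep === name && lt(meta.version, patched)) {
      out.push({ installedAt: here.join(' > '), version: meta.version, dev: !!meta.dev });
    }
    findBelow(meta, name, patched, here, out);
  }
  return out;
}

// Constructed sample lockfile (versions are illustrative, not from the issue).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    immer: { version: '9.0.6' },
    'react-dev-utils': {
      version: '11.0.4', dev: true,
      requires: { immer: '8.0.1' },
      dependencies: { immer: { version: '8.0.1', dev: true } },
    },
  },
};

const findings = findBelow(sampleLock, 'immer', PATCHED);
console.log(findings);
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` to `findBelow` in place of `sampleLock`.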