Should NPM audit security vulnerabilities be taken seriously? #17220
Comments
There is an interesting article about this topic: npm audit: Broken by Design
IMHO, 18 high and 2 critical MUST be fixed.
I do think they should be taken seriously. Right now I am seeing a huge amount of npm vulnerabilities coming from storybook's packages... from this PR forumone/gesso#564 it looks like it will be included in 6.5, is that it?
Any news on this? The list is growing, a lot of high severity vulnerabilities.
@humarkx we're upgrading everything as part of 7.0 and will clear the decks with that. Furthermore, we'll be doing more frequent major releases after 7.0 to keep the list down. Thanks for your patience!
Sounds really great, @shilman. One note, though: if you want to get to the bottom of this, it won't be enough to just upgrade the packages. You will also have to shred some of the old packages that Storybook relies on. Example: the just released Storybook 6.5 adds
@janaagaard75 yes, we will be dealing with it, e.g. #18277
@shilman how long before 7 ships? Storybook packages are getting flagged by our internal audit process, and if this is still going to take months we may need to bin storybook entirely.
Storybook 7 improves on the number of vulnerabilities, but they do remove them all.
We were able to keep using Storybook by arguing that our Storybook pages are deployed separately from the rest of the app, that they aren't critical, and that a lot of Storybook's logic is done in the compilation step, so a vulnerable dependency isn't necessarily included in the compiled code, and by mentioning some of the points from npm audit: Broken by Design.
Are there any updates yet? It would be great if there were 0 vulnerabilities with version 7.0. :-)
I am currently showing 21 High vulnerabilities.
@janaagaard75 storybook 7 is still WIP. I hope to get rid of the high severity vulnerabilities before we ship.
Remember that you only have to have Storybook as a dev dependency, so as long as you skip dev when doing audits, your repos should be fine.
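The dev-vs-production split argued in the comments above, as an added example that is not code from this thread or from Storybook: it cross-checks an `npm audit --json` report against the lockfile so that advisories reachable only through devDependencies are reported separately from those that ship in production code. It assumes the npm 7+ audit JSON shape (`auditReportVersion` 2 with per-package `nodes`) and the lockfileVersion 2 `packages` map with its `dev` flag; all package names and advisories below are constructed placeholders.

```python
"""Triage `npm audit --json` findings into production vs dev-only buckets
by checking, in package-lock.json, whether every install location of the
flagged package is marked as reachable only via devDependencies."""
import json

# Constructed sample shaped like npm 7+ `npm audit --json` (auditReportVersion 2);
# package names are placeholders, not real advisories.
AUDIT_JSON = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "dev-only-lib": {"severity": "high", "isDirect": False,
                     "nodes": ["node_modules/dev-only-lib"]},
    "shared-lib": {"severity": "high", "isDirect": False,
                   "nodes": ["node_modules/shared-lib",
                             "node_modules/build-tool/node_modules/shared-lib"]},
    "prod-lib": {"severity": "moderate", "isDirect": True,
                 "nodes": ["node_modules/prod-lib"]}}})

# Constructed package-lock.json (lockfileVersion 2) fragment: npm marks an
# install location "dev": true only when it is reachable solely via devDependencies.
LOCK_JSON = json.dumps({"lockfileVersion": 2, "packages": {
    "node_modules/dev-only-lib": {"version": "1.0.0", "dev": True},
    "node_modules/shared-lib": {"version": "2.0.0"},
    "node_modules/build-tool/node_modules/shared-lib": {"version": "1.9.0", "dev": True},
    "node_modules/prod-lib": {"version": "0.3.0"}}})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def triage(audit_json, lock_json):
    """Split advisories into prod vs dev-only by checking every install node."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    packages = json.loads(lock_json)["packages"]
    result = {"prod": {}, "dev_only": {}}
    for name, vuln in vulns.items():
        nodes = vuln.get("nodes") or []
        # One production install location is enough to make it a prod finding;
        # a node missing from the lockfile is treated as prod (fail closed).
        dev_only = bool(nodes) and all(
            packages.get(n, {}).get("dev", False) for n in nodes)
        result["dev_only" if dev_only else "prod"][name] = vuln["severity"]
    return result

def gate(triaged, fail_level="high"):
    """True when no production finding is at or above fail_level."""
    limit = SEVERITY_RANK[fail_level]
    return all(SEVERITY_RANK[s] < limit for s in triaged["prod"].values())

if __name__ == "__main__":
    report = triage(AUDIT_JSON, LOCK_JSON)
    print(json.dumps(report, indent=2))
    print("production gate passes:", gate(report))
```

npm itself can produce the production-only view with `npm audit --omit=dev` (npm 8 and later); the lockfile cross-check above makes explicit why a package installed for both production and dev code, like `shared-lib` here, stays a production finding.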
AFAIK all high severity npm audit issues are fixed in SB7. To upgrade to the latest prerelease:
your upgrade process is amazing
I am as well. 6 from create-react-app and 21 from
Same happened to me today after
I discussed with a maintainer on the official Storybook discord server about the vulnerabilities. If you upgrade to Storybook 7.0 beta, it reduces the amount of errors from 21 high severity errors down to 3 moderate & 3 high severity errors. There is currently a PR in the works about updating some modules to remove these security vulnerabilities. See: #18155 (comment).
Describe the bug
I made a package.json setup that installs the latest packages of storybook for my webapp and I get an alarming number of security issues.
To Reproduce
I set up a node project that installs the following packages:
"@storybook/addon-actions": "^6.4.9",
"@storybook/addon-essentials": "^6.4.9",
"@storybook/addon-links": "^6.4.9",
"@storybook/node-logger": "^6.4.9",
"@storybook/preset-create-react-app": "^3.2.0",
"@storybook/react": "^6.4.9"
and got
43 vulnerabilities (23 moderate, 18 high, 2 critical)