
CLI: Fix security report around download-tarball package #21201

Merged
merged 4 commits into from
Mar 1, 2023

Conversation

ndelangen (Member)

Closes #18155

What I did

I forked the package, and released a modern version to npm.
This upgrades storybook to use that fork.

@ndelangen ndelangen changed the title Norbert/download-tarball-security-fork Fix: security report around download-tarball package Feb 22, 2023
@ndelangen ndelangen self-assigned this Feb 22, 2023
@ndelangen ndelangen added the maintenance User-facing maintenance tasks label Feb 22, 2023
@shilman shilman changed the title Fix: security report around download-tarball package CLI: Fix security report around download-tarball package Mar 1, 2023
@shilman shilman added the cli label Mar 1, 2023
socket-security bot commented Mar 1, 2023

Socket Security Pull Request Report

Dependency issues detected: If you merge this pull request, you will not be alerted to the instances of these issues again.

⚠️ Uses eval

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.


@shilman shilman merged commit ffa814e into next Mar 1, 2023
@shilman shilman deleted the norbert/download-tarball-security-fork branch March 1, 2023 12:26
@freakzlike

@ndelangen
I've noticed that this package adds a lot of unnecessary dependencies. Opened a PR in the repo ndelangen/download-tarball#2

Successfully merging this pull request may close these issues.

Please upgrade dependencies to fix audit failures