GoogleChromeLabs / ps-analysis-tool

Privacy Sandbox Analysis Chrome Extension and CLI for analysis and understanding of cookie usage on web pages, and new privacy-preserving Chrome APIs
https://www.privacysandbox.com
Apache License 2.0

4 High Severity Vulnerabilities with npm audit #701

Closed milindmore22 closed 4 months ago

milindmore22 commented 4 months ago

Describe the bug
I recently ran npm audit and discovered 4 high severity vulnerabilities in my project's dependencies. This is a critical security issue that needs to be addressed immediately.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the terminal where you cloned the repo.
  2. Run git checkout main
  3. Run npm audit
  4. Note the error on the CLI screen, as below:
# npm audit report
ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install storybook@6.5.16, which is a breaking change
node_modules/ip
  @storybook/core-server  *
  Depends on vulnerable versions of ip
  node_modules/@storybook/core-server
    @storybook/cli  <=0.0.0-pr-27418-sha-ab9c6633 || >=6.5.17-alpha.0
    Depends on vulnerable versions of @storybook/core-server
    node_modules/@storybook/cli
      storybook  <=0.0.0-pr-27418-sha-ab9c6633 || >=6.5.17-alpha.0
      Depends on vulnerable versions of @storybook/cli
      node_modules/storybook

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected behavior
There should not be any high-risk vulnerabilities.

Screenshots
[Image: Screen Shot 2024-06-03 at 3 27 05 PM]


mohdsayed commented 4 months ago
  1. npm run fix --force is unable to fix it.
  2. I tried to use the latest storybook version on an empty npm package and I still get the same vulnerabilities
➜  storybook-test npm audit report
# npm audit report

ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install storybook@6.5.16, which is a breaking change
node_modules/ip
  @storybook/core-server  *
  Depends on vulnerable versions of ip
  node_modules/@storybook/core-server
    @storybook/cli  <=0.0.0-pr-27522-sha-b32386a1 || >=6.5.17-alpha.0
    Depends on vulnerable versions of @storybook/core-server
    node_modules/@storybook/cli
      storybook  <=0.0.0-pr-27522-sha-b32386a1 || >=6.5.17-alpha.0
      Depends on vulnerable versions of @storybook/cli
      node_modules/storybook

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

It appears that this needs to be fixed in storybook. Related: https://github.com/storybookjs/storybook/issues/26014

As storybook is currently not a hard dependency for PSAT, I am going to temporarily remove the storybook package dependencies from package.json until it is fixed in an upcoming storybook version, or we have a solution for it.
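The remediation above follows from the dependency chain in the report: `ip` is reached only through `storybook`, which the project lists as a dev tool, and the only automatic fix npm offers is a semver-major change. The following Node script is an added example, not code from the issue or from ps-analysis-tool. It walks a constructed `npm audit --json` (auditReportVersion 2) report back from each root-cause advisory to the direct dependencies that pull it in, then checks a constructed package.json excerpt to see whether those direct dependencies are dev-only and whether the offered fix is breaking. The JSON field names (`via`, `effects`, `isDirect`, `fixAvailable`) are npm's; the node paths, the `^8.1.0` version string and the package.json contents are assumptions made to mirror the text report quoted in the comments.

```javascript
'use strict';

// CONSTRUCTED sample mirroring the text report in this issue, in the shape of
// `npm audit --json` (auditReportVersion 2). Version strings are illustrative.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    ip: {
      name: 'ip', severity: 'high', isDirect: false, range: '*',
      // An object in `via` is an advisory: this package is a root cause.
      via: [{ name: 'ip', dependency: 'ip', severity: 'high', range: '*',
              title: 'ip SSRF improper categorization in isPublic',
              url: 'https://github.com/advisories/GHSA-2p57-rm9w-gvfp' }],
      effects: ['@storybook/core-server'], nodes: ['node_modules/ip'],
      fixAvailable: { name: 'storybook', version: '6.5.16', isSemVerMajor: true },
    },
    '@storybook/core-server': {
      name: '@storybook/core-server', severity: 'high', isDirect: false, range: '*',
      // A string in `via` means "vulnerable only because it depends on that package".
      via: ['ip'], effects: ['@storybook/cli'], nodes: ['node_modules/@storybook/core-server'],
      fixAvailable: { name: 'storybook', version: '6.5.16', isSemVerMajor: true },
    },
    '@storybook/cli': {
      name: '@storybook/cli', severity: 'high', isDirect: false, range: '>=6.5.17-alpha.0',
      via: ['@storybook/core-server'], effects: ['storybook'], nodes: ['node_modules/@storybook/cli'],
      fixAvailable: { name: 'storybook', version: '6.5.16', isSemVerMajor: true },
    },
    storybook: {
      name: 'storybook', severity: 'high', isDirect: true, range: '>=6.5.17-alpha.0',
      via: ['@storybook/cli'], effects: [], nodes: ['node_modules/storybook'],
      fixAvailable: { name: 'storybook', version: '6.5.16', isSemVerMajor: true },
    },
  },
};

// CONSTRUCTED package.json excerpt (assumed): storybook is a dev-only dependency.
const packageJson = {
  dependencies: {},
  devDependencies: { storybook: '^8.1.0' },
};

// Root causes are the entries whose `via` carries at least one advisory object;
// everything else in the report is downstream of one of them.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === 'object' && x !== null))
    .map((v) => ({
      name: v.name,
      advisories: v.via.filter((x) => typeof x === 'object' && x !== null).map((a) => a.url),
    }));
}

// Follow `effects` edges from a vulnerable package up to the packages named
// directly in package.json. A path is recorded at every direct dependency and
// at every dead end; cycles are cut by refusing to revisit a package on the path.
function chainsToDirect(report, name) {
  const vulns = report.vulnerabilities;
  const chains = [];
  const walk = (pkg, path) => {
    const entry = vulns[pkg];
    if (!entry) return;
    const next = entry.effects.filter((e) => !path.includes(e));
    if (entry.isDirect || next.length === 0) chains.push(path);
    for (const e of next) walk(e, [...path, e]);
  };
  walk(name, [name]);
  return chains;
}

// For each root cause: the direct dependencies that drag it in, whether all of
// them are dev-only, and whether npm's only automatic fix is a semver-major one.
function triage(report, pkg) {
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  return rootCauses(report).map(({ name, advisories }) => {
    const chains = chainsToDirect(report, name);
    const direct = [...new Set(chains.map((c) => c[c.length - 1]))];
    const fix = report.vulnerabilities[name].fixAvailable;
    return {
      name,
      advisories,
      chains,
      directDependencies: direct,
      devOnly: direct.length > 0 && direct.every((d) => dev.has(d) && !prod.has(d)),
      breakingFixOnly: typeof fix === 'object' && fix !== null && fix.isSemVerMajor === true,
    };
  });
}

for (const t of triage(auditReport, packageJson)) {
  console.log(`${t.name}: ${t.advisories.join(', ')}`);
  for (const c of t.chains) console.log('  ' + c.join(' -> '));
  console.log(`  direct: ${t.directDependencies.join(', ')}; dev-only: ${t.devOnly}; breaking fix only: ${t.breakingFixOnly}`);
}
```

Against a real project, feed the script the output of `npm audit --json` and the real package.json; `npm ls ip` prints the same chain from the installed tree. When the direct dependencies are all dev-only and the advisory's `range` is `*` (no patched release to override to), the choices are the semver-major change npm proposes or dropping the dev dependency, which is what was done here.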

milindmore22 commented 4 months ago

Checked. Looks good 👍🏼