millisande / millisande-website


3 critical vulnerabilities #2

Open millisande opened 1 year ago

millisande commented 1 year ago

npm audit report

@adobe/css-tools  <4.3.1
Severity: moderate
@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS - https://github.com/advisories/GHSA-hpx4-r86g-5jrg
fix available via npm audit fix
node_modules/@adobe/css-tools

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via npm audit fix
node_modules/ansi-html
  @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
  Depends on vulnerable versions of ansi-html
  node_modules/@storybook/react/node_modules/@pmmmwh/react-refresh-webpack-plugin
    @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @storybook/core
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack
    node_modules/@storybook/react

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via npm audit fix
node_modules/@storybook/react/node_modules/browserslist
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/@storybook/react/node_modules/react-dev-utils
    @storybook/core  >=5.3.0-alpha.0
    Depends on vulnerable versions of @storybook/core-server
    Depends on vulnerable versions of cpy
    Depends on vulnerable versions of glob-base
    Depends on vulnerable versions of react-dev-utils
    node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core
    node_modules/@storybook/react/node_modules/@storybook/core
      @storybook/addon-docs  <=6.5.0-rc.1
      Depends on vulnerable versions of @mdx-js/loader
      Depends on vulnerable versions of @mdx-js/mdx
      Depends on vulnerable versions of @storybook/core
      Depends on vulnerable versions of @storybook/csf-tools
      node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs
        @storybook/addon-essentials  6.1.0-alpha.0 - 6.5.0-rc.1
        Depends on vulnerable versions of @storybook/addon-docs
        node_modules/@storybook/addon-essentials
      @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @storybook/core
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack
      node_modules/@storybook/react

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/cpy/node_modules/glob-parent
node_modules/glob-base/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/@storybook/core-common/node_modules/watchpack
      node_modules/@storybook/react/node_modules/watchpack
        webpack  4.44.0 - 4.47.0 || 5.0.0 - 5.75.0
        Depends on vulnerable versions of watchpack
        node_modules/@storybook/core-common/node_modules/webpack
        node_modules/@storybook/react/node_modules/webpack
        node_modules/webpack
          @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @storybook/core
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack
          node_modules/@storybook/react
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/cpy/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/cpy/node_modules/globby
      cpy  7.0.0 - 8.1.2
      Depends on vulnerable versions of globby
      node_modules/cpy
        @storybook/core  >=5.3.0-alpha.0
        Depends on vulnerable versions of @storybook/core-server
        Depends on vulnerable versions of cpy
        Depends on vulnerable versions of glob-base
        Depends on vulnerable versions of react-dev-utils
        node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core
        node_modules/@storybook/react/node_modules/@storybook/core
          @storybook/addon-docs  <=6.5.0-rc.1
          Depends on vulnerable versions of @mdx-js/loader
          Depends on vulnerable versions of @mdx-js/mdx
          Depends on vulnerable versions of @storybook/core
          Depends on vulnerable versions of @storybook/csf-tools
          node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs
            @storybook/addon-essentials  6.1.0-alpha.0 - 6.5.0-rc.1
            Depends on vulnerable versions of @storybook/addon-docs
            node_modules/@storybook/addon-essentials
        @storybook/core-server  <=7.0.0-rc.11
        Depends on vulnerable versions of @storybook/csf-tools
        Depends on vulnerable versions of cpy
        node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core/node_modules/@storybook/core-server
  glob-base
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base

graphql  16.3.0 - 16.8.0
Severity: moderate
graphql Uncontrolled Resource Consumption vulnerability - https://github.com/advisories/GHSA-9pv7-vfvm-6vr7
fix available via npm audit fix
node_modules/graphql

immer  <9.0.6
Severity: high
Prototype Pollution in immer - https://github.com/advisories/GHSA-c36v-fmgq-m8hx
fix available via npm audit fix
node_modules/@storybook/react/node_modules/immer
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/@storybook/react/node_modules/react-dev-utils
    @storybook/core  >=5.3.0-alpha.0
    Depends on vulnerable versions of @storybook/core-server
    Depends on vulnerable versions of cpy
    Depends on vulnerable versions of glob-base
    Depends on vulnerable versions of react-dev-utils
    node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core
    node_modules/@storybook/react/node_modules/@storybook/core
      @storybook/addon-docs  <=6.5.0-rc.1
      Depends on vulnerable versions of @mdx-js/loader
      Depends on vulnerable versions of @mdx-js/mdx
      Depends on vulnerable versions of @storybook/core
      Depends on vulnerable versions of @storybook/csf-tools
      node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs
        @storybook/addon-essentials  6.1.0-alpha.0 - 6.5.0-rc.1
        Depends on vulnerable versions of @storybook/addon-docs
        node_modules/@storybook/addon-essentials
      @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @storybook/core
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack
      node_modules/@storybook/react

loader-utils  2.0.0 - 2.0.3
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via npm audit fix
node_modules/@mdx-js/loader/node_modules/loader-utils
node_modules/@storybook/react/node_modules/loader-utils
  @mdx-js/loader  0.15.5 - 1.6.22
  Depends on vulnerable versions of @mdx-js/mdx
  Depends on vulnerable versions of loader-utils
  node_modules/@mdx-js/loader
    @storybook/addon-docs  <=6.5.0-rc.1
    Depends on vulnerable versions of @mdx-js/loader
    Depends on vulnerable versions of @mdx-js/mdx
    Depends on vulnerable versions of @storybook/core
    Depends on vulnerable versions of @storybook/csf-tools
    node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs
      @storybook/addon-essentials  6.1.0-alpha.0 - 6.5.0-rc.1
      Depends on vulnerable versions of @storybook/addon-docs
      node_modules/@storybook/addon-essentials
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/@storybook/react/node_modules/react-dev-utils
    @storybook/core  >=5.3.0-alpha.0
    Depends on vulnerable versions of @storybook/core-server
    Depends on vulnerable versions of cpy
    Depends on vulnerable versions of glob-base
    Depends on vulnerable versions of react-dev-utils
    node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core
    node_modules/@storybook/react/node_modules/@storybook/core
      @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @storybook/core
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack
      node_modules/@storybook/react

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via npm audit fix
node_modules/@storybook/react/node_modules/minimatch
  recursive-readdir  1.2.0 - 2.2.2
  Depends on vulnerable versions of minimatch
  node_modules/@storybook/react/node_modules/recursive-readdir
    react-dev-utils  0.5.2 - 12.0.0-next.60
    Depends on vulnerable versions of browserslist
    Depends on vulnerable versions of immer
    Depends on vulnerable versions of loader-utils
    Depends on vulnerable versions of recursive-readdir
    Depends on vulnerable versions of shell-quote
    node_modules/@storybook/react/node_modules/react-dev-utils
      @storybook/core  >=5.3.0-alpha.0
      Depends on vulnerable versions of @storybook/core-server
      Depends on vulnerable versions of cpy
      Depends on vulnerable versions of glob-base
      Depends on vulnerable versions of react-dev-utils
      node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core
      node_modules/@storybook/react/node_modules/@storybook/core
        @storybook/addon-docs  <=6.5.0-rc.1
        Depends on vulnerable versions of @mdx-js/loader
        Depends on vulnerable versions of @mdx-js/mdx
        Depends on vulnerable versions of @storybook/core
        Depends on vulnerable versions of @storybook/csf-tools
        node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs
          @storybook/addon-essentials  6.1.0-alpha.0 - 6.5.0-rc.1
          Depends on vulnerable versions of @storybook/addon-docs
          node_modules/@storybook/addon-essentials
        @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @storybook/core
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of webpack
        node_modules/@storybook/react

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix
node_modules/@babel/core/node_modules/semver
node_modules/@babel/eslint-parser/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@babel/helper-define-polyfill-provider/node_modules/semver
node_modules/@babel/plugin-transform-runtime/node_modules/semver
node_modules/@babel/preset-env/node_modules/semver
node_modules/@babel/register/node_modules/semver
node_modules/@mdx-js/mdx/node_modules/semver
node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/builder-webpack4/node_modules/@storybook/core-common/node_modules/semver
node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core/node_modules/make-dir/node_modules/semver
node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/make-dir/node_modules/semver
node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/semver
node_modules/@storybook/addon-essentials/node_modules/make-dir/node_modules/semver
node_modules/@storybook/addon-essentials/node_modules/postcss-loader/node_modules/semver
node_modules/@storybook/addon-essentials/node_modules/semver
node_modules/@storybook/core-common/node_modules/make-dir/node_modules/semver
node_modules/@storybook/core-common/node_modules/semver
node_modules/@storybook/react/node_modules/fork-ts-checker-webpack-plugin/node_modules/semver
node_modules/@storybook/react/node_modules/make-dir/node_modules/semver
node_modules/@storybook/react/node_modules/semver
node_modules/babel-plugin-polyfill-corejs2/node_modules/semver
node_modules/eslint-config-airbnb-base/node_modules/semver
node_modules/eslint-plugin-import/node_modules/semver
node_modules/eslint-plugin-jsx-a11y/node_modules/semver
node_modules/eslint-plugin-react/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/remark-mdx/node_modules/semver
node_modules/sane/node_modules/semver
node_modules/semver

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via npm audit fix
node_modules/@storybook/react/node_modules/shell-quote
  react-dev-utils  0.5.2 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/@storybook/react/node_modules/react-dev-utils
    @storybook/core  >=5.3.0-alpha.0
    Depends on vulnerable versions of @storybook/core-server
    Depends on vulnerable versions of cpy
    Depends on vulnerable versions of glob-base
    Depends on vulnerable versions of react-dev-utils
    node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core
    node_modules/@storybook/react/node_modules/@storybook/core
      @storybook/addon-docs  <=6.5.0-rc.1
      Depends on vulnerable versions of @mdx-js/loader
      Depends on vulnerable versions of @mdx-js/mdx
      Depends on vulnerable versions of @storybook/core
      Depends on vulnerable versions of @storybook/csf-tools
      node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs
        @storybook/addon-essentials  6.1.0-alpha.0 - 6.5.0-rc.1
        Depends on vulnerable versions of @storybook/addon-docs
        node_modules/@storybook/addon-essentials
      @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @storybook/core
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack
      node_modules/@storybook/react

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via npm audit fix
node_modules/tough-cookie

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via npm audit fix
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @mdx-js/loader  0.15.5 - 1.6.22
      Depends on vulnerable versions of @mdx-js/mdx
      Depends on vulnerable versions of loader-utils
      node_modules/@mdx-js/loader
        @storybook/addon-docs  <=6.5.0-rc.1
        Depends on vulnerable versions of @mdx-js/loader
        Depends on vulnerable versions of @mdx-js/mdx
        Depends on vulnerable versions of @storybook/core
        Depends on vulnerable versions of @storybook/csf-tools
        node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs
          @storybook/addon-essentials  6.1.0-alpha.0 - 6.5.0-rc.1
          Depends on vulnerable versions of @storybook/addon-docs
          node_modules/@storybook/addon-essentials
      @storybook/csf-tools  <=6.5.0-rc.1
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@storybook/csf-tools
        @storybook/core-server  <=7.0.0-rc.11
        Depends on vulnerable versions of @storybook/csf-tools
        Depends on vulnerable versions of cpy
        node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core/node_modules/@storybook/core-server
          @storybook/core  >=5.3.0-alpha.0
          Depends on vulnerable versions of @storybook/core-server
          Depends on vulnerable versions of cpy
          Depends on vulnerable versions of glob-base
          Depends on vulnerable versions of react-dev-utils
          node_modules/@storybook/addon-essentials/node_modules/@storybook/addon-docs/node_modules/@storybook/core
          node_modules/@storybook/react/node_modules/@storybook/core
            @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
            Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
            Depends on vulnerable versions of @storybook/core
            Depends on vulnerable versions of react-dev-utils
            Depends on vulnerable versions of webpack
            node_modules/@storybook/react
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

webpack  4.44.0 - 4.47.0 || 5.0.0 - 5.75.0
Severity: high
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
Depends on vulnerable versions of watchpack
fix available via npm audit fix
node_modules/@storybook/core-common/node_modules/webpack
node_modules/@storybook/react/node_modules/webpack
node_modules/webpack
  @storybook/react  6.1.0-alpha.0 - 6.4.12 || 6.5.0-alpha.1 - 6.5.0-rc.1
  Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
  Depends on vulnerable versions of @storybook/core
  Depends on vulnerable versions of react-dev-utils
  Depends on vulnerable versions of webpack
  node_modules/@storybook/react

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via npm audit fix
node_modules/word-wrap

34 vulnerabilities (6 moderate, 25 high, 3 critical)

millisande commented 1 year ago

Investigated fixing. Largely Storybook dependencies, which are not production facing. When updated, the Create React App shell stops working.

Decision is to change framework, as CRA is no longer supported by the React team. Astro has been recommended and seems like a good fit. Will require a major styling refactor as it doesn't play nice with styled-components.

Leaving this issue open as documentation that this is planned to be fixed as part of the migration work.
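The comment above rests on the claim that the findings are dev-only (Storybook tooling) and therefore not production facing. The fastest way to verify that is to re-run the audit against the production tree only (`npm audit --omit=dev`) and compare counts with the full report. The script below, an added example that is not part of this issue or the repository, does the same check offline from saved files: it joins the `nodes` paths in `npm audit --json` (auditReportVersion 2, npm 7 or newer) with the `packages` map of a lockfileVersion 2/3 package-lock.json, where an entry carries `"dev": true` when that path is reachable only through devDependencies. The two JSON documents embedded in it are constructed samples shaped after the report in this issue (package versions and the assumption that graphql is a production dependency are made up for the sample); the field names are the real npm formats.

```python
"""Classify npm audit findings as dev-only or production-reachable.

Added example, not code from this repository. Input formats assumed:
  * `npm audit --json` with "auditReportVersion": 2 (npm 7+), whose
    vulnerabilities[<name>]["nodes"] lists node_modules paths;
  * package-lock.json with lockfileVersion 2 or 3, whose "packages" map is
    keyed by the same paths and flags dev-only paths with "dev": true.
"""
import json
import sys

# Constructed sample of `npm audit --json`, trimmed to the fields used here.
# Paths and advisory URLs follow the issue's report; versions are invented.
AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "shell-quote": {
            "name": "shell-quote", "severity": "critical", "isDirect": False,
            "via": [{"title": "Improper Neutralization of Special Elements used in a Command in Shell-quote",
                     "url": "https://github.com/advisories/GHSA-g4rg-993r-mgx7", "range": "<=1.7.2"}],
            "effects": ["react-dev-utils"], "range": "<=1.7.2",
            "nodes": ["node_modules/@storybook/react/node_modules/shell-quote"],
            "fixAvailable": True,
        },
        "loader-utils": {
            "name": "loader-utils", "severity": "critical", "isDirect": False,
            "via": [{"title": "Prototype pollution in webpack loader-utils",
                     "url": "https://github.com/advisories/GHSA-76p3-8jx3-jpfq", "range": "2.0.0 - 2.0.3"}],
            "effects": ["@mdx-js/loader", "react-dev-utils"], "range": "2.0.0 - 2.0.3",
            "nodes": ["node_modules/@mdx-js/loader/node_modules/loader-utils",
                      "node_modules/@storybook/react/node_modules/loader-utils"],
            "fixAvailable": True,
        },
        # A transitive entry: "via" holds package names (strings), not advisories.
        "react-dev-utils": {
            "name": "react-dev-utils", "severity": "critical", "isDirect": False,
            "via": ["browserslist", "immer", "loader-utils", "recursive-readdir", "shell-quote"],
            "effects": ["@storybook/core"], "range": "0.5.2 - 12.0.0-next.60",
            "nodes": ["node_modules/@storybook/react/node_modules/react-dev-utils"],
            "fixAvailable": True,
        },
        "graphql": {
            "name": "graphql", "severity": "moderate", "isDirect": True,
            "via": [{"title": "graphql Uncontrolled Resource Consumption vulnerability",
                     "url": "https://github.com/advisories/GHSA-9pv7-vfvm-6vr7", "range": "16.3.0 - 16.8.0"}],
            "effects": [], "range": "16.3.0 - 16.8.0",
            "nodes": ["node_modules/graphql"], "fixAvailable": True,
        },
    },
})

# Constructed sample package-lock.json (lockfileVersion 3). For the sample,
# graphql is assumed to be a production dependency and Storybook a dev one.
LOCK_JSON = json.dumps({
    "name": "millisande-website", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "millisande-website",
             "dependencies": {"graphql": "^16.3.0"},
             "devDependencies": {"@storybook/react": "^6.4.0"}},
        "node_modules/graphql": {"version": "16.3.0"},
        "node_modules/@storybook/react": {"version": "6.4.0", "dev": True},
        "node_modules/@storybook/react/node_modules/react-dev-utils": {"version": "11.0.4", "dev": True},
        "node_modules/@storybook/react/node_modules/shell-quote": {"version": "1.7.2", "dev": True},
        "node_modules/@storybook/react/node_modules/loader-utils": {"version": "2.0.2", "dev": True},
        "node_modules/@mdx-js/loader/node_modules/loader-utils": {"version": "2.0.2", "dev": True},
    },
})


def classify(audit_json, lock_json):
    """Return {package: {severity, production, production_nodes, unresolved_nodes, advisories}}."""
    audit = json.loads(audit_json)
    lock = json.loads(lock_json)
    if audit.get("auditReportVersion") != 2:
        raise ValueError("expected an npm audit --json report with auditReportVersion 2 (npm 7+)")
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("package-lock.json must be lockfileVersion 2 or 3 to carry per-path dev flags")
    packages = lock["packages"]
    result = {}
    for name, vuln in audit["vulnerabilities"].items():
        prod_nodes, unresolved = [], []
        for node in vuln["nodes"]:
            entry = packages.get(node)
            if entry is None:
                # Audit output and lockfile disagree (stale install); do not assume dev-only.
                unresolved.append(node)
            elif not (entry.get("dev") or entry.get("devOptional")):
                prod_nodes.append(node)  # reachable from "dependencies", so it ships
        result[name] = {
            "severity": vuln["severity"],
            # Fail closed: a path we cannot resolve counts as production until proven otherwise.
            "production": bool(prod_nodes) or bool(unresolved),
            "production_nodes": prod_nodes,
            "unresolved_nodes": unresolved,
            # Only dict entries in "via" are advisories; strings are intermediate package names.
            "advisories": [v["url"] for v in vuln["via"] if isinstance(v, dict)],
        }
    return result


def summarize(classified):
    """Split the classification into (production-reachable, dev-only) package name lists."""
    prod = sorted(n for n, r in classified.items() if r["production"])
    dev_only = sorted(n for n, r in classified.items() if not r["production"])
    return prod, dev_only


if __name__ == "__main__":
    # Usage: npm audit --json > audit.json; python3 triage.py audit.json package-lock.json
    if len(sys.argv) == 3:
        audit_text, lock_text = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        audit_text, lock_text = AUDIT_JSON, LOCK_JSON  # fall back to the constructed sample
    prod, dev_only = summarize(classify(audit_text, lock_text))
    print("production-reachable:", ", ".join(prod) or "none")
    print("dev-only:", ", ".join(dev_only) or "none")
```

Run it on the real files (`npm audit --json > audit.json`, then pass `audit.json package-lock.json`) and the "production-reachable" list is the set that needs fixing before the migration, not after it. Two caveats: the lockfile must be in sync with the audit (a stale `package-lock.json` produces unresolved paths, which the script deliberately reports as production), and "dev-only" narrows the deployed site's exposure without removing it for the people running the tooling: the shell-quote command-injection advisory sits under react-dev-utils, code that executes on developer machines and CI runners, so the label is a prioritisation aid rather than a reason to ignore those entries.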