Open abdonrd opened 2 years ago
We already talked about this in the past with @Westbrook & @daKmoR:
https://lit-and-friends.slack.com/archives/C01JH6K4XFA/p1627390927451800
@daKmoR much of this derives from @mdjs/core issues in Rocket...
After updating to the new @web/dev-server-storybook@0.4.3 we have this:
After updating to the new @mdjs/core@0.9.3 we have this:
Good that we’re making some progress here. Did we get @mdjs/core added to open-wc? That means we’re close, but I’m not sure there’s a path to reducing those last two yet. I’ll try to get another look this week, but then I’m on vacation for a while and might not be able to get into the deep deep spelunking I’ve been doing so far until I get back.
Oops! The first one is from lit-analyzer, not from @web/dev-server-storybook.
glob-parent@^3.1.0
=>fast-glob@^2.2.6
=>lit-analyzer
And the second one:
trim@0.0.1
=>remark-parse@8.0.3
=>@mdx-js/mdx@^1.6.22
=>@storybook/csf-tools
trim@0.0.1
=>remark-parse@8.0.3
=>@mdx-js/mdx@^1.6.22
=>@web/dev-server-storybook
trim@0.0.1
=>remark-parse@8.0.3
=>@mdx-js/mdx@^1.6.22
=>storybook-addon-markdown-docs
trim@0.0.1
=>remark-parse@8.0.3
=>remark-mdx@1.6.22
=>@mdx-js/mdx
Enjoy your vacation! 🎉
Right now we just have:
There remain several vulnerabilities in @web/dev-server-storybook@1.0.7 - including trim. These are with transitive dependencies so not straightforward to resolve but worth tracking.
The npm audit output I see:
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @web/dev-server-storybook@0.0.2, which is a breaking change
node_modules/trim
remark-parse <=8.0.3
Depends on vulnerable versions of trim
node_modules/remark-parse
@mdx-js/mdx <=1.6.22
Depends on vulnerable versions of remark-mdx
Depends on vulnerable versions of remark-parse
node_modules/@mdx-js/mdx
@storybook/mdx1-csf *
Depends on vulnerable versions of @mdx-js/mdx
node_modules/@storybook/mdx1-csf
@storybook/csf-tools 6.5.0-alpha.1 - 6.5.17-alpha.0
Depends on vulnerable versions of @storybook/mdx1-csf
node_modules/@storybook/csf-tools
@web/dev-server-storybook <=0.0.0-canary-20230420104136 || >=0.1.0
Depends on vulnerable versions of @mdx-js/mdx
Depends on vulnerable versions of storybook-addon-markdown-docs
node_modules/@web/dev-server-storybook
storybook-addon-markdown-docs <=0.0.0-canary-20221203831 || >=0.1.0
Depends on vulnerable versions of @mdx-js/mdx
node_modules/storybook-addon-markdown-docs
remark-mdx <=1.6.22
Depends on vulnerable versions of remark-parse
node_modules/remark-mdx
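As an added example (not code from this thread or from the modern-web project): a script that walks an `npm audit --json` report (npm 7+ format, where each vulnerable package lists `via`, `effects` and `isDirect`) from the root advisory up to the project's direct dependencies, reconstructing chains like the ones listed earlier in the thread. The embedded audit data is a constructed sample modelled on the output quoted above and trimmed to the trim chains; the field names are assumed from the npm 7 report format.

```python
"""Walk an `npm audit --json` report (npm 7+ format) and list every dependency
chain from a root advisory up to a direct dependency of the project."""
import json

# Constructed sample, modelled on the audit output quoted in the thread and
# trimmed to the fields this script reads and to the chains involving trim.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "trim": {"isDirect": False, "effects": ["remark-parse"],
             "via": [{"title": "Regular Expression Denial of Service in trim",
                      "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq"}]},
    "remark-parse": {"isDirect": False, "via": ["trim"],
                     "effects": ["@mdx-js/mdx", "remark-mdx"]},
    "remark-mdx": {"isDirect": False, "via": ["remark-parse"], "effects": ["@mdx-js/mdx"]},
    "@mdx-js/mdx": {"isDirect": False, "via": ["remark-mdx", "remark-parse"],
                    "effects": ["@web/dev-server-storybook", "storybook-addon-markdown-docs"]},
    "storybook-addon-markdown-docs": {"isDirect": False, "via": ["@mdx-js/mdx"],
                                      "effects": ["@web/dev-server-storybook"]},
    "@web/dev-server-storybook": {"isDirect": True, "effects": [],
                                  "via": ["@mdx-js/mdx", "storybook-addon-markdown-docs"]},
}})


def root_advisories(vulns):
    """Packages with an actual advisory: their `via` holds objects, not just package names."""
    return sorted(n for n, v in vulns.items() if any(isinstance(x, dict) for x in v["via"]))


def chains_to_direct(vulns, start):
    """Depth-first walk along `effects` from `start` to every direct dependency."""
    chains, stack = [], [[start]]
    while stack:
        path = stack.pop()
        node = vulns[path[-1]]
        if node.get("isDirect") or not node["effects"]:
            chains.append(" => ".join(path))
        # `nxt not in path` guards against cycles in a malformed report
        stack.extend(path + [nxt] for nxt in node["effects"] if nxt in vulns and nxt not in path)
    return sorted(chains)


def report(audit_json):
    """Map each root advisory to its advisory URLs and every chain reaching a direct dep."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    return {root: {"advisories": [a["url"] for a in vulns[root]["via"] if isinstance(a, dict)],
                   "chains": chains_to_direct(vulns, root)} for root in root_advisories(vulns)}
```

On a real project, run `npm audit --json > audit.json` and call `report(open("audit.json").read())`; the chains tell you which direct dependency has to move before the transitive one can.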
We’ll be publishing more about this soon, but the current suggestion is to upgrade to our brand new storybook builder that supports storybook@7: https://modern-web.dev/docs/storybook-builder/overview/
With a fresh install of @web/dev-server-storybook we have this warning:
Because of these two dependencies:
trim
prismjs