modernweb-dev / web

Guides, tools and libraries for modern web development.
https://modern-web.dev
MIT License
2.22k stars 289 forks

[dev-server-storybook] Fix potential security vulnerabilities #1841

Open abdonrd opened 2 years ago

abdonrd commented 2 years ago

With a fresh install of the @web/dev-server-storybook we have this warning:

Screenshot 2022-01-07 at 12 25 32

Because these two dependencies:

Screenshot 2022-01-07 at 12 25 47

@web/dev-server-storybook@0.4.1 requires trim@0.0.1 via a transitive dependency on remark-parse@8.0.3

Screenshot 2022-01-07 at 12 26 03 (trim details)

@web/dev-server-storybook@0.4.1 requires prismjs@~1.17.0 via a transitive dependency on refractor@2.10.1

Screenshot 2022-01-07 at 12 26 23 (prismjs details)

abdonrd commented 2 years ago

We already talked about this in the past with @Westbrook & @daKmoR:

https://lit-and-friends.slack.com/archives/C01JH6K4XFA/p1627390927451800

Westbrook commented 2 years ago

@daKmoR much of this derives from @mdjs/core issues in Rocket...

abdonrd commented 2 years ago

After updating to the new @web/dev-server-storybook@0.4.3 we have this:

Screenshot 2022-02-22 at 15 59 52

abdonrd commented 2 years ago

After updating to the new @mdjs/core@0.9.3 we have this:

Screenshot 2022-03-07 at 16 58 42

Westbrook commented 2 years ago

Good that we’re making some progress here. Did we get @mdjs/core added to open-wc? That means we’re close, but I’m not sure there’s a path to reducing those last two yet. I’ll try to get another look this week, but then I’m on vacation for a while and might not be able to get into the deep deep spelunking I’ve been doing so far until I get back.

abdonrd commented 2 years ago

Oops! The first one is from lit-analyzer, not from @web/dev-server-storybook.

glob-parent@^3.1.0 => fast-glob@^2.2.6 => lit-analyzer

And the second one:

trim@0.0.1 => remark-parse@8.0.3 => @mdx-js/mdx@^1.6.22 => @storybook/csf-tools
trim@0.0.1 => remark-parse@8.0.3 => @mdx-js/mdx@^1.6.22 => @web/dev-server-storybook
trim@0.0.1 => remark-parse@8.0.3 => @mdx-js/mdx@^1.6.22 => storybook-addon-markdown-docs
trim@0.0.1 => remark-parse@8.0.3 => remark-mdx@1.6.22 => @mdx-js/mdx

Enjoy your vacation! 🎉

abdonrd commented 2 years ago

Right now we just have:

Screen Shot 2022-06-07 at 10 02 53

johnhunter commented 1 year ago

There remain several vulnerabilities in @web/dev-server-storybook@1.0.7, including trim. These are with transitive dependencies, so not straightforward to resolve, but worth tracking.

The npm audit output I see:

Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @web/dev-server-storybook@0.0.2, which is a breaking change
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @storybook/mdx1-csf  *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@storybook/mdx1-csf
        @storybook/csf-tools  6.5.0-alpha.1 - 6.5.17-alpha.0
        Depends on vulnerable versions of @storybook/mdx1-csf
        node_modules/@storybook/csf-tools
      @web/dev-server-storybook  <=0.0.0-canary-20230420104136 || >=0.1.0
      Depends on vulnerable versions of @mdx-js/mdx
      Depends on vulnerable versions of storybook-addon-markdown-docs
      node_modules/@web/dev-server-storybook
      storybook-addon-markdown-docs  <=0.0.0-canary-20221203831 || >=0.1.0
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/storybook-addon-markdown-docs
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx
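The dependency chains in this thread were written out by hand from output like the above; as an added example (not code from the thread or from the modernweb-dev/web project), the script below derives the same `trim => remark-parse => ...` chains from the JSON that `npm audit --json` emits. It assumes the npm 7+ report shape (`auditReportVersion` 2, with `via`, `effects` and `isDirect` per package); `sampleAudit` is a hand-constructed subset of such a report that mirrors the tree printed above.

```javascript
// Added example (not code from the modernweb-dev/web project): rebuild the
// "trim => remark-parse => ..." chains the thread lists by hand from the JSON
// that `npm audit --json` (npm 7+, auditReportVersion 2) emits. `sampleAudit`
// is a hand-constructed subset of such a report mirroring the thread's tree.
const sampleAudit = { auditReportVersion: 2, vulnerabilities: {} };
for (const [name, via, effects, isDirect = false] of [
  ['trim', [{ title: 'Regular Expression Denial of Service in trim',
    url: 'https://github.com/advisories/GHSA-w5p7-h5w8-2hfq' }], ['remark-parse']],
  ['remark-parse', ['trim'], ['@mdx-js/mdx', 'remark-mdx']],
  ['remark-mdx', ['remark-parse'], ['@mdx-js/mdx']],
  ['@mdx-js/mdx', ['remark-mdx', 'remark-parse'],
    ['@storybook/mdx1-csf', '@web/dev-server-storybook', 'storybook-addon-markdown-docs']],
  ['@storybook/mdx1-csf', ['@mdx-js/mdx'], ['@storybook/csf-tools']],
  ['@storybook/csf-tools', ['@storybook/mdx1-csf'], []],
  ['storybook-addon-markdown-docs', ['@mdx-js/mdx'], ['@web/dev-server-storybook']],
  ['@web/dev-server-storybook', ['@mdx-js/mdx', 'storybook-addon-markdown-docs'], [], true],
]) sampleAudit.vulnerabilities[name] = { name, severity: 'high', isDirect, via, effects };

// In the audit JSON, `via` holds an advisory object for the package that is
// itself vulnerable (package names only for transitively affected ones) and
// `effects` lists the packages one level up that depend on it. Walk `effects`
// from each advisory package out to the packages nothing else vulnerable uses.
function vulnerableChains(audit) {
  const vulns = audit.vulnerabilities;
  const chains = [];
  const walk = (name, path) => {
    if (!vulns[name] || path.includes(name)) return; // unknown node or cycle
    const here = path.concat(name);
    const dependants = (vulns[name].effects || []).filter((e) => vulns[e]);
    if (dependants.length === 0) chains.push(here.join(' => '));
    for (const dep of dependants) walk(dep, here);
  };
  for (const v of Object.values(vulns)) {
    if (v.via.some((src) => typeof src === 'object')) walk(v.name, []);
  }
  return chains;
}

// Which of the project's direct dependencies ultimately pull `pkg` in; this
// decides whether the fix is in the project's own hands or has to land upstream.
function directDependantsOf(audit, pkg) {
  const leaves = vulnerableChains(audit)
    .filter((c) => c === pkg || c.startsWith(`${pkg} => `))
    .map((c) => c.split(' => ').pop())
    .filter((leaf) => audit.vulnerabilities[leaf].isDirect);
  return [...new Set(leaves)].sort();
}
console.log(vulnerableChains(sampleAudit).join('\n'));
console.log('direct dependants of trim:', directDependantsOf(sampleAudit, 'trim'));
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse(require('fs').readFileSync('audit.json'))` in place of `sampleAudit`.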
Westbrook commented 1 year ago

We’ll be publishing more about this soon, but the current suggestion is to upgrade to our brand new storybook builder that supports storybook@7: https://modern-web.dev/docs/storybook-builder/overview/