Closed ghengeveld closed 1 year ago
New dependency changes detected. Learn more about Socket for GitHub.
🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.
To ignore an alert, reply with a comment starting with `@SocketSecurity ignore` followed by a space-separated list of `package-name@version` specifiers, e.g. `@SocketSecurity ignore foo@1.0.0 bar@*`, or ignore all packages with `@SocketSecurity ignore-all`.
@SocketSecurity ignore @storybook/cli@7.0.2
@SocketSecurity ignore storybook@7.0.2
@SocketSecurity ignore @storybook/telemetry@7.0.2
@SocketSecurity ignore address@1.2.2
@SocketSecurity ignore babel-plugin-istanbul@6.1.1
@SocketSecurity ignore better-opn@2.1.1
@SocketSecurity ignore chromatic@5.9.2
@SocketSecurity ignore commander@2.20.3
@SocketSecurity ignore commander@7.2.0
@SocketSecurity ignore cross-spawn@7.0.3
@SocketSecurity ignore envinfo@7.8.1
@SocketSecurity ignore esbuild@0.17.12
@SocketSecurity ignore execa@4.1.0
@SocketSecurity ignore execa@5.1.1
@SocketSecurity ignore gitlog@4.0.4
@SocketSecurity ignore jake@10.8.5
@SocketSecurity ignore jest-haste-map@29.5.0
@SocketSecurity ignore jest-worker@27.5.1
@SocketSecurity ignore jest-worker@29.5.0
@SocketSecurity ignore jscodeshift@0.14.0
@SocketSecurity ignore open@7.4.2
@SocketSecurity ignore open@8.4.2
@SocketSecurity ignore puppeteer-core@2.1.1
@SocketSecurity ignore shelljs@0.8.5
@SocketSecurity ignore tree-kill@1.2.2
@SocketSecurity ignore typescript@4.9.5
@SocketSecurity ignore update-browserslist-db@1.0.10
@SocketSecurity ignore v8flags@3.2.0
@SocketSecurity ignore @storybook/components@7.0.2
@SocketSecurity ignore @storybook/docs-mdx@0.1.0
@SocketSecurity ignore @storybook/manager@7.0.2
@SocketSecurity ignore @storybook/preview@7.0.2
@SocketSecurity ignore @storybook/router@7.0.2
@SocketSecurity ignore @yarnpkg/lockfile@1.1.0
@SocketSecurity ignore ajv@6.12.6
@SocketSecurity ignore ajv@8.11.0
@SocketSecurity ignore ajv@8.12.0
@SocketSecurity ignore core-js@3.17.3
@SocketSecurity ignore core-js-pure@3.29.0
@SocketSecurity ignore depd@2.0.0
@SocketSecurity ignore ejs@3.1.8
@SocketSecurity ignore handlebars@4.7.7
@SocketSecurity ignore is-callable@1.2.4
@SocketSecurity ignore is-generator-function@1.0.10
@SocketSecurity ignore js-yaml@3.14.1
@SocketSecurity ignore lodash@4.17.21
@SocketSecurity ignore object-inspect@1.12.2
@SocketSecurity ignore prettier@2.4.0
@SocketSecurity ignore prettier@2.8.4
@SocketSecurity ignore react-popper@1.3.11
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing, or could be a sign of a supply chain attack.
Consider removing one of the conflicting packages. Packages should only export bin scripts with their own name.
Package | Bin script | Source
---|---|---
@storybook/cli@7.0.2 (added) | sb | package.json via storybook@7.0.2
storybook@7.0.2 (added) | sb | package.json
This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Packages should avoid accessing the shell, which can reduce portability and make it easier for malicious shell access to be introduced.
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Avoid packages that use eval, since this could potentially execute any code.
:rocket: PR was released in v7.15.9
📦 Published PR as canary version: `7.15.9-canary.417.0af64e9.0`

:sparkles: Test out this PR locally via:

```bash
npm install @storybook/design-system@7.15.9-canary.417.0af64e9.0
# or
yarn add @storybook/design-system@7.15.9-canary.417.0af64e9.0
```