socket-security[bot]
commented
1 year ago Socket Security Pull Request Report
Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.
π Install scripts
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
| Package | Script field | Source |
|---|---|---|
| esbuild@0.15.18 (added) | postinstall |
package.json via tsup@6.5.0 |
| esbuild@0.16.17 (added) | postinstall |
package.json via @storybook/addon-essentials@7.0.0-beta.31, @storybook/core-common@7.0.0-beta.31 |
π΅βπ« Bin script confusion
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack
Consider removing one of the conflicting packages. Packages should only export bin scripts with their name
| Package | Bin script | Source |
|---|---|---|
| @storybook/cli@7.0.0-beta.31 (added) | sb |
package.json via storybook@7.0.0-beta.31 |
| storybook@7.0.0-beta.31 (added) | sb |
package.json |
Pull request report summary
| Issue | Status |
|---|---|
| Install scripts | β οΈ 2 issues |
| Native code | β 0 issues |
| Bin script confusion | β οΈ 2 issues |
| Bin script shell injection | β 0 issues |
| Unresolved require | β 0 issues |
| Invalid package.json | β 0 issues |
| HTTP dependency | β 0 issues |
| Git dependency | β 0 issues |
| Potential typo squat | β 0 issues |
| Known Malware | β 0 issues |
| Telemetry | β 0 issues |
| Protestware/Troll package | β 0 issues |
Bot Commands
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2
@SocketSecurity ignore esbuild@0.15.18@SocketSecurity ignore esbuild@0.16.17@SocketSecurity ignore @storybook/cli@7.0.0-beta.31@SocketSecurity ignore storybook@7.0.0-beta.31
Powered by socket.dev
Issue: https://github.com/storybookjs/storybook/issues/20145
What Changed
When
mdx1-csfwas created, it was designed to be interchangeable withmdx2-csf, which provided experimental MDX2 support in Storybook 6.5.Then, in Storybook 7.0, we evolved
mdx2-csfin a variety of ways:tsup'stories-mdx'tags to compiled storiesThe plan was to abandon
mdx1-csf, because MDX1 is now legacy. However, due to MDX1 => 2 upgrade pains, we decided to add opt-in transitional MDX1 support for people who are upgrading to SB7 and want a stopgap to view working MDX1 before going through the MDX2 upgrade process. See https://github.com/storybookjs/storybook/issues/20145This PR adopts the latest
mdx2-csfstructure and improvements and applies them tomdx1-csf. It corresponds to https://github.com/storybookjs/storybook/pull/20747 in the monorepo.How to test
See https://github.com/storybookjs/storybook/pull/20747
Change Type
maintenancedocumentationpatchminormajorπ¦ Published PR as canary version:
0.0.5--canary.19.89e7fd1.0:sparkles: Test out this PR locally via: ```bash npm install @storybook/mdx1-csf@0.0.5--canary.19.89e7fd1.0 # or yarn add @storybook/mdx1-csf@0.0.5--canary.19.89e7fd1.0 ```
Version
Published prerelease version:
v1.0.0-next.0Changelog
#### π₯ Breaking Change - Update to 7.0 / mdx2-csf structure [#19](https://github.com/storybookjs/mdx1-csf/pull/19) ([@shilman](https://github.com/shilman)) #### π Bug Fix - ReDoS attack patch [#17](https://github.com/storybookjs/mdx1-csf/pull/17) ([@iarmbears](https://github.com/iarmbears)) #### Authors: 2 - [@iarmbears](https://github.com/iarmbears) - Michael Shilman ([@shilman](https://github.com/shilman))