Closed shilman closed 1 year ago
Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Package | Script field | Source
---|---|---
esbuild@0.15.18 (added) | postinstall | package.json via tsup@6.5.0
esbuild@0.16.17 (added) | postinstall | package.json via @storybook/addon-essentials@7.0.0-beta.31, @storybook/core-common@7.0.0-beta.31
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack.
Consider removing one of the conflicting packages. Packages should only export bin scripts with their name.
Package | Bin script | Source
---|---|---
@storybook/cli@7.0.0-beta.31 (added) | sb | package.json via storybook@7.0.0-beta.31
storybook@7.0.0-beta.31 (added) | sb | package.json
Issue | Status
---|---
Install scripts | ⚠️ 2 issues
Native code | ✅ 0 issues
Bin script confusion | ⚠️ 2 issues
Bin script shell injection | ✅ 0 issues
Unresolved require | ✅ 0 issues
Invalid package.json | ✅ 0 issues
HTTP dependency | ✅ 0 issues
Git dependency | ✅ 0 issues
Potential typo squat | ✅ 0 issues
Known Malware | ✅ 0 issues
Telemetry | ✅ 0 issues
Protestware/Troll package | ✅ 0 issues
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

```
@SocketSecurity ignore esbuild@0.15.18
@SocketSecurity ignore esbuild@0.16.17
@SocketSecurity ignore @storybook/cli@7.0.0-beta.31
@SocketSecurity ignore storybook@7.0.0-beta.31
```
Powered by socket.dev
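The two alert classes in the bot report above (install-time lifecycle scripts and two packages exporting the same bin name) are easy to reproduce locally before trusting a lockfile change. The following is an added example, not code from this PR, from Storybook, or from Socket: it runs the same two checks, plus a check for packages whose bin name differs from their own package name, over a set of package.json manifests. The manifests, command strings and paths are constructed for illustration and are shaped like the flagged packages; a real run would load every `node_modules/**/package.json` instead. The function names are this example's own.

```javascript
// Added example, not code from this PR or from Socket: re-create the two
// Socket checks above (install scripts, bin-name collisions) over package.json
// manifests. SAMPLE_MANIFESTS is constructed for illustration; a real audit
// would read every node_modules/**/package.json.

// Lifecycle hooks npm runs when a dependency is installed from the registry.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Constructed sample manifests shaped like the packages flagged above.
// Command and path strings are illustrative, not copied from the real packages.
const SAMPLE_MANIFESTS = [
  { name: 'esbuild', version: '0.15.18',
    scripts: { postinstall: 'node install.js' }, bin: { esbuild: 'bin/esbuild' } },
  { name: 'esbuild', version: '0.16.17',
    scripts: { postinstall: 'node install.js' }, bin: { esbuild: 'bin/esbuild' } },
  { name: '@storybook/cli', version: '7.0.0-beta.31', bin: { sb: './bin/index.js' } },
  { name: 'storybook', version: '7.0.0-beta.31', bin: { sb: './index.js' } },
  { name: 'tsup', version: '6.5.0', bin: 'dist/cli-default.js' },
];

// Last path segment of a package name: '@storybook/cli' -> 'cli'.
function unscopedName(pkgName) {
  return pkgName.split('/').pop();
}

// `bin` may be a string (one command named after the package) or an object
// mapping command name -> script path; return the command names either way.
function binNames(manifest) {
  const bin = manifest.bin;
  if (!bin) return [];
  if (typeof bin === 'string') return [unscopedName(manifest.name)];
  return Object.keys(bin);
}

// Every package that declares a hook which executes at install time.
function findInstallScripts(manifests) {
  const hits = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (Object.prototype.hasOwnProperty.call(scripts, hook)) {
        hits.push({ pkg: `${m.name}@${m.version}`, hook, command: scripts[hook] });
      }
    }
  }
  return hits;
}

// Command names exported by more than one distinct package. Which one ends up
// in node_modules/.bin depends on install order, hence "non-deterministic".
function findBinConflicts(manifests) {
  const owners = new Map();
  for (const m of manifests) {
    for (const name of binNames(m)) {
      if (!owners.has(name)) owners.set(name, new Set());
      owners.get(name).add(m.name);
    }
  }
  const conflicts = [];
  for (const [bin, pkgs] of owners) {
    if (pkgs.size > 1) conflicts.push({ bin, packages: [...pkgs].sort() });
  }
  return conflicts;
}

// Packages exporting a command that is not their own (unscoped) name, the
// pattern behind the "should only export bin scripts with their name" advice.
function findForeignBins(manifests) {
  const hits = [];
  for (const m of manifests) {
    for (const name of binNames(m)) {
      if (name !== unscopedName(m.name)) hits.push({ pkg: m.name, bin: name });
    }
  }
  return hits;
}

// One human-readable line per finding.
function report(manifests) {
  const lines = [];
  for (const h of findInstallScripts(manifests)) lines.push(`install script: ${h.pkg} ${h.hook} -> ${h.command}`);
  for (const c of findBinConflicts(manifests)) lines.push(`bin conflict: "${c.bin}" from ${c.packages.join(', ')}`);
  for (const f of findForeignBins(manifests)) lines.push(`foreign bin: ${f.pkg} exports "${f.bin}"`);
  return lines;
}

console.log(report(SAMPLE_MANIFESTS).join('\n'));
```

On the sample data this reports the two esbuild postinstall hooks, the `sb` collision between @storybook/cli and storybook, and both of those packages as exporting a bin that is not their own name. If an install-script finding cannot be justified, `npm ci --ignore-scripts` (or `npm install --ignore-scripts`) installs the tree without running any of those hooks, which is the cheapest way to neutralise the class of risk the bot describes while the alert is investigated.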
Issue: https://github.com/storybookjs/storybook/issues/20145
What Changed

When `mdx1-csf` was created, it was designed to be interchangeable with `mdx2-csf`, which provided experimental MDX2 support in Storybook 6.5. Then, in Storybook 7.0, we evolved `mdx2-csf` in a variety of ways:

- `tsup`
- `'stories-mdx'` tags to compiled stories

The plan was to abandon `mdx1-csf`, because MDX1 is now legacy. However, due to MDX1 => 2 upgrade pains, we decided to add opt-in transitional MDX1 support for people who are upgrading to SB7 and want a stopgap to view working MDX1 before going through the MDX2 upgrade process. See https://github.com/storybookjs/storybook/issues/20145

This PR adopts the latest `mdx2-csf` structure and improvements and applies them to `mdx1-csf`. It corresponds to https://github.com/storybookjs/storybook/pull/20747 in the monorepo.

How to test

See https://github.com/storybookjs/storybook/pull/20747
Change Type

- maintenance
- documentation
- patch
- minor
- major
📦 Published PR as canary version: `0.0.5--canary.19.89e7fd1.0`

✨ Test out this PR locally via:

```bash
npm install @storybook/mdx1-csf@0.0.5--canary.19.89e7fd1.0
# or
yarn add @storybook/mdx1-csf@0.0.5--canary.19.89e7fd1.0
```
Version

Published prerelease version: `v1.0.0-next.0`

Changelog

#### 💥 Breaking Change

- Update to 7.0 / mdx2-csf structure [#19](https://github.com/storybookjs/mdx1-csf/pull/19) ([@shilman](https://github.com/shilman))

#### 🐛 Bug Fix

- ReDoS attack patch [#17](https://github.com/storybookjs/mdx1-csf/pull/17) ([@iarmbears](https://github.com/iarmbears))

#### Authors: 2

- [@iarmbears](https://github.com/iarmbears)
- Michael Shilman ([@shilman](https://github.com/shilman))