Closed shilman closed 1 year ago
New dependency changes detected. Learn more about Socket for GitHub ↗︎
🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of package-name@version
specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@*
or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore esbuild@0.17.14
@SocketSecurity ignore babel-plugin-istanbul@6.1.1
@SocketSecurity ignore commander@2.20.3
@SocketSecurity ignore commander@9.5.0
@SocketSecurity ignore cross-spawn@7.0.3
@SocketSecurity ignore envinfo@7.8.1
@SocketSecurity ignore execa@5.1.1
@SocketSecurity ignore fb-watchman@2.0.2
@SocketSecurity ignore gitlog@4.0.4
@SocketSecurity ignore jake@10.8.5
@SocketSecurity ignore jest-worker@27.5.1
@SocketSecurity ignore jscodeshift@0.14.0
@SocketSecurity ignore jsdom@16.7.0
@SocketSecurity ignore pidtree@0.6.0
@SocketSecurity ignore requireg@0.2.2
@SocketSecurity ignore shelljs@0.8.5
@SocketSecurity ignore tree-kill@1.2.2
@SocketSecurity ignore ts-node@10.9.1
@SocketSecurity ignore typescript@4.9.4
@SocketSecurity ignore update-browserslist-db@1.0.10
@SocketSecurity ignore webpack@5.75.0
@SocketSecurity ignore ajv@6.12.6
@SocketSecurity ignore depd@2.0.0
@SocketSecurity ignore ejs@3.1.8
@SocketSecurity ignore expect@27.5.1
@SocketSecurity ignore handlebars@4.7.7
@SocketSecurity ignore is-callable@1.2.7
@SocketSecurity ignore jest-diff@27.5.1
@SocketSecurity ignore js-yaml@3.14.1
@SocketSecurity ignore lodash@4.17.21
@SocketSecurity ignore object-inspect@1.12.3
@SocketSecurity ignore prettier@2.8.3
@SocketSecurity ignore pretty-format@27.5.1
@SocketSecurity ignore rollup@3.10.1
@SocketSecurity ignore telejson@7.0.4
@SocketSecurity ignore tsup@6.5.0
@SocketSecurity ignore uglify-js@3.17.4
@SocketSecurity ignore await-to-js@3.0.0
@SocketSecurity ignore bottleneck@2.19.5
@SocketSecurity ignore get-intrinsic@1.2.0
@SocketSecurity ignore loader-runner@4.3.0
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Package | Script field | Source |
---|---|---|
esbuild@0.17.14 (upgraded) | postinstall |
package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0, tsup@6.5.0 |
This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Avoid packages that use eval, since this could potentially execute any code.
Update version dependency to point include 7.0 support. Will publish a major release as a follow-on step next week.
📦 Published PR as canary version:
0.0.5--canary.22.909f1b7.0
:sparkles: Test out this PR locally via: ```bash npm install @storybook/mdx1-csf@0.0.5--canary.22.909f1b7.0 # or yarn add @storybook/mdx1-csf@0.0.5--canary.22.909f1b7.0 ```
Version
Published prerelease version:
v1.0.0-next.3
Changelog
#### 💥 Breaking Change - Update to 7.0 / mdx2-csf structure [#19](https://github.com/storybookjs/mdx1-csf/pull/19) ([@shilman](https://github.com/shilman)) #### 🐛 Bug Fix - Upgrade to SB7.0 [#22](https://github.com/storybookjs/mdx1-csf/pull/22) ([@shilman](https://github.com/shilman)) - Throw descriptive error when 'of' prop is detected [#21](https://github.com/storybookjs/mdx1-csf/pull/21) ([@JReinhold](https://github.com/JReinhold)) - Move mdx import out of loader into compile [#20](https://github.com/storybookjs/mdx1-csf/pull/20) ([@shilman](https://github.com/shilman)) - ReDoS attack patch [#17](https://github.com/storybookjs/mdx1-csf/pull/17) ([@iarmbears](https://github.com/iarmbears)) #### Authors: 3 - [@iarmbears](https://github.com/iarmbears) - Jeppe Reinhold ([@JReinhold](https://github.com/JReinhold)) - Michael Shilman ([@shilman](https://github.com/shilman))