search

storybookjs / mdx1-csf

MDX to CSF compiler using MDXv1
MIT License
4 stars 12 forks source link

Release 1.0.0 #23

Closed shilman closed 1 year ago

shilman commented 1 year ago

For SB 7.0 release

socket-security[bot] commented 1 year ago

New dependency changes detected. Learn more about Socket for GitHub ↗︎

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore core-js@3.27.2
  • @SocketSecurity ignore esbuild@0.17.14
  • @SocketSecurity ignore jest@27.5.1
  • @SocketSecurity ignore jest-cli@27.5.1
  • @SocketSecurity ignore @auto-it/core@10.37.6
  • @SocketSecurity ignore @auto-it/npm@10.37.6
  • @SocketSecurity ignore @aw-web-design/x-default-browser@1.4.88
  • @SocketSecurity ignore babel-plugin-istanbul@6.1.1
  • @SocketSecurity ignore commander@2.20.3
  • @SocketSecurity ignore commander@9.5.0
  • @SocketSecurity ignore cross-spawn@7.0.3
  • @SocketSecurity ignore envinfo@7.8.1
  • @SocketSecurity ignore execa@5.1.1
  • @SocketSecurity ignore fb-watchman@2.0.2
  • @SocketSecurity ignore gitlog@4.0.4
  • @SocketSecurity ignore jake@10.8.5
  • @SocketSecurity ignore jest-haste-map@29.3.1
  • @SocketSecurity ignore jest-worker@27.5.1
  • @SocketSecurity ignore jest-worker@29.3.1
  • @SocketSecurity ignore jscodeshift@0.14.0
  • @SocketSecurity ignore jsdom@16.7.0
  • @SocketSecurity ignore pidtree@0.6.0
  • @SocketSecurity ignore requireg@0.2.2
  • @SocketSecurity ignore shelljs@0.8.5
  • @SocketSecurity ignore tree-kill@1.2.2
  • @SocketSecurity ignore ts-node@10.9.1
  • @SocketSecurity ignore typescript@4.9.4
  • @SocketSecurity ignore update-browserslist-db@1.0.10
  • @SocketSecurity ignore webpack@5.75.0
  • @SocketSecurity ignore @sinclair/typebox@0.24.51
  • @SocketSecurity ignore @storybook/components@7.0.0
  • @SocketSecurity ignore @storybook/router@7.0.0
  • @SocketSecurity ignore ajv@6.12.6
  • @SocketSecurity ignore depd@2.0.0
  • @SocketSecurity ignore ejs@3.1.8
  • @SocketSecurity ignore expect@27.5.1
  • @SocketSecurity ignore handlebars@4.7.7
  • @SocketSecurity ignore is-callable@1.2.7
  • @SocketSecurity ignore jest-diff@27.5.1
  • @SocketSecurity ignore js-yaml@3.14.1
  • @SocketSecurity ignore lodash@4.17.21
  • @SocketSecurity ignore object-inspect@1.12.3
  • @SocketSecurity ignore prettier@2.8.3
  • @SocketSecurity ignore pretty-format@27.5.1
  • @SocketSecurity ignore rollup@3.10.1
  • @SocketSecurity ignore telejson@7.0.4
  • @SocketSecurity ignore tsup@6.5.0
  • @SocketSecurity ignore uglify-js@3.17.4
  • @SocketSecurity ignore @storybook/blocks@7.0.0
  • @SocketSecurity ignore await-to-js@3.0.0
📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package Script field Source
core-js@3.27.2 (upgraded) postinstall package.json via @storybook/addon-interactions@7.0.0, @storybook/testing-library@0.0.14-next.1
esbuild@0.17.14 (added) postinstall package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0, tsup@6.5.0
😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name

Package Bin script Source
jest@27.5.1 (upgraded) jest package.json via ts-jest@27.1.5
jest-cli@27.5.1 (upgraded) jest package.json via jest@27.5.1, ts-jest@27.1.5
⚠️ Shell access

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Package Module Location Source
@auto-it/core@10.37.6 (upgraded) child_process dist/tests/auto-make-changelog.test.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/tests/auto.test.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/tests/get-current-branch.test.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/tests/get-remote.test.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/tests/release.test.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/auto.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/release.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/utils/tests/load-plugin.test.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/utils/tests/verify-auth.test.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/utils/exec-promise.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/utils/get-current-branch.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/utils/load-plugins.js package.json via auto@10.37.6
@auto-it/core@10.37.6 (upgraded) child_process dist/utils/verify-auth.js package.json via auto@10.37.6
@auto-it/npm@10.37.6 (upgraded) child_process dist/index.js package.json via auto@10.37.6
@aw-web-design/x-default-browser@1.4.88 (added) child_process src/detect-linux.js package.json via storybook@7.0.0
@aw-web-design/x-default-browser@1.4.88 (added) child_process src/detect-windows.js package.json via storybook@7.0.0
@aw-web-design/x-default-browser@1.4.88 (added) child_process src/detect-windows10.js package.json via storybook@7.0.0
babel-plugin-istanbul@6.1.1 (upgraded) child_process lib/index.js package.json via @storybook/addon-essentials@7.0.0, babel-jest@27.5.1, jest@27.5.1, ts-jest@27.1.5
commander@2.20.3 (upgraded) child_process index.js package.json via @storybook/react-webpack5@7.0.0, babel-loader@8.3.0
commander@9.5.0 (upgraded) child_process lib/command.js package.json via lint-staged@13.1.0
cross-spawn@7.0.3 (upgraded) child_process index.js package.json via @storybook/react-webpack5@7.0.0, auto@10.37.6, jest@27.5.1, lint-staged@13.1.0, storybook@7.0.0, ts-jest@27.1.5, tsup@6.5.0
envinfo@7.8.1 (added) child_process dist/envinfo.js package.json via storybook@7.0.0
esbuild@0.17.14 (added) child_process install.js package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0, tsup@6.5.0
esbuild@0.17.14 (added) child_process lib/main.js package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0, tsup@6.5.0
execa@5.1.1 (upgraded) child_process index.js package.json via auto@10.37.6, jest@27.5.1, storybook@7.0.0, ts-jest@27.1.5, tsup@6.5.0
fb-watchman@2.0.2 (upgraded) child_process index.js package.json via @storybook/addon-essentials@7.0.0, babel-jest@27.5.1, jest@27.5.1, ts-jest@27.1.5
gitlog@4.0.4 (added) child_process dist/gitlog.cjs.development.js package.json via auto@10.37.6
gitlog@4.0.4 (added) child_process dist/gitlog.cjs.production.min.js package.json via auto@10.37.6
gitlog@4.0.4 (added) child_process dist/gitlog.esm.js package.json via auto@10.37.6
jake@10.8.5 (added) child_process jake-v10.8.5/jakefile.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/lib/package_task.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/lib/publish_task.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/lib/utils/index.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/concurrent.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/file_task.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/file.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/helpers.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/jakelib/rule.jake.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/publish_task.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/rule.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/selfdep.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/task_base.js package.json via storybook@7.0.0
jake@10.8.5 (added) child_process jake-v10.8.5/test/integration/task_base.js package.json via storybook@7.0.0
jest-haste-map@29.3.1 (upgraded) child_process build/crawlers/node.js package.json via @storybook/addon-essentials@7.0.0
jest-haste-map@29.3.1 (upgraded) child_process build/lib/isWatchmanInstalled.js package.json via @storybook/addon-essentials@7.0.0
jest-worker@27.5.1 (upgraded) child_process build/workers/ChildProcessWorker.js package.json via @storybook/react-webpack5@7.0.0, babel-jest@27.5.1, babel-loader@8.3.0, jest@27.5.1, ts-jest@27.1.5
jest-worker@29.3.1 (upgraded) child_process build/workers/ChildProcessWorker.js package.json via @storybook/addon-essentials@7.0.0
jscodeshift@0.14.0 (added) child_process dist/Runner.js package.json via storybook@7.0.0
jscodeshift@0.14.0 (added) child_process src/Runner.js package.json via storybook@7.0.0
jsdom@16.7.0 (upgraded) child_process lib/jsdom/living/xhr/XMLHttpRequest-impl.js package.json via jest@27.5.1, jest-environment-jsdom@27.5.1, ts-jest@27.1.5
pidtree@0.6.0 (added) child_process lib/bin.js package.json via lint-staged@13.1.0
requireg@0.2.2 (added) child_process lib/resolvers.js package.json via auto@10.37.6
shelljs@0.8.5 (added) child_process src/exec-child.js package.json via storybook@7.0.0
shelljs@0.8.5 (added) child_process src/exec.js package.json via storybook@7.0.0
tree-kill@1.2.2 (added) child_process index.js package.json via concurrently@7.6.0, tsup@6.5.0
ts-node@10.9.1 (added) child_process dist/child/spawn-child.js package.json via auto@10.37.6, jest@27.5.1, ts-jest@27.1.5, tsup@6.5.0
typescript@4.9.4 (upgraded) child_process lib/tsserver.js package.json via @storybook/react-webpack5@7.0.0, auto@10.37.6, jest@27.5.1, ts-jest@27.1.5, tsup@6.5.0
typescript@4.9.4 (upgraded) child_process lib/tsserver.js package.json via @storybook/react-webpack5@7.0.0, auto@10.37.6, jest@27.5.1, ts-jest@27.1.5, tsup@6.5.0
update-browserslist-db@1.0.10 (added) child_process check-npm-version.js package.json via @babel/core@7.20.12, @babel/preset-env@7.20.2, @babel/preset-react@7.18.6, @babel/preset-typescript@7.18.6, @mdx-js/mdx@1.6.22, @storybook/addon-actions@7.0.0, @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/addon-links@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, @storybook/testing-library@0.0.14-next.1, babel-jest@27.5.1, babel-loader@8.3.0, jest@27.5.1, storybook@7.0.0, ts-jest@27.1.5
update-browserslist-db@1.0.10 (added) child_process index.js package.json via @babel/core@7.20.12, @babel/preset-env@7.20.2, @babel/preset-react@7.18.6, @babel/preset-typescript@7.18.6, @mdx-js/mdx@1.6.22, @storybook/addon-actions@7.0.0, @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/addon-links@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, @storybook/testing-library@0.0.14-next.1, babel-jest@27.5.1, babel-loader@8.3.0, jest@27.5.1, storybook@7.0.0, ts-jest@27.1.5
webpack@5.75.0 (upgraded) child_process bin/webpack.js package.json via @storybook/react-webpack5@7.0.0, babel-loader@8.3.0
⚠️ Uses eval

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

Package Eval Type Location Source
@sinclair/typebox@0.24.51 (added) Function compiler/compiler.js package.json via @storybook/addon-essentials@7.0.0
@sinclair/typebox@0.24.51 (added) Function conditional/structural.js package.json via @storybook/addon-essentials@7.0.0
@sinclair/typebox@0.24.51 (added) Function errors/errors.js package.json via @storybook/addon-essentials@7.0.0
@sinclair/typebox@0.24.51 (added) Function value/cast.js package.json via @storybook/addon-essentials@7.0.0
@sinclair/typebox@0.24.51 (added) Function value/check.js package.json via @storybook/addon-essentials@7.0.0
@sinclair/typebox@0.24.51 (added) Function value/create.js package.json via @storybook/addon-essentials@7.0.0
@storybook/components@7.0.0 (upgraded) Function dist/formatter-UT3ZCDIS.mjs package.json via @storybook/addon-actions@7.0.0, @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react-webpack5@7.0.0
@storybook/components@7.0.0 (upgraded) Function dist/formatter-UT3ZCDIS.mjs package.json via @storybook/addon-actions@7.0.0, @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react-webpack5@7.0.0
@storybook/router@7.0.0 (upgraded) Function dist/chunk-NQZQ3SVL.mjs package.json via @storybook/addon-actions@7.0.0, @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/addon-links@7.0.0, @storybook/react-webpack5@7.0.0
@storybook/router@7.0.0 (upgraded) Function dist/index.js package.json via @storybook/addon-actions@7.0.0, @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/addon-links@7.0.0, @storybook/react-webpack5@7.0.0
@storybook/router@7.0.0 (upgraded) Function dist/utils.js package.json via @storybook/addon-actions@7.0.0, @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/addon-links@7.0.0, @storybook/react-webpack5@7.0.0
ajv@6.12.6 (upgraded) Function dist/ajv.bundle.js package.json via @storybook/react-webpack5@7.0.0, babel-loader@8.3.0
ajv@6.12.6 (upgraded) Function lib/compile/index.js package.json via @storybook/react-webpack5@7.0.0, babel-loader@8.3.0
core-js@3.27.2 (upgraded) Function internals/async-iterator-prototype.js package.json via @storybook/addon-interactions@7.0.0, @storybook/testing-library@0.0.14-next.1
depd@2.0.0 (upgraded) Function index.js package.json via @storybook/addon-actions@7.0.0, @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/addon-links@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, @storybook/testing-library@0.0.14-next.1, storybook@7.0.0
ejs@3.1.8 (added) Function ejs-v3.1.8/ejs.js package.json via storybook@7.0.0
ejs@3.1.8 (added) Function ejs-v3.1.8/ejs.js package.json via storybook@7.0.0
ejs@3.1.8 (added) Function ejs-v3.1.8/ejs.min.js package.json via storybook@7.0.0
ejs@3.1.8 (added) Function ejs-v3.1.8/ejs.min.js package.json via storybook@7.0.0
ejs@3.1.8 (added) Function ejs-v3.1.8/lib/ejs.js package.json via storybook@7.0.0
ejs@3.1.8 (added) Function ejs-v3.1.8/lib/ejs.js package.json via storybook@7.0.0
envinfo@7.8.1 (added) Function dist/envinfo.js package.json via storybook@7.0.0
envinfo@7.8.1 (added) Function dist/envinfo.js package.json via storybook@7.0.0
expect@27.5.1 (upgraded) Function build/index.js package.json via jest@27.5.1, ts-jest@27.1.5
expect@27.5.1 (upgraded) Function build/index.js package.json via jest@27.5.1, ts-jest@27.1.5
expect@27.5.1 (upgraded) Function build/index.js package.json via jest@27.5.1, ts-jest@27.1.5
expect@27.5.1 (upgraded) Function build/utils.js package.json via jest@27.5.1, ts-jest@27.1.5
handlebars@4.7.7 (added) Function dist/cjs/handlebars/compiler/javascript-compiler.js package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0
handlebars@4.7.7 (added) Function dist/cjs/handlebars/compiler/javascript-compiler.js package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0
handlebars@4.7.7 (added) Function dist/handlebars.amd.js package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0
handlebars@4.7.7 (added) Function dist/handlebars.amd.js package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0
handlebars@4.7.7 (added) Function dist/handlebars.amd.min.js package.json via @storybook/addon-essentials@7.0.0, @storybook/addon-interactions@7.0.0, @storybook/react@7.0.0, @storybook/react-webpack5@7.0.0, storybook@7.0.0
[handlebars@4.7.7](https://socket.dev/npm/package/handlebars/files/4.7.7/dist/handlebars.amd.min.js#T66621-66643