socket-security[bot]
commented
1 year ago New dependency changes detected. Learn more about Socket for GitHub ↗︎
🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.
Bot Commands
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore @storybook/cli@7.0.7@SocketSecurity ignore storybook@7.0.7@SocketSecurity ignore @storybook/telemetry@7.0.7@SocketSecurity ignore address@1.2.2@SocketSecurity ignore better-opn@2.1.1@SocketSecurity ignore open@7.4.2@SocketSecurity ignore open@8.4.2@SocketSecurity ignore puppeteer-core@2.1.1@SocketSecurity ignore @storybook/docs-mdx@0.1.0@SocketSecurity ignore @storybook/manager@7.0.7@SocketSecurity ignore @storybook/preview@7.0.7@SocketSecurity ignore esbuild-register@3.4.2@SocketSecurity ignore @storybook/csf-tools@7.0.7@SocketSecurity ignore terser@5.17.1@SocketSecurity ignore html-webpack-plugin@5.5.1@SocketSecurity ignore assert@2.0.0
😵💫 Bin script confusion
This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack
Consider removing one of the conflicting packages. Packages should only export bin scripts with their name
| Package | Bin script | Source |
|---|---|---|
| @storybook/cli@7.0.7 (added) | sb |
package.json via storybook@7.0.7 |
| storybook@7.0.7 (added) | sb |
package.json |
⚠️ Shell access
This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
| Package | Module | Location | Source |
|---|---|---|---|
| @storybook/cli@7.0.7 (added) | child_process | dist/generate.js | package.json via storybook@7.0.7 |
| @storybook/telemetry@7.0.7 (added) | child_process | dist/index.js | package.json via storybook@7.0.7 |
| @storybook/telemetry@7.0.7 (added) | child_process | dist/index.mjs | package.json via storybook@7.0.7 |
| address@1.2.2 (added) | child_process | lib/address.js | package.json via storybook@7.0.7 |
| better-opn@2.1.1 (added) | child_process | dist/index.js | package.json via storybook@7.0.7 |
| open@7.4.2 (added) | child_process | index.js | package.json via storybook@7.0.7 |
| open@8.4.2 (added) | child_process | index.js | package.json via storybook@7.0.7 |
| puppeteer-core@2.1.1 (added) | child_process | lib/Launcher.js | package.json via storybook@7.0.7 |
⚠️ Uses eval
Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Avoid packages that use eval, since this could potentially execute any code.
⚠️ New author
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.
| Package | New Author | Previous Author | Source |
|---|---|---|---|
| puppeteer-core@2.1.1 (added) | hanselfmu | mathias | package.json via storybook@7.0.7 |
| html-webpack-plugin@5.5.1 (upgraded) | evilebottnawi | jantimon | package.json via @storybook/react-webpack5@7.0.7 |
| assert@2.0.0 (added) | lukechilds | goto-bus-stop | package.json via @storybook/addon-essentials@7.0.7, storybook@7.0.7 |
Pull request alert summary
| Issue | Status |
|---|---|
| Install scripts | ✅ 0 issues |
| Native code | ✅ 0 issues |
| Bin script confusion | ⚠️ 2 issues |
| Bin script shell injection | ✅ 0 issues |
| Shell access | ⚠️ 8 issues |
| Uses eval | ⚠️ 43 issues |
| Unresolved require | ✅ 0 issues |
| Invalid package.json | ✅ 0 issues |
| HTTP dependency | ✅ 0 issues |
| Git dependency | ✅ 0 issues |
| GitHub dependency | ✅ 0 issues |
| New author | ⚠️ 3 issues |
| Potential typo squat | ✅ 0 issues |
| Known Malware | ✅ 0 issues |
| Telemetry | ✅ 0 issues |
| Protestware/Troll package | ✅ 0 issues |
📊 Modified Dependency Overview:
| ➕ Added Package | Capability Access | +/- Transitive Count |
Publisher |
|---|---|---|---|
| storybook@7.0.7 | None | +192 |
shilman |
| ⬆️ Updated Package | Version Diff | Added Capability Access | +/- Transitive Count |
Publisher |
|---|---|---|---|---|
| typescript@4.9.5 | 4.9.4...4.9.5 | None | +0/-0 |
typescript-bot |
| @storybook/addon-essentials@7.0.7 | 7.0.0...7.0.7 | None | +117/-111 |
shilman |
| @storybook/testing-library@0.0.14-next.2 | 0.0.14-next.1...0.0.14-next.2 | network | +20/-54 |
yannbf |
| @storybook/addon-links@7.0.7 | 7.0.0...7.0.7 | network | +16/-53 |
shilman |
| @storybook/addon-actions@7.0.7 | 7.0.0...7.0.7 | network | +19/-55 |
shilman |
| tsup@6.7.0 | 6.5.0...6.7.0 | environment | +31/-37 |
egoist |
| auto@10.46.0 | 10.37.6...10.46.0 | None | +12/-20 |
alisowski |
| @storybook/addon-interactions@7.0.7 | 7.0.0...7.0.7 | network | +69/-79 |
shilman |
| @types/lodash@4.14.194 | 4.14.191...4.14.194 | None | +0/-0 |
types |
| @storybook/react-webpack5@7.0.7 | 7.0.0...7.0.7 | None | +109/-140 |
shilman |
| @storybook/react@7.0.7 | 7.0.0...7.0.7 | network | +76/-74 |
shilman |
| prettier@2.8.8 | 2.8.3...2.8.8 | None | +0/-0 |
prettier-bot |
🚮 Removed packages: @babel/core@7.20.12, @babel/generator@7.20.7, @babel/parser@7.20.13, @babel/preset-env@7.20.2, @babel/preset-typescript@7.18.6, @babel/types@7.20.7, @types/node@16.18.11, lint-staged@13.1.0
Issue: #
What Changed
How to test
Change Type
maintenancedocumentationpatchminormajor📦 Published PR as canary version:
1.0.1--canary.26.47c2c44.0:sparkles: Test out this PR locally via: ```bash npm install @storybook/mdx1-csf@1.0.1--canary.26.47c2c44.0 # or yarn add @storybook/mdx1-csf@1.0.1--canary.26.47c2c44.0 ```
Version
Published prerelease version:
v1.0.1-next.0Changelog
#### 🚀 Enhancement - regen lockfile [#26](https://github.com/storybookjs/mdx1-csf/pull/26) ([@ndelangen](https://github.com/ndelangen)) #### Authors: 1 - Norbert de Langen ([@ndelangen](https://github.com/ndelangen))