storybookjs / storybook

Storybook is the industry standard workshop for building, documenting, and testing UI components in isolation
https://storybook.js.org
MIT License
83.49k stars 9.13k forks

[Bug]: The storybook 7.6.* version depends on the highly vulnerable ip package #28257

Open sridhar614 opened 3 weeks ago

sridhar614 commented 3 weeks ago

Describe the bug

I am encountering a high vulnerability issue flagged by npm audit related to the ip package. This issue is present in the storybook core-server dependency. I noticed that this vulnerability has been addressed in the latest release of Storybook (version 8.1.9), and it got fixed in https://github.com/storybookjs/storybook/issues/26014

Can we backport the patch to 7.6? That would be helpful for users who are on 7.6.

Reproduction link

https://github.com/storybookjs/storybook

Reproduction steps

(Screenshot attached to the original issue, taken 2024-06-17 at 10:28:38 AM; not reproduced here)

System

npx storybook@latest info

Storybook Environment Info:

  System:
    OS: macOS 14.5
    CPU: (10) arm64 Apple M1 Max
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.12.2 - /opt/homebrew/opt/node@20/bin/node
    Yarn: 1.22.19 - /opt/homebrew/bin/yarn
    npm: 10.5.0 - /opt/homebrew/opt/node@20/bin/npm <----- active
  Browsers:
    Chrome: 125.0.6422.142
    Edge: 126.0.2592.56
    Safari: 17.5
  npmPackages:
    @storybook/addon-a11y: 7.6.17 => 7.6.17
    @storybook/addon-actions: 7.6.17 => 7.6.17
    @storybook/addon-controls: 7.6.17 => 7.6.17
    @storybook/addon-designs: 7.0.9 => 7.0.9
    @storybook/addon-docs: 7.6.17 => 7.6.17
    @storybook/addon-storysource: 7.6.17 => 7.6.17
    @storybook/addon-toolbars: 7.6.17 => 7.6.17
    @storybook/addon-viewport: 7.6.17 => 7.6.17
    @storybook/addons: 7.6.17 => 7.6.17
    @storybook/api: 7.6.17 => 7.6.17
    @storybook/cli: 7.6.17 => 7.6.17
    @storybook/client-api: 7.6.17 => 7.6.17
    @storybook/components: 7.6.17 => 7.6.17
    @storybook/core-client: 7.6.17 => 7.6.17
    @storybook/core-events: 7.6.17 => 7.6.17
    @storybook/core-server: 7.6.17 => 7.6.17
    @storybook/html: 7.6.17 => 7.6.17
    @storybook/manager-api: 7.6.17 => 7.6.17
    @storybook/preview-api: 7.6.17 => 7.6.17
    @storybook/source-loader: 7.6.17 => 7.6.17
    @storybook/theming: 7.6.17 => 7.6.17
    @storybook/web-components: 7.6.17 => 7.6.17
    @storybook/web-components-webpack5: 7.6.17 => 7.6.17
    storybook: 7.6.17 => 7.6.17

Additional context

No response

shilman commented 3 weeks ago

Please upgrade to the latest release.

Migration guide: https://storybook.js.org/docs/8.0/migration-guide

msakrejda commented 3 weeks ago

Storybook 8 requires node 18. We have some dependencies that require node 16 (they are deprecated and we are trying to migrate off, but it's not trivial). The migration guide says

If any of these new requirements or changes are blockers for your project, we recommend to continue using Storybook 7.x.

Should this be qualified? Or is there any chance this change will be backported to 7?

sridhar614 commented 3 weeks ago

We are encountering similar issues with migrating our dependencies and replacing other add-on plugins for Storybook 8.

Since there is already a solution and fix available in Storybook, is it feasible to backport the patch to version 7?
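For readers in the same position as the reporter (stuck on Storybook 7.6 with npm audit flagging the transitive ip dependency under @storybook/core-server, and no backport available), the script below is an added example, not code from the Storybook project or from anyone in this thread. It walks the JSON tree printed by `npm ls --all --json`, lists every chain through which ip is reached, filters to the copies older than a patched release, and generates the package.json "overrides" entry that pins those copies without touching packages that already resolve a clean version. The dependency tree is constructed for the example (only @storybook/core-server 7.6.17 comes from the thread; clean-lib, tool-x and helper-y are invented), and PATCHED_IP_VERSION is a placeholder assumption, not a value this issue states: take the real one from the npm audit output.

```javascript
// Added example, not Storybook project code: find every path by which
// the `ip` package enters a dependency tree and build an npm "overrides"
// entry that pins it, for users staying on Storybook 7.6 while no
// backport exists.
//
// Input shape follows `npm ls --all --json`: a nested object of
// { version, dependencies: { name: { version, dependencies: {...} } } }.
// The tree below is constructed for this example; apart from
// @storybook/core-server 7.6.17 the package names and versions are invented.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "@storybook/core-server": {
      version: "7.6.17",
      dependencies: { ip: { version: "2.0.0" } },
    },
    "clean-lib": {
      version: "1.2.3",
      dependencies: { ip: { version: "2.0.1" } },
    },
    "tool-x": {
      version: "4.5.6",
      dependencies: {
        "helper-y": {
          version: "0.1.0",
          dependencies: { ip: { version: "1.1.8" } },
        },
      },
    },
  },
};

// ASSUMPTION (placeholder): the first release that `npm audit` reports as
// fixed for the advisory; read the real value from the audit output.
const PATCHED_IP_VERSION = "2.0.1";

// Parse the numeric part of a semver string; prerelease tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a sorts before version b. Comparison is numeric per
// component, so "10.0.0" is not below "9.9.9" as a string compare would say.
function versionLt(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Depth-first walk returning every chain of {name, version} nodes from a
// direct dependency down to an occurrence of `target`.
function findChains(tree, target, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, { name, version: node.version }];
    if (name === target) out.push(chain);
    findChains(node, target, chain, out);
  }
  return out;
}

function chainToString(chain) {
  return chain.map((n) => `${n.name}@${n.version}`).join(" > ");
}

// Build the package.json "overrides" object: one nested entry per direct
// dependency whose subtree pulls in a vulnerable copy, so a package that
// already resolves a patched release is left untouched.
function buildOverrides(vulnerableChains, target, patched) {
  const overrides = {};
  for (const chain of vulnerableChains) {
    const direct = chain[0].name;
    if (direct === target) {
      overrides[target] = patched; // target is itself a direct dependency
    } else {
      overrides[direct] = { ...(overrides[direct] || {}), [target]: patched };
    }
  }
  return overrides;
}

// Report all chains, the vulnerable subset, and the overrides that fix them.
function auditTarget(tree, target, patched) {
  const chains = findChains(tree, target);
  const vulnerable = chains.filter(
    (c) => versionLt(c[c.length - 1].version, patched)
  );
  return {
    chains: chains.map(chainToString),
    vulnerable: vulnerable.map(chainToString),
    overrides: buildOverrides(vulnerable, target, patched),
  };
}

const report = auditTarget(SAMPLE_TREE, "ip", PATCHED_IP_VERSION);
console.log(JSON.stringify(report, null, 2));
```

Against real output, pipe `npm ls --all --json` into the script instead of SAMPLE_TREE, copy the generated object into the "overrides" field of package.json, run `npm install`, then confirm with `npm ls ip` and `npm audit` that only the pinned version remains. Two caveats: "overrides" is an npm feature (npm 8.3 and later; the reporter's npm 10.5.0 qualifies), and Yarn 1 uses a "resolutions" field instead; and a pinned transitive dependency is only safe if the patched release keeps the API @storybook/core-server calls, so start Storybook after applying it. It is a stopgap for a project that cannot move to 8.x yet, not a replacement for the upstream fix.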