glob-parent Security Vulnerability #15174
Comments
Recommendation is for
Yowza!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-alpha.20 containing PR #15399 that references this issue. Upgrade today to the
Closing this issue. Please re-open if you think there's still more to do.
This did fix a bunch of them, but a few remain, after running However - cpy needs updating: sindresorhus/cpy#87
@shilman please re-open this as it is still an issue.
Huzzah!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-alpha.33 containing PR #15953 that references this issue. Upgrade today to the
Closing this issue. Please re-open if you think there's still more to do.
Issues still present - v8.1.2 doesn't resolve the warnings from cpy, we will have to wait for their next release
Clean up JS dependencies, mainly those complained about by `pnpm audit`.
* Remove unneeded pnpm.overrides.
  * `@automattic/calypso-build` no longer depends on `node-sass`.
  * Nothing we depend on depends on `terser-webpack-plugin` 2.3.1 anymore.
  And fix syntax for a few others. Looks like pnpm 6.10.2 broke the syntax we were using before.
* Update browserslist. Add an override for `react-dev-utils` which unnecessarily depends on a specific version instead of allowing updates.
* Update cheerio. New version fixes dep on vulnerable `css-what`.
* Update tar.
* Update postcss. Only the 7.0.35 deps needed updating for vulnerabilities, but may as well do the 8.2.15 too.
* Update path-parse.
* Add override for trim@0.0.1. `@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.
* Upgrade copy-webpack-plugin. Depends on a vulnerable version of glob-parent.
* Update glob-parent where we can. Unfortunately we can't do them all.
  * storybook still has some deps. One they [removed in "next"][2]. Another is still there. Plus it has some webpack 4 deps it seemingly doesn't actually use.
  * `gulp` devs [actively refuse to update dependencies][3] when they believe they're not hitting the vulnerability, apparently as protest against `npm audit` which they consider "broken".
[1]: mdx-js/mdx#1553
[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108
Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/1190571780
After I replaced addon-knobs with addon-controls, this issue appeared. I'm using:
pls
Prompted by Dependabot false positive Security vulnerabilities of dev build tools
RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now
RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now
Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue
Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking
App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config
Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent: storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556
storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far
After figured @storybook/addon-ondevice-notes/register Jest parsing issue
- Add generated storybook.requires.js to gitignore
- Add prestart script to get-stories first
Consider splitting/decoupling App/Storybook Jest parsing
- env var with dynamic import
- npm workspaces / lerna
- multiple modules
@dgarciasarai the same issue. Can someone from the storybook team take a look?
Hello!
If you look at the dependency tree, this is an issue with Webpack4. The plan is to make Webpack4 optional starting in Storybook 7.0, which will come out later this year. At that point, this failing check should go away.
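The commit messages above describe chasing every nested copy of glob-parent through the dependency tree and pinning the stragglers with pnpm.overrides, and the reply just above points at the dependency tree as the place to look. The Node script below is an added example, not code from Storybook, Jetpack or anyone in this thread: it walks an npm package-lock.json (lockfileVersion 2 or 3, where the `packages` map lists every nested copy under its node_modules path), reports each copy of a package that is still below the fix version, and names the dependency that nests it, which is the thing you actually have to upgrade or override. The lockfile contents are constructed for illustration, and treating 5.1.2 as the first fixed glob-parent release for NPM Advisory 1751 is an assumption to confirm against the advisory itself.

```javascript
// Added example, not from the Storybook or Jetpack repositories.
// Lists every installed copy of a package in an npm package-lock.json
// (lockfileVersion 2/3) that is below the version fixing an advisory,
// together with the dependency chain that nests each copy.
// Run with: node find-vulnerable-copies.js

// ASSUMPTION: 5.1.2 is taken as the first fixed glob-parent release for
// NPM Advisory 1751; verify against the advisory before relying on it.
const ASSUMED_FIXED_VERSION = "5.1.2";

// Constructed lockfile fragment for illustration only. Real lockfiles carry
// many more fields; this script reads only the "packages" keys and "version".
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/glob-parent": { version: "6.0.2" },
    "node_modules/chokidar": { version: "2.1.8" },
    "node_modules/chokidar/node_modules/glob-parent": { version: "3.1.0" },
    "node_modules/copy-webpack-plugin": { version: "6.4.1" },
    "node_modules/copy-webpack-plugin/node_modules/glob-parent": { version: "5.1.1" },
    "node_modules/some-tool/node_modules/glob-parent": { version: "5.1.2" },
  },
};

// Parse "1.2.3" or "1.2.3-beta.1" into numeric major/minor/patch parts.
// Pre-release tags are deliberately ignored; only the numeric ordering matters here.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((p) => parseInt(p, 10) || 0);
}

// true when version a sorts strictly before version b.
function versionLt(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] !== undefined ? pa[i] : 0;
    const y = pb[i] !== undefined ? pb[i] : 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Recover the chain of packages nesting a copy from its lockfile path:
// "node_modules/chokidar/node_modules/glob-parent" -> ["chokidar"].
// A top-level copy ("node_modules/glob-parent") yields an empty chain.
// Scoped packages ("@scope/name") survive because only "node_modules/" splits.
function nestingChain(lockPath) {
  const parts = lockPath.split("node_modules/").filter(Boolean);
  return parts.slice(0, -1).map((p) => p.replace(/\/$/, ""));
}

// Every installed copy of `name` whose version is below `fixed`, sorted by path.
function findVulnerableCopies(lock, name, fixed) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const isCopy =
      lockPath === "node_modules/" + name || lockPath.endsWith("/node_modules/" + name);
    if (!isCopy) continue;
    if (!entry.version || !versionLt(entry.version, fixed)) continue;
    hits.push({ path: lockPath, version: entry.version, via: nestingChain(lockPath) });
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Group hits by the package that directly nests each copy. That parent is what
// needs an upgrade, or an overrides entry if its maintainers will not update.
function blameDirectParents(hits) {
  const out = {};
  for (const h of hits) {
    const parent = h.via.length ? h.via[h.via.length - 1] : "(top-level)";
    if (!out[parent]) out[parent] = [];
    out[parent].push(h.version);
  }
  return out;
}

function main() {
  const hits = findVulnerableCopies(SAMPLE_LOCK, "glob-parent", ASSUMED_FIXED_VERSION);
  for (const h of hits) {
    console.log(`${h.path}: ${h.version} (via ${h.via.join(" > ") || "top-level"})`);
  }
  console.log(JSON.stringify(blameDirectParents(hits), null, 2));
}

main();
```

Against a real project, replace `SAMPLE_LOCK` with the parsed contents of package-lock.json (`JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`); `npm ls glob-parent` shows the same nesting interactively. The per-parent summary is the useful output: a parent with a newer release simply gets upgraded, while one whose maintainers decline to move (the gulp case in the commit message above) is the candidate for a `pnpm.overrides` entry pinning the nested copy to a fixed version. pnpm projects keep a different lockfile (pnpm-lock.yaml), so this script applies to npm lockfiles only.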
@shilman
I guess the issue is not that big, but I wish
When I looked at this again yesterday,
Olé!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-alpha.7 containing PR #18497 that references this issue. Upgrade today to the
Closing this issue. Please re-open if you think there's still more to do.
I just followed this, and now storybook no longer runs. I have cleared the cache and deleted and reinstalled node_modules; has something changed?
OK - there are migration notes I need to read : )
Describe the bug
NPM Advisory 1751: You are dependent on an insecure version of `glob-parent`.
To Reproduce
Run `npm audit`
System
Additional context