Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

glob-parent Security Vulnerability #15174

Closed
zpeterson opened this issue Jun 8, 2021 · 18 comments
Closed

glob-parent Security Vulnerability #15174

zpeterson opened this issue Jun 8, 2021 · 18 comments

Comments

@zpeterson
Copy link

Describe the bug

NPM Advisory 1751

You are dependent on an insecure version of glob-parent.

To Reproduce

Run npm audit

System

Environment Info:

  System:
    OS: Linux 5.10 Ubuntu 20.04 LTS (Focal Fossa)
    CPU: (8) x64 Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
  Binaries:
    Node: 10.13.0 - ~/.nvm/versions/node/v10.13.0/bin/node
    npm: 6.4.1 - ~/.nvm/versions/node/v10.13.0/bin/npm
  npmPackages:
    @storybook/addon-a11y: 6.2.9 => 6.2.9 
    @storybook/addon-essentials: 6.2.9 => 6.2.9 
    @storybook/addon-links: 6.2.9 => 6.2.9 
    @storybook/addons: 6.2.9 => 6.2.9 
    @storybook/preset-scss: 1.0.3 => 1.0.3 
    @storybook/react: 6.2.9 => 6.2.9 
    @storybook/theming: 6.2.9 => 6.2.9 

Additional context

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/builder-webpack4 > @storybook/core-common >       │
│               │ glob-base > glob-parent                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server >                   │
│               │ @storybook/builder-webpack4 > @storybook/core-common >       │
│               │ glob-base > glob-parent                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core > @storybook/core-server  │
│               │ > @storybook/builder-webpack4 > @storybook/core-common >     │
│               │ glob-base > glob-parent                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server >                   │
│               │ @storybook/core-common > glob-base > glob-parent             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core > @storybook/core-server  │
│               │ > @storybook/core-common > glob-base > glob-parent           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core-common > glob-base >      │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/builder-webpack4 > @storybook/core-common >       │
│               │ webpack > watchpack > watchpack-chokidar2 > chokidar >       │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server >                   │
│               │ @storybook/builder-webpack4 > @storybook/core-common >       │
│               │ webpack > watchpack > watchpack-chokidar2 > chokidar >       │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core > @storybook/core-server  │
│               │ > @storybook/builder-webpack4 > @storybook/core-common >     │
│               │ webpack > watchpack > watchpack-chokidar2 > chokidar >       │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server >                   │
│               │ @storybook/core-common > webpack > watchpack >               │
│               │ watchpack-chokidar2 > chokidar > glob-parent                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core > @storybook/core-server  │
│               │ > @storybook/core-common > webpack > watchpack >             │
│               │ watchpack-chokidar2 > chokidar > glob-parent                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core-common > webpack >        │
│               │ watchpack > watchpack-chokidar2 > chokidar > glob-parent     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/builder-webpack4 > webpack > watchpack >          │
│               │ watchpack-chokidar2 > chokidar > glob-parent                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server >                   │
│               │ @storybook/builder-webpack4 > webpack > watchpack >          │
│               │ watchpack-chokidar2 > chokidar > glob-parent                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core > @storybook/core-server  │
│               │ > @storybook/builder-webpack4 > webpack > watchpack >        │
│               │ watchpack-chokidar2 > chokidar > glob-parent                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server > webpack >         │
│               │ watchpack > watchpack-chokidar2 > chokidar > glob-parent     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core > @storybook/core-server  │
│               │ > webpack > watchpack > watchpack-chokidar2 > chokidar >     │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > webpack > watchpack > watchpack-chokidar2 │
│               │ > chokidar > glob-parent                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-essentials [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-essentials > @storybook/addon-docs >        │
│               │ @storybook/core > @storybook/core-server > cpy > globby >    │
│               │ fast-glob > glob-parent                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/react [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/react > @storybook/core > @storybook/core-server  │
│               │ > cpy > globby > fast-glob > glob-parent                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1751                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
@s100
Copy link

s100 commented Jun 14, 2021

glob-base has an issue open to upgrade from glob-parent@^2.0.0 (!!) to a patched version (@^5.1.2). However, that issue has been open since 15 May with no activity, and the glob-base repo itself has seen no activity since September 2015 and is clearly unmaintained.

Recommendation is for @storybook/core-common to stop using glob-base entirely.

@shilman
Copy link
Member

shilman commented Jul 23, 2021

Yowza!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-alpha.20 containing PR #15399 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

@shilman shilman closed this as completed Jul 23, 2021
@cloakedninjas
Copy link

This did fix a bunch of them, but a few remain, after running npx sb upgrade --prerelease (now on 6.4.0-alpha.30)

However - cpy needs updating: sindresorhus/cpy#87

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-docs [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-docs > @storybook/core >                    │
│               │ @storybook/core-server > cpy > globby > fast-glob >          │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1751                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-storyshots [dev]                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-storyshots > @storybook/core >              │
│               │ @storybook/core-server > cpy > globby > fast-glob >          │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1751                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/angular [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/angular > @storybook/core >                       │
│               │ @storybook/core-server > cpy > globby > fast-glob >          │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1751                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@marcinincreo
Copy link

@shilman please re-open this as it is still an issue.

anomiex added a commit to Automattic/jetpack that referenced this issue Aug 31, 2021
Unfortunately we can't do them all.

* storybook still has some deps. One they [removed in "next"][2].
  Another is still there. Plus it has some webpack 4 deps it seemingly
  doesn't actually use.
* `gulp` devs [actively refuse to update dependencies][3] when they
  believe they're not hitting the vulnerability, apparently as protest
  against `npm audit` which they consider "broken".

[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108
@shilman shilman reopened this Aug 31, 2021
@shilman
Copy link
Member

shilman commented Aug 31, 2021

Huzzah!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-alpha.33 containing PR #15953 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

@shilman shilman closed this as completed Aug 31, 2021
@cloakedninjas
Copy link

Issues still present - v8.1.2 doesn't resolve the warnings from cpy, we will have to wait for their next release

@shilman shilman reopened this Sep 1, 2021
anomiex added a commit to Automattic/jetpack that referenced this issue Sep 1, 2021
Clean up JS dependencies, mainly those complained about by `pnpm audit`.

* Remove unneeded pnpm.overrides.
  
  * `@automattic/calypso-build` no longer depends on `node-sass`.
  * Nothing we depend on depends on `terser-webpack-plugin` 2.3.1 anymore.
  
  And fix syntax for a few others. Looks like pnpm 6.10.2 broke the syntax
  we were using before.

* Update browserslist.
  
  Add an override for `react-dev-utils` which unnecessarily depends on a
  specific version instead of allowing updates.

* Update cheerio.
  
  New version fixes dep on vulnerable `css-what`.

* Update tar.

* Update postcss.
  
  Only the 7.0.35 deps needed updating for vulnerabilities, but may as
  well do the 8.2.15 too.

* Update path-parse.

* Add override for trim@0.0.1.
  
  `@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to
  fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.

* Upgrade copy-webpack-plugin.
  
  Depends on a vulnerable version of glob-parent.

* Update glob-parent where we can.
  
  Unfortunately we can't do them all.
  
  * storybook still has some deps. One they [removed in "next"][2].
    Another is still there. Plus it has some webpack 4 deps it seemingly
    doesn't actually use.
  * `gulp` devs [actively refuse to update dependencies][3] when they
    believe they're not hitting the vulnerability, apparently as protest
    against `npm audit` which they consider "broken".
  
[1]: mdx-js/mdx#1553
[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108
matticbot pushed a commit to Automattic/jetpack-production that referenced this issue Sep 1, 2021
Clean up JS dependencies, mainly those complained about by `pnpm audit`.

* Remove unneeded pnpm.overrides.

  * `@automattic/calypso-build` no longer depends on `node-sass`.
  * Nothing we depend on depends on `terser-webpack-plugin` 2.3.1 anymore.

  And fix syntax for a few others. Looks like pnpm 6.10.2 broke the syntax
  we were using before.

* Update browserslist.

  Add an override for `react-dev-utils` which unnecessarily depends on a
  specific version instead of allowing updates.

* Update cheerio.

  New version fixes dep on vulnerable `css-what`.

* Update tar.

* Update postcss.

  Only the 7.0.35 deps needed updating for vulnerabilities, but may as
  well do the 8.2.15 too.

* Update path-parse.

* Add override for trim@0.0.1.

  `@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to
  fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.

* Upgrade copy-webpack-plugin.

  Depends on a vulnerable version of glob-parent.

* Update glob-parent where we can.

  Unfortunately we can't do them all.

  * storybook still has some deps. One they [removed in "next"][2].
    Another is still there. Plus it has some webpack 4 deps it seemingly
    doesn't actually use.
  * `gulp` devs [actively refuse to update dependencies][3] when they
    believe they're not hitting the vulnerability, apparently as protest
    against `npm audit` which they consider "broken".

[1]: mdx-js/mdx#1553
[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108

Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/1190571780
@andziaoo7
Copy link

andziaoo7 commented Dec 20, 2021

After I've replaced addon-knobs with addon-controls this issue appeared.

I'm using:
"@storybook/angular": "6.4.9",
"@storybook/addon-controls": "6.4.9",


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-controls                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-controls > @storybook/core-common > webpack  
                  > watchpack > watchpack-chokidar2 > chokidar > glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-ww39-953v-wcq6                              │
└───────────────┴──────────────────────────────────────────────────────────────┘

@landsman
Copy link

landsman commented Feb 1, 2022

pls

leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022
Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent : storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556

storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far
leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022
Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent : storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556

storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far

After figured @storybook/addon-ondevice-notes/register Jest parsing issue
- Add generated storybook.requires.js to gitignore
- Add prestart script to get-stories first

Consider splitting/decoupling App/Storybook Jest parsing
- env var with dynamic import
- npm workspaces / lerna
- multiple modules
@dgarciasarai
Copy link

After updating to @storybook/react 6.4.19:

image

@iuriifaevskii
Copy link

@dgarciasarai the same issue

can someone from the storybook team take a look

@NicolasBelliard
Copy link

Hello!
Do you have any news concerning a potential fix of this vulnerability?
Thank you!

@shilman
Copy link
Member

shilman commented Feb 24, 2022

If you look at the dependency tree, this is an issue with Webpack4.

The plan is to make Webpack4 optional starting in Storybook 7.0, which will come out later this year. At that point, this failing check should go away.

@SimenB
Copy link
Contributor

SimenB commented Mar 8, 2022

@shilman cpy is not from webpack, but since its latest version is ESM only it might not be possibly for you to upgrade? Could replace it with some other copying lib, tho

@bodograumann
Copy link
Contributor

I guess the issue is not that big, but I wish npm wouldn’t warn about “23 high severity vulnerabilities”, just because @storybook/addon-docs@6.4 is installed...

@strmer15
Copy link
Contributor

When I looked at this again yesterday, cpy was coming from @storybook/core-server, which uses cpy to move a favicon and the contents of a prebuiltDir to the output in certain circumstances - I've created #18497 to use fs-extra instead (which has a copy function and is already installed in the project).

@shilman
Copy link
Member

shilman commented Jun 29, 2022

Olé!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-alpha.7 containing PR #18497 that references this issue. Upgrade today to the @future NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

@shilman shilman closed this as completed Jun 29, 2022
@esharmony
Copy link

Olé!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-alpha.7 containing PR #18497 that references this issue. Upgrade today to the @future NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

I just followed this, and now storybook no longer runs
/bin/sh: start-storybook: command not found

I have cleared the cache and deleted and reinstalled node_modules, has something changed?

@esharmony
Copy link

esharmony commented Aug 11, 2022

Olé!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-alpha.7 containing PR #18497 that references this issue. Upgrade today to the @future NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

I just followed this, and now storybook no longer runs /bin/sh: start-storybook: command not found

I have cleared the cache and deleted and reinstalled node_modules, has something changed?

OK - there are migration notes I need to read : )
https://github.com/storybookjs/storybook/blob/next/MIGRATION.md#start-storybook--build-storybook-binaries-removed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests