Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security warning on react-dev-utils that depends on immer #16093

Closed
erbunao opened this issue Sep 17, 2021 · 16 comments
Closed

Security warning on react-dev-utils that depends on immer #16093

erbunao opened this issue Sep 17, 2021 · 16 comments

Comments

@erbunao
Copy link

erbunao commented Sep 17, 2021

Describe the bug

I noticed from our pipeline that a critical vulnerability has been raised stemming from immer not on the latest version 9.0.6. immer is a dependency of react-dev-utils.

Alerts · wrapbookapp 2021-09-17 at 11 34 21 AM

At the moment, react-dev-utils is being updated to use immer's latest version.facebook/create-react-app#11364.

Happy to upgrade this once the PR above has been merged.

@snjnlsn
Copy link

snjnlsn commented Sep 29, 2021

That PR has been merged, storybook can now depend on react-dev-utils@11.0.4 to resolve this security vulnerability

@shilman
Copy link
Member

shilman commented Oct 1, 2021

Crikey!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-beta.2 containing PR #16196 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

@shilman shilman closed this as completed Oct 1, 2021
@hawkticehurst
Copy link

hawkticehurst commented Oct 5, 2021

I'm unfortunately still getting a critical severity warning despite having 6.4.0-beta.4 installed.

Screen Shot 2021-10-04 at 6 45 39 PM

After some snooping, it looks like despite having bumped immer to the correct version in this PR, react-dev-utils has not yet actually published this change in a new package version (i.e. v11.0.4 is the latest release, but does not contain the security fix).

I would suggest potentially reopening this issue and tracking the conversation in the aforementioned PR until a published change comes down the line.

@fernandopasik
Copy link
Member

fernandopasik commented Oct 21, 2021

Unfortunately we are stuck on this until facebook publishes the version 12 that resolve the issue. Unless we feel adventurous to move now to that beta version

version: '12.0.0-next.47',
  engines: {
    node: '>=14'
  },
  dependencies: {
    '@babel/code-frame': '^7.10.4',
    address: '^1.1.2',
    browserslist: '^4.16.5',
    chalk: '^2.4.2',
    'cross-spawn': '^7.0.3',
    'detect-port-alt': '^1.1.6',
    'escape-string-regexp': '^2.0.0',
    filesize: '^6.1.0',
    'find-up': '^4.1.0',
    'fork-ts-checker-webpack-plugin': '^6.0.5',
    'global-modules': '^2.0.0',
    globby: '^11.0.1',
    'gzip-size': '^5.1.1',
    immer: '^9.0.6',
    'is-root': '^2.1.0',
    'loader-utils': '^2.0.0',
    open: '^7.0.2',
    'pkg-up': '^3.1.0',
    prompts: '^2.4.0',
    'react-error-overlay': '7.0.0-next.54+1465357b',
    'recursive-readdir': '^2.2.2',
    'shell-quote': '^1.7.2',
    'strip-ansi': '^6.0.0',
    'text-table': '^0.2.0'
  },

@fernandopasik
Copy link
Member

fernandopasik commented Oct 21, 2021

One "small" detail, we are using react-dev-utils for WatchMissingNodeModulesPlugin, and that is going to be removed in next version

facebook/create-react-app#11201 (comment)

facebook/create-react-app#11170 (comment)

@mrmckeb saw your comment there, are there any plans already to replace react-dev-utils?

@shilman shilman reopened this Oct 21, 2021
@simonsmith
Copy link

Are you planning to release a new version of 5.x to address this?

@shilman
Copy link
Member

shilman commented Nov 11, 2021

@simonsmith No, Storybook 5.3 is almost 2 years old now and I'd strongly prefer if people upgrade to the latest

https://storybook.js.org/blog/storybook-6-migration-guide/

@mukundkatpatal
Copy link

Any update on this guys?

@erbunao
Copy link
Author

erbunao commented Nov 11, 2021

Is there a temporary workaround to use the version "react-dev-utils": "12.0.0-next.47"?

@fernandopasik
Copy link
Member

you could try yarn resolutions in package.json

{
  "react-dev-utils": "^12.0.0-next.47"
}

@jonsalvas
Copy link

got it working this way: facebook/create-react-app#11660 (comment)

@robertwbradford
Copy link

react-dev-utils has published v12. Could @storybook/react now be updated to use it?

@andig
Copy link

andig commented Dec 20, 2021

Since vulnerability has been solved- could this be released?

@furdzik
Copy link

furdzik commented Jan 3, 2022

react-dev-utils has been published to version 12. Could @storybook/angular be updated?

@shilman
Copy link
Member

shilman commented Jan 3, 2022

Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.6 containing PR #17022 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

@shilman shilman closed this as completed Jan 3, 2022
PiDelport added a commit to ntls-io/nautilus-wallet that referenced this issue Jan 7, 2022
Invocation:

    npx sb upgrade --prerelease

This is currently a 6.5.0 alpha release, but we can update to 6.5.0 once
that's stable.

Upstream issue:

* storybookjs/storybook#16093

CVEs for immer (Prototype Pollution):

* GHSA-33f9-j839-rf8h (CVSS 9.8 Critical)
* GHSA-c36v-fmgq-m8hx (CVSS 7.5 High)
PiDelport added a commit to ntls-io/nautilus-wallet that referenced this issue Jan 7, 2022
…lution)

Invocation:

    npx sb upgrade --prerelease

This is currently a 6.5.0 alpha release, but we can update to 6.5.0 once
that's stable.

Upstream issue: storybookjs/storybook#16093

CVEs for immer:

* GHSA-33f9-j839-rf8h (CVSS 9.8 Critical)
* GHSA-c36v-fmgq-m8hx (CVSS 7.5 High)
PiDelport added a commit to ntls-io/nautilus-wallet that referenced this issue Jan 7, 2022
…lution)

Invocation:

    npx sb upgrade --prerelease

This is currently a 6.5.0 alpha release, but we can update to 6.5.0 once
that's stable.

Upstream issue: storybookjs/storybook#16093

CVEs for immer:

* GHSA-33f9-j839-rf8h (CVSS 9.8 Critical)
* GHSA-c36v-fmgq-m8hx (CVSS 7.5 High)
PiDelport added a commit to ntls-io/nautilus-wallet that referenced this issue Jan 7, 2022
* security(web-client): update Storybook to remove immer (Prototype Pollution)

Invocation:

    npx sb upgrade --prerelease

This is currently a 6.5.0 alpha release, but we can update to 6.5.0 once
that's stable.

Upstream issue: storybookjs/storybook#16093

CVEs for immer:

* GHSA-33f9-j839-rf8h (CVSS 9.8 Critical)
* GHSA-c36v-fmgq-m8hx (CVSS 7.5 High)

* security(web-client): drop dependency on chromatic, and axios (ReDoS)

We don't actually need the Chromatic CLI installed: the GitHub Action
uses its own version.

axios CVE: GHSA-cph5-m8f7-6c5x

* security(web-client): update nth-check (ReDoS)

CVE: GHSA-rp65-9cf3-cjxr

* security(web-client): update json-schema (Prototype Pollution), via jsprim

json-schema CVE: GHSA-896r-f27r-55mw

* security(web-client): update url-parse (URL Redirection to Untrusted Site)

CVE: GHSA-hh27-ffr2-f2jc

* security(web-client): update jszip (Prototype Pollution)

CVE: GHSA-jg8v-48h5-wgxg
@shilman
Copy link
Member

shilman commented Jan 15, 2022

Yo-ho-ho!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.13 containing PR #17022 that references this issue. Upgrade today to the @latest NPM tag to try it out!

npx sb upgrade

leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022
Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent : storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556

storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far
leotm added a commit to leotm/react-native-template-new-architecture that referenced this issue Feb 3, 2022
Prompted by Dependabot false positive Security vulnerabilities of dev build tools

RN Storybook v5.3
- Remove old /storybook config
- Keep old /stories for now

RN Storybook v6
- Setup in .storybook for now
- Add minimal config w/o stories for now

Jest setup mocks
- Remove stale RN mocks
- Add new RN Storybook mocks
- Doc @storybook/addon-ondevice-notes/register parsing issue
- Doc @storybook/addon-actions ES forEach proto parsing issue

Metro
- Config resolver for modern storybook build, vs polyfilled versions
- Keep inlineRequires optimisation on, disable later if blocking

App
- Update gitignore with Storybook
- Update app Storybook require to import with new path
- Add react-native-slider and RNDateTimePicker pods
- Add get-stories script to codegen storybook.requires.js
- Update RNCAsyncStorage pod
- Remove deprecated @react-native-community/async-storage later and update Reactotron config

Relevant Dependabot Security alerts
- Upgrading Storybook should clear some, resolve remaining after
- browserslist: storybookjs/storybook#15173
- glob-parent : storybookjs/storybook#15174
- Vulnerabilities: storybookjs/storybook#16063
- immer: storybookjs/storybook#16093
- immer: storybookjs/storybook#16556

storybookjs/react-native#240
- Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far

After figured @storybook/addon-ondevice-notes/register Jest parsing issue
- Add generated storybook.requires.js to gitignore
- Add prestart script to get-stories first

Consider splitting/decoupling App/Storybook Jest parsing
- env var with dynamic import
- npm workspaces / lerna
- multiple modules
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests