-
-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security warning on react-dev-utils that depends on immer #16093
Comments
That PR has been merged, storybook can now depend on react-dev-utils@11.0.4 to resolve this security vulnerability |
Crikey!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-beta.2 containing PR #16196 that references this issue. Upgrade today to the
Closing this issue. Please re-open if you think there's still more to do. |
I'm unfortunately still getting a critical severity warning despite having After some snooping, it looks like despite having bumped I would suggest potentially reopening this issue and tracking the conversation in the aforementioned PR until a published change comes down the line. |
Unfortunately we are stuck on this until facebook publishes the version 12 that resolve the issue. Unless we feel adventurous to move now to that beta version
|
One "small" detail, we are using facebook/create-react-app#11201 (comment) facebook/create-react-app#11170 (comment) @mrmckeb saw your comment there, are there any plans already to replace |
Are you planning to release a new version of |
@simonsmith No, Storybook 5.3 is almost 2 years old now and I'd strongly prefer if people upgrade to the latest |
Any update on this guys? |
Is there a temporary workaround to use the version |
you could try yarn resolutions in
|
got it working this way: facebook/create-react-app#11660 (comment) |
react-dev-utils has published v12. Could |
Since vulnerability has been solved- could this be released? |
|
Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.6 containing PR #17022 that references this issue. Upgrade today to the
Closing this issue. Please re-open if you think there's still more to do. |
Invocation: npx sb upgrade --prerelease This is currently a 6.5.0 alpha release, but we can update to 6.5.0 once that's stable. Upstream issue: * storybookjs/storybook#16093 CVEs for immer (Prototype Pollution): * GHSA-33f9-j839-rf8h (CVSS 9.8 Critical) * GHSA-c36v-fmgq-m8hx (CVSS 7.5 High)
…lution) Invocation: npx sb upgrade --prerelease This is currently a 6.5.0 alpha release, but we can update to 6.5.0 once that's stable. Upstream issue: storybookjs/storybook#16093 CVEs for immer: * GHSA-33f9-j839-rf8h (CVSS 9.8 Critical) * GHSA-c36v-fmgq-m8hx (CVSS 7.5 High)
…lution) Invocation: npx sb upgrade --prerelease This is currently a 6.5.0 alpha release, but we can update to 6.5.0 once that's stable. Upstream issue: storybookjs/storybook#16093 CVEs for immer: * GHSA-33f9-j839-rf8h (CVSS 9.8 Critical) * GHSA-c36v-fmgq-m8hx (CVSS 7.5 High)
* security(web-client): update Storybook to remove immer (Prototype Pollution) Invocation: npx sb upgrade --prerelease This is currently a 6.5.0 alpha release, but we can update to 6.5.0 once that's stable. Upstream issue: storybookjs/storybook#16093 CVEs for immer: * GHSA-33f9-j839-rf8h (CVSS 9.8 Critical) * GHSA-c36v-fmgq-m8hx (CVSS 7.5 High) * security(web-client): drop dependency on chromatic, and axios (ReDoS) We don't actually need the Chromatic CLI installed: the GitHub Action uses its own version. axios CVE: GHSA-cph5-m8f7-6c5x * security(web-client): update nth-check (ReDoS) CVE: GHSA-rp65-9cf3-cjxr * security(web-client): update json-schema (Prototype Pollution), via jsprim json-schema CVE: GHSA-896r-f27r-55mw * security(web-client): update url-parse (URL Redirection to Untrusted Site) CVE: GHSA-hh27-ffr2-f2jc * security(web-client): update jszip (Prototype Pollution) CVE: GHSA-jg8v-48h5-wgxg
Yo-ho-ho!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.13 containing PR #17022 that references this issue. Upgrade today to the
|
Prompted by Dependabot false positive Security vulnerabilities of dev build tools RN Storybook v5.3 - Remove old /storybook config - Keep old /stories for now RN Storybook v6 - Setup in .storybook for now - Add minimal config w/o stories for now Jest setup mocks - Remove stale RN mocks - Add new RN Storybook mocks - Doc @storybook/addon-ondevice-notes/register parsing issue - Doc @storybook/addon-actions ES forEach proto parsing issue Metro - Config resolver for modern storybook build, vs polyfilled versions - Keep inlineRequires optimisation on, disable later if blocking App - Update gitignore with Storybook - Update app Storybook require to import with new path - Add react-native-slider and RNDateTimePicker pods - Add get-stories script to codegen storybook.requires.js - Update RNCAsyncStorage pod - Remove deprecated @react-native-community/async-storage later and update Reactotron config Relevant Dependabot Security alerts - Upgrading Storybook should clear some, resolve remaining after - browserslist: storybookjs/storybook#15173 - glob-parent : storybookjs/storybook#15174 - Vulnerabilities: storybookjs/storybook#16063 - immer: storybookjs/storybook#16093 - immer: storybookjs/storybook#16556 storybookjs/react-native#240 - Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far
Prompted by Dependabot false positive Security vulnerabilities of dev build tools RN Storybook v5.3 - Remove old /storybook config - Keep old /stories for now RN Storybook v6 - Setup in .storybook for now - Add minimal config w/o stories for now Jest setup mocks - Remove stale RN mocks - Add new RN Storybook mocks - Doc @storybook/addon-ondevice-notes/register parsing issue - Doc @storybook/addon-actions ES forEach proto parsing issue Metro - Config resolver for modern storybook build, vs polyfilled versions - Keep inlineRequires optimisation on, disable later if blocking App - Update gitignore with Storybook - Update app Storybook require to import with new path - Add react-native-slider and RNDateTimePicker pods - Add get-stories script to codegen storybook.requires.js - Update RNCAsyncStorage pod - Remove deprecated @react-native-community/async-storage later and update Reactotron config Relevant Dependabot Security alerts - Upgrading Storybook should clear some, resolve remaining after - browserslist: storybookjs/storybook#15173 - glob-parent : storybookjs/storybook#15174 - Vulnerabilities: storybookjs/storybook#16063 - immer: storybookjs/storybook#16093 - immer: storybookjs/storybook#16556 storybookjs/react-native#240 - Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far After figured @storybook/addon-ondevice-notes/register Jest parsing issue - Add generated storybook.requires.js to gitignore - Add prestart script to get-stories first Consider splitting/decoupling App/Storybook Jest parsing - env var with dynamic import - npm workspaces / lerna - multiple modules
Describe the bug
I noticed from our pipeline that a critical vulnerability has been raised stemming from
immer
not on the latest version9.0.6
.immer
is a dependency ofreact-dev-utils
.At the moment,
react-dev-utils
is being updated to useimmer
's latest version.facebook/create-react-app#11364.Happy to upgrade this once the PR above has been merged.
The text was updated successfully, but these errors were encountered: