shelljs is vulnerable to Improper Privilege Management

[daybydae]

This came up today on a project I'm working on.
Looks to be pretty new.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0144

[AlanGreene]

$ npm ls shelljs
…
└─┬ @storybook/storybook-deployer@2.8.10
  └── shelljs@0.8.5

That vulnerability was fixed in shelljs 0.8.5 and as you can see that's the version I'm seeing in my environment. You may just need to update your dependencies.

[ashishjpm]

shelljs version 0.8.4 is used with latest version(6.4.19) of @storybook/cli".
This is causing the same vulnerable issue with my project too.
CVE-2022-0144 High severity Vulnerable versions: < 0.8.5. shelljs is vulnerable to Improper Privilege Management

[shilman]

Huzzah!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.47 containing PR #17602 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.