disable frontend version check

[alexan]

Is your feature request related to a problem? Please describe.
On our infrastructure we don't allow requests to other domains for security reasons.
Since 5.x of storybook the frontend does requests to https://storybook.js.org/versions.json to notify the user of new releases. This produces error logs in the javascript console.

Describe the solution you'd like
I would like to have a cli switch and/or config parameter to disable this version check.

Describe alternatives you've considered
Maybe is is possible to detect the content security settings in js and don't do the calls if forbidden.
I think this won't be as straight forward and disabling this check could have various other reasons.

Are you able to assist bring the feature to reality?
yes, I can...

Additional context

[shilman]

Hi @alexan, in general we'd like people to run the update check to keep their storybook up to date, and we may also use that for distributing security notices in the future. However in cases like yours it seems reasonable to disable it. Do you think you might be able to add the CLI flag --disable-update-check to turn off the version update?

[backbone87]

imho the version check should be removed from the static build. it does not look very nice, if you present it to your companies other departments.

[ghengeveld]

+1 on removing it from the static build. Makes no sense to show the "upgrade available" notification badge in a production environment.

I also suggest to show the notification only for minor/major releases. With patch releases several times a week it's not feasible to stay up-to-date all the time. Relying on version ranges (^x.x.x) is also not an option, as we don't allow automatic updates, even for patch releases.

[tomspeak]

Would also appreciate this being an optional thing, or possible to have it only in a local dev environment.

[stale]

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

[Haroenv]

I'm also wondering if every patch version needs to be promoted so heavily in the build, especially in a case like this, where 5.0.7 & 5.0.8 are exactly the same

[shilman]

@Haroenv Currently the only thing that should show up in a patch version is a little green circle on the menu. Are you seeing something else?

[Haroenv]

I just realised I didn’t comment on the right issue, but my terminal has “you should update to 5.0.8”, when on 5.0.7

[shilman]

@Haroenv I see -- yeah that's something I could get behind. Will discuss with the team and see what we can do!

[tofran]

While this is not implemented I've made a simple workaround (for the backed side only):

https://gist.github.com/tofran/949060c7e385c66bfb76efa043479028

[stale]

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

[tofran]

I think this is very relevant and should not be closed.
This feature may be used for telemetry purposes. Users should be able to opt-ot from it.

[chrismiceli]

I agree that this should be resolved. I would even further argue off by default, at least until I can find a privacy policy for the data collected from these update checks. This may be a legal issue in some countries.

[stale]

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

[chrismiceli]

Can we get a comment from project maintainers that a PR would even be accepted for this feature before someone invest time into resolving it?

[stale]

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

[chrismiceli]

Ping asking for comment on a whether a PR would be approved or not.

[thibaudcolas]

I would also like to have a way to turn this off. The main reason is that I find the current design of notifications quite obnoxious. Then, also because I wouldn’t use this type of in-app information to keep track of new versions to start with. I also wouldn’t use this for security notices as @shilman suggests – I already use other channels for this as well, that are not specific to Storybook.

Back to the design,

Here is what I don’t like about it:

• It often sits above the main Storybook navigation
• Its "light on dark" theme makes it visually distracting as it stands out a lot compared to the rest of the Storybook UI, and my stories.
• There is no clear indication that it’s clickable (it does not have any of the visual cues of links or buttons), so it took me at least a couple of months of seeing the notification literally all the time, to realise this was something I could click on to make it disappear. I wouldn’t be surprised if there were lots of people in the same situation.
• There is no way to dismiss it without opening the "About" page. Notifications should be dismiss-able without having to trigger what the notification is for to start with.
• The "🎉" and the exclamation mark make it look like this information is something to rejoice about. I think I would appreciate like this kind of tone if I was wanting to keep up with Storybook updates (either opting in to a notification like this, or because I browsed recent updates on the project’s website). But here, while I’m working on my project, this feels more like an ad than anything.

---

There is also the concerns of privacy that @tofran and @chrismiceli have raised. Generally I would expect any kind of "phone home" feature in open-source software to either be disable-able, or opt-in only, regardless of whether it’s actually used for telemetry or not.

From a legal perspective, I think the first obvious source of concern in the EU would be cookie laws – the version check is storing information in the user’s browser, without their consent, and I don’t think this information can be construed to be essential to Storybook being functional. I’m not entirely sure whether this would definitely be illegal or not, but I can see why people would want to disable this check for that reason alone. See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/ if you’re interested in this.

Anyway, I’d be happy to make a PR for this if we can get some guidance from the Storybook team on how they would like to see this implemented – both disabling the version check completely, and improving the design of the notifications if there is some agreement on my concerns above (for example adding a "close" icon on the right-hand side).

[stale]

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

[Kikobeats]

keep this open, my friendly bot

[dan-diaz]

my team is also not very happy with this "update floaty"

[thibaudcolas]

I think the only reason why this is inactive is that we’re waiting for some guidance from the Storybook team that they’re happy to take PRs to disable this in-browser version check, whether that’s via a CLI flag, environment variable, or some other form of configuration.

@shilman you were mentioning discussing this with the wider team a few months ago (#6194 (comment)), is there an update on this?

[shilman]

Yeah we're open to backing off on this. We're in the final stages of getting 5.2 out the door and will prioritize a fix first thing in 5.3.

[wbern]

In the mean time, here's a workaround to hide it.

1. Create manager-head.html in .storybook directory.
2. Put in following contents:

<style type="text/css">
    [href='/?path=/settings/about'] {
        display: none;
    }
</style>

[chrismiceli]

My bigger concern is the phone home telemetry issues, though the popup is annoying as well.

[brenzy]

For the workaround above I needed to add !important for it to work:

<style type="text/css">
    [href='/?path=/settings/about'] {
        display: none !important;
    }
</style>

[raphaellueckl]

How come this issue does not get any attention? Why should our users be informed, that there is a new storybook version, if they don't even have control over the codebase? That we get those messages during development is nice, but that we have to find workarounds to suppress those messages on PROD is kind of weird. Our users often don't even know what "Storybook" is, so this can get even more confusing.

[thibaudcolas]

@raphaellueckl as far as I can see the notifications have been disabled for production builds since v5.0.3 / 5.1.0-alpha.9: UI: Make update notifications much less aggressive (#6143). If you’re running a more recent version than this and still have the notifications that’s likely a bug / unintended.

[raphaellueckl]

Hi @thibaudcolas

Thanks for your response! :)

We are using the following versions (currently wondering why the html package is still 5.0.8):

"@storybook/addon-knobs": "^5.1.9",
"@storybook/addons": "^5.1.9",
"@storybook/html": "^5.0.8",
"@storybook/theming": "^5.1.9",

With "production" I mean the statically files coming npm run build-storybook.

[shilman]

@raphaellueckl coming soon in 5.3. we've been busy shipping 5.2.

[raphaellueckl]

@shilman Cool, thank you guys!

[shilman]

Whoopee!! I just released https://github.com/storybookjs/storybook/releases/tag/v5.3.0-alpha.27 containing PR #8488 that references this issue. Upgrade today to try it out!

You can find this prerelease on the @next NPM tag.

Closing this issue. Please re-open if you think there's still more to do.

[JackHowa]

this worked for me with !important, thanks @brenzy and @wbern

        display: none !important;

[ferdicus]

i know, this is an old issue, however i'd like to ask:
is this also possible as a config option instead of a cli flag?

thanks in advance