Vulnerability error of unused vue-docgen-api dependency #10193

Closed
barakyosi opened this issue Mar 23, 2020 · 3 comments

@barakyosi

Describe the bug
I'm getting a vulnerability warning for acorn@3.3.0.

Running yarn why acorn returns:

=> Found "with#acorn@3.3.0"
info This module exists because "_project_#@storybook#addon-docs#vue-docgen-api#pug#pug-code-gen#with" depends on it.

I'm using React in my project, so I'm not sure whether vue-docgen-api is really needed as a dependency in my project.

Saw a similar issue with a different package:
#8936
Feel free to close this issue if you feel we can continue the discussion there.

The official issue:
https://www.npmjs.com/advisories/1488

Disclaimer - I don't think that the security issue would actually affect anything here, but removing unneeded packages could help.

To Reproduce
Setup Storybook with addon-docs with a different framework (e.g. React)

Expected behavior
Either fix the vulnerability or remove vue-docgen-api dependency.

System:

  System:
    OS: macOS Mojave 10.14.6
    CPU: (8) x64 Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
  Binaries:
    Node: 10.16.0 - ~/.nvm/versions/node/v10.16.0/bin/node
    Yarn: 1.9.4 - /usr/local/bin/yarn
    npm: 6.13.4 - ~/.nvm/versions/node/v10.16.0/bin/npm
  Browsers:
    Chrome: 80.0.3987.149
    Firefox: 73.0.1
    Safari: 13.0.5
  npmPackages:
    @storybook/addon-a11y: 5.3.17 => 5.3.17
    @storybook/addon-actions: 5.3.17 => 5.3.17
    @storybook/addon-backgrounds: 5.3.17 => 5.3.17
    @storybook/addon-console: ^1.2.1 => 1.2.1
    @storybook/addon-docs: 5.3.17 => 5.3.17
    @storybook/addon-events: 5.3.17 => 5.3.17
    @storybook/addon-knobs: 5.3.17 => 5.3.17
    @storybook/addon-links: 5.3.17 => 5.3.17
    @storybook/addon-options: 5.3.17 => 5.3.17
    @storybook/addon-storysource: ^5.3.13 => 5.3.17
    @storybook/addons: 5.3.17 => 5.3.17
    @storybook/client-logger: 5.3.17 => 5.3.17
    @storybook/react: 5.3.17 => 5.3.17
    @storybook/theming: 5.3.17 => 5.3.17

@warunikar

I'm also getting a security vulnerability warning for the nested dependency acorn in @storybook/addon-actions. The react-inspector dependency doesn't seem to be up to date, which is causing this warning.

@stale

stale bot commented Apr 28, 2020

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

@stale stale bot added the inactive label Apr 28, 2020
@stale

stale bot commented May 30, 2020

Hey there, it's me again! I am going to close this issue to help our maintainers focus on the current development roadmap instead. If the issue mentioned is still a concern, please open a new ticket and mention this old one. Cheers and thanks for using Storybook!

@stale stale bot closed this as completed May 30, 2020