
npm audit fix fails with severity high because of dependency markdown-to-jsx #10871

Closed
wschaef opened this issue May 22, 2020 · 6 comments

Comments

@wschaef

wschaef commented May 22, 2020

Describe the bug
Result of npm audit

  High            Cross-Site Scripting
  Package         markdown-to-jsx
  Patched in      No patch available
  Dependency of   @storybook/html [dev]
  Path            @storybook/html > @storybook/core > @storybook/ui >
                  markdown-to-jsx
  More info       https://npmjs.com/advisories/1219

To Reproduce
Steps to reproduce the behavior:

  1. npm install @storybook/html --save-dev
  2. npm audit fix
  3. See error

Additional context
Even if it is a static content deployment at the end, it is still relevant if any other systems are available by the same domain.
Currently this issue is a show-stopper for all public-facing installations.
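The audit finding above, where the only path to the flagged package runs through a dev dependency and no patch exists, is the case a CI gate has to handle deliberately. The following is an added example, not code from this issue, Storybook or npm, that triages an `npm audit --json` report; it assumes the npm 6 report shape (an `advisories` map whose entries carry `module_name`, `severity`, `patched_versions`, `url` and `findings[]` with `paths` and a `dev` flag) and uses constructed sample data.

```javascript
// Added example (not code from Storybook, npm or the advisory): triage an `npm audit --json`
// report so a CI gate separates dev-only findings with no patch (this issue's case) from
// findings that are production-reachable or already fixable. Assumed npm 6 report shape:
// `advisories` map; entries have `module_name`, `severity`, `patched_versions`, `url`,
// and `findings[]` with `paths` and a `dev` flag. All data below is constructed.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function triageAdvisory(adv) {
  // npm 6 emits "<0.0.0" as patched_versions when no fixed release exists.
  const patchAvailable = adv.patched_versions !== "<0.0.0";
  const devOnly = adv.findings.length > 0 && adv.findings.every((f) => f.dev === true);
  const paths = adv.findings.flatMap((f) => f.paths);
  let action;
  if (patchAvailable) action = "upgrade";   // `npm audit fix` or a manual bump resolves it
  else if (devOnly) action = "track";       // never shipped to users; watch the advisory
  else action = "mitigate";                 // reachable at runtime, no fix: pin, replace or remove
  return { id: adv.id, module: adv.module_name, severity: adv.severity, url: adv.url,
           patchAvailable, devOnly, paths, action };
}

// Keep only advisories at or above the severity threshold (default: high, as in this issue).
function triageReport(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.advisories || {})
    .filter((adv) => (SEVERITY_RANK[adv.severity] ?? 0) >= min)
    .map(triageAdvisory);
}

// Fail the build only for findings that need a change now (prod-reachable or patchable);
// a dev-only finding with no patch is reported for follow-up rather than blocking the pipeline.
function shouldFailBuild(report, threshold = "high") {
  return triageReport(report, threshold).some((t) => t.action !== "track");
}

// Constructed sample report: the finding from this issue plus a fictional runtime advisory.
const sampleReport = {
  advisories: {
    "1219": { id: 1219, module_name: "markdown-to-jsx", title: "Cross-Site Scripting",
      severity: "high", url: "https://npmjs.com/advisories/1219", patched_versions: "<0.0.0",
      findings: [{ version: "6.11.4", dev: true,
        paths: ["@storybook/html>@storybook/core>@storybook/ui>markdown-to-jsx"] }] },
    "99999": { id: 99999, module_name: "example-runtime-lib", title: "Prototype Pollution",
      severity: "high", url: "https://example.invalid/advisories/99999", patched_versions: ">=2.0.1",
      findings: [{ version: "2.0.0", dev: false, paths: ["my-app-dep>example-runtime-lib"] }] },
  },
};

for (const t of triageReport(sampleReport)) {
  console.log(`${t.severity.toUpperCase()} ${t.module} -> ${t.action} (${t.paths.join(", ")})`);
}
```

On the constructed report the Storybook finding is classified `track` (dev-only, unpatchable) while the fictional runtime advisory is `upgrade`, so `shouldFailBuild` returns true only because of the latter.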

@shilman
Member

shilman commented May 22, 2020

Yowza!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.0.0-beta.13 containing PR #10873 that references this issue. Upgrade today to try it out!

You can find this prerelease on the @next NPM tag.

Closing this issue. Please re-open if you think there's still more to do.

@shilman
Member

shilman commented May 24, 2020

Yippee!! I just released https://github.com/storybookjs/storybook/releases/tag/v5.3.19 containing PR #10873 that references this issue. Upgrade today to try it out!

@merlinstardust

merlinstardust commented May 24, 2020

I'm still seeing this as an issue in 5.3.19 even after uninstalling and reinstalling @storybook/react. Both @storybook/ui and @storybook/components depend on this and it's still causing a vulnerability.

And looking at the link provided by npm audit, it says there is no fix available and that this still affects 6.11.4. It seems that the only way to fix it would be to downgrade the version of markdown-to-jsx.

@shilman shilman reopened this May 25, 2020
@shilman
Member

shilman commented May 25, 2020

Looks like markdown-to-jsx is on it: quantizor/markdown-to-jsx#306

Will upgrade when ready

@shilman shilman self-assigned this May 25, 2020
@msvivianso

Looks like the fix in v6.11.4 from markdown-to-jsx has been whitelisted from the vulnerability advisory.

@shilman
Member

shilman commented May 27, 2020

@msvivianso thanks so much for letting me know. 🙏 closing!

@shilman shilman closed this as completed May 27, 2020