glob-parent Security Vulnerability #15174
Comments
|
Recommendation is for |
|
Yowza!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-alpha.20 containing PR #15399 that references this issue. Upgrade today to the Closing this issue. Please re-open if you think there's still more to do. |
|
This did fix a bunch of them, but a few remain, after running However - cpy needs updating: sindresorhus/cpy#87 |
|
@shilman please re-open this as it is still an issue. |
Unfortunately we can't do them all. * storybook still has some deps. One they [removed in "next"][2]. Another is still there. Plus it has some webpack 4 deps it seemingly doesn't actually use. * `gulp` devs [actively refuse to update dependencies][3] when they believe they're not hitting the vulnerability, apparently as protest against `npm audit` which they consider "broken". [2]: storybookjs/storybook#15174 [3]: gulpjs/glob-stream#108
|
Huzzah!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.0-alpha.33 containing PR #15953 that references this issue. Upgrade today to the Closing this issue. Please re-open if you think there's still more to do. |
|
Issues still present - v8.1.2 doesn't resolve the warnings from cpy, we will have to wait for their next release |
Clean up JS dependencies, mainly those complained about by `pnpm audit`.
* Remove unneeded pnpm.overrides.
* `@automattic/calypso-build` no longer depends on `node-sass`.
* Nothing we depend on depends on `terser-webpack-plugin` 2.3.1 anymore.
And fix syntax for a few others. Looks like pnpm 6.10.2 broke the syntax
we were using before.
* Update browserslist.
Add an override for `react-dev-utils` which unnecessarily depends on a
specific version instead of allowing updates.
* Update cheerio.
New version fixes dep on vulnerable `css-what`.
* Update tar.
* Update postcss.
Only the 7.0.35 deps needed updating for vulnerabilities, but may as
well do the 8.2.15 too.
* Update path-parse.
* Add override for trim@0.0.1.
`@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to
fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.
* Upgrade copy-webpack-plugin.
Depends on a vulnerable version of glob-parent.
* Update glob-parent where we can.
Unfortunately we can't do them all.
* storybook still has some deps. One they [removed in "next"][2].
Another is still there. Plus it has some webpack 4 deps it seemingly
doesn't actually use.
* `gulp` devs [actively refuse to update dependencies][3] when they
believe they're not hitting the vulnerability, apparently as protest
against `npm audit` which they consider "broken".
[1]: mdx-js/mdx#1553
[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108
Clean up JS dependencies, mainly those complained about by `pnpm audit`.
* Remove unneeded pnpm.overrides.
* `@automattic/calypso-build` no longer depends on `node-sass`.
* Nothing we depend on depends on `terser-webpack-plugin` 2.3.1 anymore.
And fix syntax for a few others. Looks like pnpm 6.10.2 broke the syntax
we were using before.
* Update browserslist.
Add an override for `react-dev-utils` which unnecessarily depends on a
specific version instead of allowing updates.
* Update cheerio.
New version fixes dep on vulnerable `css-what`.
* Update tar.
* Update postcss.
Only the 7.0.35 deps needed updating for vulnerabilities, but may as
well do the 8.2.15 too.
* Update path-parse.
* Add override for trim@0.0.1.
`@storybook/csf-tools` depends on `@mdx-js/mdx`, which is [refusing to
fix the old dep in its 1.x branch][1] and hasn't released 2.0 yet.
* Upgrade copy-webpack-plugin.
Depends on a vulnerable version of glob-parent.
* Update glob-parent where we can.
Unfortunately we can't do them all.
* storybook still has some deps. One they [removed in "next"][2].
Another is still there. Plus it has some webpack 4 deps it seemingly
doesn't actually use.
* `gulp` devs [actively refuse to update dependencies][3] when they
believe they're not hitting the vulnerability, apparently as protest
against `npm audit` which they consider "broken".
[1]: mdx-js/mdx#1553
[2]: storybookjs/storybook#15174
[3]: gulpjs/glob-stream#108
Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/1190571780
|
After I've replaced addon-knobs with addon-controls this issue appeared. I'm using: |
|
pls |
Prompted by Dependabot false positive Security vulnerabilities of dev build tools RN Storybook v5.3 - Remove old /storybook config - Keep old /stories for now RN Storybook v6 - Setup in .storybook for now - Add minimal config w/o stories for now Jest setup mocks - Remove stale RN mocks - Add new RN Storybook mocks - Doc @storybook/addon-ondevice-notes/register parsing issue - Doc @storybook/addon-actions ES forEach proto parsing issue Metro - Config resolver for modern storybook build, vs polyfilled versions - Keep inlineRequires optimisation on, disable later if blocking App - Update gitignore with Storybook - Update app Storybook require to import with new path - Add react-native-slider and RNDateTimePicker pods - Add get-stories script to codegen storybook.requires.js - Update RNCAsyncStorage pod - Remove deprecated @react-native-community/async-storage later and update Reactotron config Relevant Dependabot Security alerts - Upgrading Storybook should clear some, resolve remaining after - browserslist: storybookjs/storybook#15173 - glob-parent : storybookjs/storybook#15174 - Vulnerabilities: storybookjs/storybook#16063 - immer: storybookjs/storybook#16093 - immer: storybookjs/storybook#16556 storybookjs/react-native#240 - Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far
Prompted by Dependabot false positive Security vulnerabilities of dev build tools RN Storybook v5.3 - Remove old /storybook config - Keep old /stories for now RN Storybook v6 - Setup in .storybook for now - Add minimal config w/o stories for now Jest setup mocks - Remove stale RN mocks - Add new RN Storybook mocks - Doc @storybook/addon-ondevice-notes/register parsing issue - Doc @storybook/addon-actions ES forEach proto parsing issue Metro - Config resolver for modern storybook build, vs polyfilled versions - Keep inlineRequires optimisation on, disable later if blocking App - Update gitignore with Storybook - Update app Storybook require to import with new path - Add react-native-slider and RNDateTimePicker pods - Add get-stories script to codegen storybook.requires.js - Update RNCAsyncStorage pod - Remove deprecated @react-native-community/async-storage later and update Reactotron config Relevant Dependabot Security alerts - Upgrading Storybook should clear some, resolve remaining after - browserslist: storybookjs/storybook#15173 - glob-parent : storybookjs/storybook#15174 - Vulnerabilities: storybookjs/storybook#16063 - immer: storybookjs/storybook#16093 - immer: storybookjs/storybook#16556 storybookjs/react-native#240 - Old v5.3 warnings no longer present, in this v6 no-stories but with addons upgrade so far After figured @storybook/addon-ondevice-notes/register Jest parsing issue - Add generated storybook.requires.js to gitignore - Add prestart script to get-stories first Consider splitting/decoupling App/Storybook Jest parsing - env var with dynamic import - npm workspaces / lerna - multiple modules
|
After updating to
|
|
@dgarciasarai the same issue can someone from the storybook team take a look |
|
Hello! |
|
If you look at the dependency tree, this is an issue with Webpack4. The plan is to make Webpack4 optional starting in Storybook 7.0, which will come out later this year. At that point, this failing check should go away. |
|
@shilman |
|
I guess the issue is not that big, but I wish |
|
When I looked at this again yesterday, |
|
Olé!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-alpha.7 containing PR #18497 that references this issue. Upgrade today to the Closing this issue. Please re-open if you think there's still more to do. |
I just followed this, and now storybook no longer runs I have cleared the cache and deleted and reinstalled node_modules, has something changed? |
OK - there are migration notes I need to read : ) |
Describe the bug
NPM Advisory 1751
You are dependent on an insecure version of
glob-parent.To Reproduce
Run
npm auditSystem
Additional context
The text was updated successfully, but these errors were encountered: