
A vulnerability CVE-2020-28469 is introduced in your package #15830

Closed
ayaka-kms opened this issue Aug 12, 2021 · 7 comments

Comments

@ayaka-kms

Hi, a vulnerability CVE-2020-28469 is introduced in @storybook/core-common@6.3.7 via:
● @storybook/core-common@6.3.7 ➔ glob-base@0.3.0 ➔ glob-parent@2.0.0

However, glob-base is a legacy package, which has not been maintained for about 6 years.
Is it possible to migrate glob-base to another package or remove it to remediate this vulnerability?

I noticed a migration record in relevant js repo for glob-base:

● in @storybook/core, version 6.1.21 ➔ 6.2.0-beta.0, remove glob-base via commit

Thanks.

@shilman
Member

shilman commented Aug 12, 2021

Try upgrading to the latest prerelease:

npx sb@next upgrade --prerelease

Does that fix it?

@marcinincreo

No, this does not fix it.

@stof
Contributor

stof commented Oct 29, 2021

#15399 removes the glob-base dependency entirely in 6.4.0-alpha.20, not in 6.2.0-beta.0, so it is expected that 6.3.7 does not have the fix.

@stof
Contributor

stof commented Dec 3, 2021

Closing this as Storybook 6.4 has been released.

@stof stof closed this as completed Dec 3, 2021
@mheob

mheob commented Dec 3, 2021

For me, this still seems to be an issue:

From GitHub Security:

@storybook/addon-essentials@6.4.4 requires glob-parent@^3.1.0 via a transitive dependency on fast-glob@2.2.7
@storybook/react@6.4.4 requires glob-parent@^3.1.0 via a transitive dependency on fast-glob@2.2.7


Or from my terminal:

yarn why glob-parent
yarn why v1.22.15
[1/4] 🤔  Why do we have the module "glob-parent"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "glob-parent@5.1.2"
info Has been hoisted to "glob-parent"
info Reasons this module exists
   - Hoisted from "fast-glob#glob-parent"
   - Hoisted from "eslint#glob-parent"
   - Hoisted from "chokidar#glob-parent"
   - Hoisted from "next#chokidar#glob-parent"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "48KB"
info Disk size with transitive dependencies: "64KB"
info Number of shared dependencies: 2
=> Found "copy-webpack-plugin#glob-parent@6.0.2"
info This module exists because "@nrwl#web#copy-webpack-plugin" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "40KB"
info Disk size with transitive dependencies: "56KB"
info Number of shared dependencies: 2
=> Found "watchpack-chokidar2#glob-parent@3.1.0"
info Reasons this module exists
   - "webpack#watchpack#watchpack-chokidar2#chokidar" depends on it
   - Hoisted from "webpack#watchpack#watchpack-chokidar2#chokidar#glob-parent"
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "80KB"
info Disk size with transitive dependencies: "96KB"
info Number of shared dependencies: 3
=> Found "cpy#glob-parent@3.1.0"
info Reasons this module exists
   - "@storybook#react#@storybook#core#@storybook#core-server#cpy#globby#fast-glob" depends on it
   - Hoisted from "@storybook#react#@storybook#core#@storybook#core-server#cpy#globby#fast-glob#glob-parent"
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "80KB"
info Disk size with transitive dependencies: "96KB"
info Number of shared dependencies: 3
✨  Done in 1.00s.

Edit:

The problematic package seems to be cpy@^8.1.2 in @storybook/core-server. See: sindresorhus/cpy#98
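An added example, not code from this thread or from the Storybook project: it parses `yarn why` output like the listing above and flags nested copies of glob-parent that are older than the patched release, showing that a patched hoisted copy (5.1.2 here) does not protect the nested 3.1.0 copies pulled in via cpy. It assumes, per the advisory for CVE-2020-28469, that glob-parent releases before 5.1.2 are affected, and the sample input is a constructed excerpt of the output quoted in this comment.

```python
import re

# Constructed sample: an excerpt of the `yarn why glob-parent` output quoted above.
YARN_WHY_OUTPUT = """\
=> Found "glob-parent@5.1.2"
info Has been hoisted to "glob-parent"
info Reasons this module exists
   - Hoisted from "fast-glob#glob-parent"
   - Hoisted from "chokidar#glob-parent"
=> Found "copy-webpack-plugin#glob-parent@6.0.2"
info This module exists because "@nrwl#web#copy-webpack-plugin" depends on it.
=> Found "watchpack-chokidar2#glob-parent@3.1.0"
info Reasons this module exists
   - "webpack#watchpack#watchpack-chokidar2#chokidar" depends on it
=> Found "cpy#glob-parent@3.1.0"
info Reasons this module exists
   - "@storybook#react#@storybook#core#@storybook#core-server#cpy#globby#fast-glob" depends on it
"""

# Assumption (from the CVE-2020-28469 advisory): releases below 5.1.2 are affected.
FIXED_VERSION = (5, 1, 2)

# "=> Found" lines give the install path (nesting shown with '#') and the exact version.
FOUND_RE = re.compile(r'^=> Found "(?P<path>.+)@(?P<version>\d+\.\d+\.\d+)"$')
# Reason lines name the dependency chain that pulls this copy in.
REASON_RE = re.compile(
    r'^\s+- "(?P<chain>[^"]+)" depends on it$'
    r'|^info This module exists because "(?P<chain2>[^"]+)"'
)


def parse_version(version: str) -> tuple:
    """Turn 'x.y.z' into a comparable integer tuple."""
    return tuple(int(part) for part in version.split("."))


def parse_yarn_why(text: str) -> list:
    """Return [(install_path, version, [dependency chains])] for every copy yarn reports."""
    entries = []
    for line in text.splitlines():
        found = FOUND_RE.match(line)
        if found:
            entries.append((found.group("path"), found.group("version"), []))
            continue
        reason = REASON_RE.match(line)
        if reason and entries:
            entries[-1][2].append(reason.group("chain") or reason.group("chain2"))
    return entries


def vulnerable_copies(text: str, fixed: tuple = FIXED_VERSION) -> list:
    """Copies below the fixed version; a patched hoisted copy does not fix nested ones."""
    return [(p, v, chains) for p, v, chains in parse_yarn_why(text) if parse_version(v) < fixed]
```

Running `vulnerable_copies` over real `yarn why` output points straight at the dependency chain (here the cpy → globby → fast-glob path) that has to publish an update before the alert clears.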

@stof
Contributor

stof commented Dec 3, 2021

This ticket asks about removing glob-base, not glob-parent. That's why I closed it.

@mheob

mheob commented Dec 3, 2021

The issue creator made a little mistake. The mentioned CVE-2020-28469 belongs to the glob-parent package.

But as I edited my comment, the dependency update has to be published in the cpy package. This way, people looking for the CVE number at least get the hint where the error comes from and why it hasn't been fixed yet.
