
[Bug] vulnerability related to trim #25

Open
JBustin opened this issue Mar 31, 2023 · 1 comment
Labels
bug Something isn't working

Comments


JBustin commented Mar 31, 2023

Describe the bug

Test-runner has a dep vulnerability related to trim 0.0.1
Forcing the use of trim 0.0.3 breaks the storybook build on my side.

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @storybook/[email protected], which is a breaking change
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @storybook/mdx1-csf  *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@storybook/mdx1-csf
        @storybook/csf-tools  6.5.0-alpha.1 - 6.5.17-alpha.0
        Depends on vulnerable versions of @storybook/mdx1-csf
        node_modules/@storybook/csf-tools
          @storybook/test-runner  >=0.0.9--canary.107.1b41303.0
          Depends on vulnerable versions of @storybook/csf-tools
          node_modules/@storybook/test-runner

Environment

  • OS: iOS
  • Node.js version: 16.13.0
  • NPM version: 8.1.0

Additional context

I'm using

"@storybook/vue": "6.5.16",
"@storybook/test-runner": "0.9.4"
@JBustin JBustin added the bug Something isn't working label Mar 31, 2023
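The chain in the audit output above, traced from the machine-readable form (`npm audit --json`, npm 7+ schema) instead of the text report. This is an added example, not code from the issue or from Storybook; the audit object is constructed by hand to mirror the chain shown (the remark-mdx branch is omitted), and the `vulnerabilities[name].via/effects` layout is assumed from the npm 7 JSON format.

```javascript
// Constructed sample mirroring the chain in the report above; not real npm output.
// Schema: `npm audit --json` (npm 7+), vulnerabilities[name] = { severity, range, via, effects }.
const sampleAudit = { vulnerabilities: {
  "trim": { severity: "high", range: "<0.0.3", effects: ["remark-parse"],
    via: [{ name: "trim", title: "Regular Expression Denial of Service in trim",
            url: "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq", severity: "high" }] },
  "remark-parse": { severity: "high", range: "<=8.0.3", via: ["trim"], effects: ["@mdx-js/mdx"] },
  "@mdx-js/mdx": { severity: "high", range: "<=1.6.22", via: ["remark-parse"],
    effects: ["@storybook/mdx1-csf"] },
  "@storybook/mdx1-csf": { severity: "high", range: "*", via: ["@mdx-js/mdx"],
    effects: ["@storybook/csf-tools"] },
  "@storybook/csf-tools": { severity: "high", range: "6.5.0-alpha.1 - 6.5.17-alpha.0",
    via: ["@storybook/mdx1-csf"], effects: ["@storybook/test-runner"] },
  "@storybook/test-runner": { severity: "high", range: ">=0.0.9--canary.107.1b41303.0",
    via: ["@storybook/csf-tools"], effects: [] },
} };

// A `via` entry that is an object is an advisory; a string is just another
// vulnerable package. Only entries carrying an advisory object are real findings.
function rootAdvisories(audit) {
  return Object.entries(audit.vulnerabilities)
    .filter(([, v]) => v.via.some((x) => typeof x === "object"))
    .map(([name, v]) => ({ name, severity: v.severity, range: v.range,
      advisories: v.via.filter((x) => typeof x === "object") }));
}

// Follow `effects` from `name` down to the packages nothing else depends on
// (here @storybook/test-runner). Returns every path as an array of names;
// `seen` stops the recursion if the audit graph contains a cycle.
function effectChains(audit, name, seen = new Set()) {
  const entry = audit.vulnerabilities[name];
  if (!entry || seen.has(name) || entry.effects.length === 0) return [[name]];
  const next = new Set(seen).add(name);
  return entry.effects.flatMap((e) =>
    effectChains(audit, e, next).map((path) => [name, ...path]));
}

// One record per root advisory with the chain(s) it reaches, so a report like
// the one above can be attributed to its true source (trim, not test-runner).
function summarize(audit) {
  return rootAdvisories(audit).map((r) => ({
    ...r, chains: effectChains(audit, r.name).map((p) => p.join(" > ")) }));
}

console.log(JSON.stringify(summarize(sampleAudit), null, 2));
```

With real data, replace `sampleAudit` with the parsed output of `npm audit --json`; the functions only rely on the `via` and `effects` fields.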
yannbf (Member) commented Apr 21, 2023

Hey there! Thanks for opening an issue, but I believe it doesn't have anything to do with the test-runner. It has to do with your @storybook/mdx1-csf dependency. I believe you won't have this issue if you migrate to Storybook 7, in which we focused on fixing every security issue, given that lots of them were related to mdx1.

I'll be moving this issue to the correct repo!

cc @shilman

@yannbf yannbf transferred this issue from storybookjs/test-runner Apr 21, 2023