regen lockfile #26

ndelangen · 2023-04-26T09:33:23Z

Issue: #

What Changed

How to test

Change Type

📦 Published PR as canary version: 1.0.1--canary.26.47c2c44.0

✨ Test out this PR locally via:

npm install @storybook/[email protected]
# or 
yarn add @storybook/[email protected]

Version

Published prerelease version: v1.0.1-next.0

Changelog

🚀 Enhancement

regen lockfile #26 (@ndelangen)

Authors: 1

Norbert de Langen (@ndelangen)

socket-security · 2023-04-26T09:35:58Z

New dependency changes detected. Learn more about Socket for GitHub ↗︎

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore @storybook/[email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore @storybook/[email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore @storybook/[email protected]
@SocketSecurity ignore @storybook/[email protected]
@SocketSecurity ignore @storybook/[email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore @storybook/[email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]
@SocketSecurity ignore [email protected]

😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name

Package	Bin script	Source
@storybook/[email protected] (added)	`sb`	`package.json` via [email protected]
[email protected] (added)	`sb`	`package.json`

⚠️ Shell access

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Package	Module	Location	Source
@storybook/[email protected] (added)	child_process	dist/generate.js	`package.json` via [email protected]
@storybook/[email protected] (added)	child_process	dist/index.js	`package.json` via [email protected]
@storybook/[email protected] (added)	child_process	dist/index.mjs	`package.json` via [email protected]
[email protected] (added)	child_process	lib/address.js	`package.json` via [email protected]
[email protected] (added)	child_process	dist/index.js	`package.json` via [email protected]
[email protected] (added)	child_process	index.js	`package.json` via [email protected]
[email protected] (added)	child_process	index.js	`package.json` via [email protected]
[email protected] (added)	child_process	lib/Launcher.js	`package.json` via [email protected]

⚠️ Uses eval

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

Package	Eval Type	Location	Source
@storybook/[email protected] (added)	Function	dist/index.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/formatter-S4K5WUZV-X2U232II.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/formatter-S4K5WUZV-X2U232II.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	Function	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.mjs	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.mjs	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.mjs	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.mjs	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	Function	dist/runtime.mjs	`package.json` via @storybook/[email protected]
[email protected] (added)	Function	dist/node.js	`package.json` via @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], @storybook/[email protected], [email protected]
[email protected] (added)	Function	lib/Browser.js	`package.json` via [email protected]
[email protected] (added)	Function	lib/DOMWorld.js	`package.json` via [email protected]
[email protected] (added)	Function	lib/ExecutionContext.js	`package.json` via [email protected]
[email protected] (added)	Function	lib/ExecutionContext.js	`package.json` via [email protected]
@storybook/[email protected] (added)	eval	dist/index.js	`package.json` via @storybook/[email protected], [email protected]
@storybook/[email protected] (added)	eval	dist/index.js	`package.json` via @storybook/[email protected], [email protected]
@storybook/[email protected] (added)	eval	dist/index.js	`package.json` via @storybook/[email protected], [email protected]
@storybook/[email protected] (added)	eval	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	eval	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	eval	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	eval	dist/chunk-KMFUW75Z.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	eval	dist/OverlayScrollbars-VAV6LJAB-ZCK6WCDR.mjs	`package.json` via [email protected]
@storybook/[email protected] (added)	eval	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	eval	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	eval	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	eval	dist/runtime.js	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	eval	dist/runtime.mjs	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	eval	dist/runtime.mjs	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	eval	dist/runtime.mjs	`package.json` via @storybook/[email protected]
@storybook/[email protected] (added)	eval	dist/runtime.mjs	`package.json` via @storybook/[email protected]
[email protected] (upgraded)	eval	dist/bundle.min.js	`package.json` via @storybook/[email protected], [email protected]
[email protected] (upgraded)	eval	lib/propmangle.js	`package.json` via @storybook/[email protected], [email protected]

⚠️ New author

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Package	New Author	Previous Author	Source
[email protected] (added)	hanselfmu	mathias	`package.json` via [email protected]
[email protected] (upgraded)	evilebottnawi	jantimon	`package.json` via @storybook/[email protected]
[email protected] (added)	lukechilds	goto-bus-stop	`package.json` via @storybook/[email protected], [email protected]

Pull request alert summary

Issue	Status
Install scripts	✅ 0 issues
Native code	✅ 0 issues
Bin script confusion	⚠️ 2 issues
Bin script shell injection	✅ 0 issues
Shell access	⚠️ 8 issues
Uses eval	⚠️ 43 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
GitHub dependency	✅ 0 issues
New author	⚠️ 3 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

📊 Modified Dependency Overview:

➕ Added Package	Capability Access	`+/-` Transitive Count	Publisher
[email protected]	None	`+192`	shilman

⬆️ Updated Package	Version Diff	Added Capability Access	`+/-` Transitive Count	Publisher
[email protected]	4.9.4...4.9.5	None	`+0/-0`	typescript-bot
@storybook/[email protected]	7.0.0...7.0.7	None	`+117/-111`	shilman
@storybook/[email protected]	0.0.14-next.1...0.0.14-next.2	network	`+20/-54`	yannbf
@storybook/[email protected]	7.0.0...7.0.7	network	`+16/-53`	shilman
@storybook/[email protected]	7.0.0...7.0.7	network	`+19/-55`	shilman
[email protected]	6.5.0...6.7.0	environment	`+31/-37`	egoist
[email protected]	10.37.6...10.46.0	None	`+12/-20`	alisowski
@storybook/[email protected]	7.0.0...7.0.7	network	`+69/-79`	shilman
@types/[email protected]	4.14.191...4.14.194	None	`+0/-0`	types
@storybook/[email protected]	7.0.0...7.0.7	None	`+109/-140`	shilman
@storybook/[email protected]	7.0.0...7.0.7	network	`+76/-74`	shilman
[email protected]	2.8.3...2.8.8	None	`+0/-0`	prettier-bot

🚮 Removed packages: @babel/[email protected], @babel/[email protected], @babel/[email protected], @babel/[email protected], @babel/[email protected], @babel/[email protected], @types/[email protected], [email protected]

regen lockfile

47c2c44

ndelangen requested review from shilman and valentinpalkovic April 26, 2023 09:35

ndelangen self-assigned this Apr 26, 2023

valentinpalkovic approved these changes Apr 26, 2023

View reviewed changes

ndelangen added the minor Increment the minor version when merged label Apr 26, 2023

ndelangen merged commit 00095bd into next Apr 26, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

regen lockfile #26

regen lockfile #26

ndelangen commented Apr 26, 2023 •

edited by github-actions bot

Loading

socket-security bot commented Apr 26, 2023

regen lockfile #26

regen lockfile #26

Conversation

ndelangen commented Apr 26, 2023 • edited by github-actions bot Loading

What Changed

How to test

Change Type

Version

🚀 Enhancement

Authors: 1

socket-security bot commented Apr 26, 2023

ndelangen commented Apr 26, 2023 •

edited by github-actions bot

Loading