Fix for security issues in Snyk #18713

Closed
nandeshwarshubh opened this issue Jul 14, 2022 · 12 comments

@nandeshwarshubh

Hi,

There are certain issues which were reported in Snyk for @storybook-react. Is there a roadmap to update the following dependencies and fix the issues?

Snyk @storybook-react issues

R-Lek commented Jul 27, 2022

Same here.
We've updated to Storybook 6.5.9 this week but the same vulnerabilities mentioned by @nandeshwarshubh were reported by Snyk as well.

https://snyk.io/test/npm/storybook/6.5.9

shilman (Member) commented Jul 27, 2022

All of the fixes are breaking changes so we will include them in 7.0

@nandeshwarshubh (Author)

One more issue identified:

Regular Expression Denial of Service (ReDoS) - @storybook/[email protected] › @storybook/[email protected] › @storybook/[email protected][email protected]

R-Lek commented Aug 10, 2022

All of the fixes are breaking changes so we will include them in 7.0

Do you have a release schedule or an estimate when Storybook 7 will be released? I can't seem to find it myself.

velsonjr commented Nov 14, 2022

Upgrading to 6.5.13 still has issues in the packages below:

  • ansi-regex, Regular Expression Denial of Service (ReDoS)
  • trim, Regular Expression Denial of Service (ReDoS)
  • loader-utils, Prototype Pollution
  • trim-newlines, Denial of Service (DoS)
  • unset-value, Prototype Pollution
  • glob-parent, Regular Expression Denial of Service (ReDoS)
  • loader-utils, Regular Expression Denial of Service (ReDoS)

Any timeline for this?

@mtorre4580-peya

For a few dependencies I use resolutions from yarn to force the new version with the fix, but it has the disadvantage that it may break something.

https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/
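The yarn selective-version-resolutions approach from the comment above, as an added example (not from the thread or the Storybook project), applied to the transitive packages named in this thread. Version strings are placeholders to be replaced with the fixed version reported by Snyk for each advisory; pinning within the same major as the version currently in yarn.lock keeps the breakage risk the comment mentions low.

```json
{
  "name": "my-app",
  "devDependencies": {
    "@storybook/react": "6.5.13"
  },
  "resolutions": {
    "**/glob-parent": "<FIXED-VERSION-FROM-ADVISORY>",
    "**/trim-newlines": "<FIXED-VERSION-FROM-ADVISORY>",
    "**/loader-utils": "<FIXED-VERSION-FROM-ADVISORY>",
    "**/unset-value": "<FIXED-VERSION-FROM-ADVISORY>"
  }
}
```

After `yarn install`, `yarn why glob-parent` shows which package pulls each entry in and confirms that only the resolved version remains in yarn.lock; rerun Storybook's build to catch anything the forced version breaks.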

apalski commented Dec 30, 2022

Three more issues for V7 please:

  • minimatch ReDoS vulnerability through glob CVE-2022-3517
  • terser insecure use of regular expressions CVE-2022-25858
  • Inefficient Regular Expression Complexity in nth-check through css-select CVE-2021-3803

IanVS (Member) commented Dec 30, 2022

Would anyone be willing to dig in and help out by submitting pull requests?

Please do keep in mind that just because a CVE exists for a particular dependency does not mean that Storybook is using it in a way that makes it vulnerable, or that your use of Storybook opens you up to vulnerabilities. Most of these CVEs are geared towards folks using Node.js backends, in which case external users can sometimes cause problems. Storybook is a development tool and has different considerations.

That said, I know some companies are very strict about "no reported vulnerabilities" without taking the nuance into account, and we'd like to make sure dependencies are up to date regardless.

@alexgleason

That said, I know some companies are very strict about "no reported vulnerabilities" without taking the nuance into account, and we'd like to make sure dependencies are up to date regardless.

The main problem is that if a real vulnerability comes in, it becomes buried in the security report.

@alexgleason

Would anyone be willing to dig in and help out by submitting pull requests?

Why not just set up dependabot on this repo?

shilman (Member) commented Feb 5, 2023

@alexgleason dependabot sends about 5 updates per day. @ndelangen has looked at this and spoken with the dependabot team. I hope we can figure out a less noisy process for fixing security issues as they come in. Agree this is super important.

@vanessayuenn vanessayuenn self-assigned this Feb 21, 2023
@vanessayuenn vanessayuenn moved this from Required for RC to Required for GA in Core Team Projects Feb 22, 2023
@vanessayuenn (Contributor)

Closing this issue; all fixable issues in the Snyk reports have already been addressed in the latest version of Storybook.

There is still one report remaining with the vulnerability trim, which is introduced via MDX1 (@storybook/[email protected] › @mdx-js/[email protected][email protected][email protected]). This is a known issue and a good reason to migrate to MDX2, but we have decided to allow opt-in MDX1 support to ease the transition (see #20145), therefore keeping this dependency.

@github-project-automation github-project-automation bot moved this from Required for GA to Done in Core Team Projects Feb 28, 2023