There's a (major?) NPM security incident that caused malicious code to be shipped with specific versions of several common NPM packages: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
The attack is apparently targeted at crypto transactions, so the threat seems low for us(?). Still, it may make sense to take short-term steps against this:
Suggested steps (quick fix)
1. Remove version caret symbols: In components/components/package.json, remove all ^ symbols from package version numbers to pin exact versions.
2. Remove previously installed dependencies: Delete both package-lock.json and the node_modules folder.
3. Reinstall dependencies: Run npm install to reinstall all packages with the exact pinned versions.
4. Verify the project still works: Check storybook.
5. Create new release: Make a new patch release of the components package with the pinned dependencies.