High vulnerabilities with glob-parent, trim and trim-newlines #17142

Closed
othierry-asi opened this issue Jan 6, 2022 · 2 comments


@othierry-asi

Hi,

I have a project with the very latest Storybook, but I have high vulnerabilities with glob-parent, trim and trim-newlines.

Here is the npm audit report:

# npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @storybook/addon-essentials@5.3.21, which is a breaking change
node_modules/cpy/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/webpack/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/cpy/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/cpy/node_modules/globby
      cpy  >=7.0.0
      Depends on vulnerable versions of globby
      node_modules/cpy
        @storybook/core-server  *
        Depends on vulnerable versions of @storybook/csf-tools
        Depends on vulnerable versions of cpy
        node_modules/@storybook/core-server
          @storybook/core  >=6.2.0-alpha.0
          Depends on vulnerable versions of @storybook/core-server
          node_modules/@storybook/core
            @storybook/addon-docs  *
            Depends on vulnerable versions of @mdx-js/mdx
            Depends on vulnerable versions of @storybook/core
            Depends on vulnerable versions of @storybook/csf-tools
            Depends on vulnerable versions of @storybook/react
            node_modules/@storybook/addon-docs
              @storybook/addon-essentials  <=5.3.0-rc.14 || >=6.0.0-alpha.0
              Depends on vulnerable versions of @storybook/addon-docs
              node_modules/@storybook/addon-essentials
            @storybook/react  >=6.2.0-alpha.0
            Depends on vulnerable versions of @storybook/core
            node_modules/@storybook/react

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @storybook/addon-essentials@5.3.21, which is a breaking change
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=2.0.0-next.8
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @mdx-js/loader  0.15.5 - 1.6.22
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@mdx-js/loader
      @storybook/addon-docs  *
      Depends on vulnerable versions of @mdx-js/mdx
      Depends on vulnerable versions of @storybook/core
      Depends on vulnerable versions of @storybook/csf-tools
      Depends on vulnerable versions of @storybook/react
      node_modules/@storybook/addon-docs
        @storybook/addon-essentials  <=5.3.0-rc.14 || >=6.0.0-alpha.0
        Depends on vulnerable versions of @storybook/addon-docs
        node_modules/@storybook/addon-essentials
      @storybook/csf-tools  *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@storybook/csf-tools
        @storybook/core-server  *
        Depends on vulnerable versions of @storybook/csf-tools
        Depends on vulnerable versions of cpy
        node_modules/@storybook/core-server
          @storybook/core  >=6.2.0-alpha.0
          Depends on vulnerable versions of @storybook/core-server
          node_modules/@storybook/core
            @storybook/react  >=6.2.0-alpha.0
            Depends on vulnerable versions of @storybook/core
            node_modules/@storybook/react
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

trim-newlines  <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow

The results of `npx sb@next info`:

Environment Info:

  System:
    OS: macOS 12.0.1
    CPU: (4) x64 Intel(R) Core(TM) i5-5257U CPU @ 2.70GHz
  Binaries:
    Node: 16.13.0 - ~/.nvm/versions/node/v16.13.0/bin/node
    Yarn: 1.22.17 - ~/.nvm/versions/node/v16.13.0/bin/yarn
    npm: 8.3.0 - ~/.nvm/versions/node/v16.13.0/bin/npm
  Browsers:
    Chrome: 96.0.4664.110
    Firefox: 94.0.2
    Safari: 15.1
  npmPackages:
    @storybook/addon-actions: ^6.5.0-alpha.9 => 6.5.0-alpha.9 
    @storybook/addon-docs: ^6.5.0-alpha.9 => 6.5.0-alpha.9 
    @storybook/addon-essentials: ^6.5.0-alpha.9 => 6.5.0-alpha.9 
    @storybook/addon-links: ^6.5.0-alpha.9 => 6.5.0-alpha.9 
    @storybook/react: ^6.5.0-alpha.9 => 6.5.0-alpha.9 
@shilman
Member

shilman commented Jan 6, 2022

closing as dupe to #14603

@farideliyev

farideliyev commented Mar 7, 2022

Hi @shilman, this is not entirely a dupe of #14603, because of the trim-newlines library.
@storybook/core-server > x-default-browser > default-browser-id > meow > trim-newlines
