
Please upgrade dependencies to fix audit failures #18155

Closed
liftyourgame opened this issue May 6, 2022 · 7 comments · Fixed by #21201
Comments

@liftyourgame

Describe the bug
Storybook is triggering 13 audit failures in my project.

To Reproduce
Just install the latest @storybook.
In particular, upgrade @mdx-js/mdx.

System

Environment Info:

System:
OS: macOS 12.3.1
CPU: (10) arm64 Apple M1 Max
Binaries:
Node: 14.19.1 - ~/.nvm/versions/node/v14.19.1/bin/node
npm: 6.14.16 - ~/.nvm/versions/node/v14.19.1/bin/npm
Browsers:
Chrome: 101.0.4951.54
Safari: 15.4
npmPackages:
@storybook/addon-actions: ^6.4.22 => 6.4.22
@storybook/addon-essentials: ^6.4.22 => 6.4.22
@storybook/addon-interactions: ^6.4.22 => 6.4.22
@storybook/addon-links: ^6.4.22 => 6.4.22
@storybook/react: ^6.4.22 => 6.4.22
@storybook/testing-library: 0.0.9 => 0.0.9


@KyleTryon

Up to 22

@luanmm

luanmm commented Feb 15, 2023

There are security errors in the @storybook/cli package (in version 7, which is in beta) too:

# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install @storybook/cli@6.5.16, which is a breaking change
node_modules/got
  download-tarball  *
  Depends on vulnerable versions of got
  node_modules/download-tarball
    @storybook/cli  >=7.0.0-alpha.0
    Depends on vulnerable versions of download-tarball
    node_modules/@storybook/cli

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install @storybook/cli@6.5.16, which is a breaking change
node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

5 vulnerabilities (2 moderate, 3 high)

@chartinger

chartinger commented Feb 16, 2023

And according to

└─┬ storybook@7.0.0-beta.48
  └─┬ @storybook/cli@7.0.0-beta.48
    └─┬ download-tarball@2.0.0
      └─┬ got@8.3.2
        └─┬ cacheable-request@2.1.4
          └── http-cache-semantics@3.8.1

It seems to be caused by download-tarball, which has not been updated in 4 years.

(edit: which seems to be a new addition in 7.0.0-beta.48: 62e37c0)
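The `npm ls` chain above is the useful part of the report: the only hop the project itself controls is download-tarball, everything below it is inherited. The script below is an added example, not code from this thread or from Storybook. It rebuilds that reasoning over a constructed, flattened lockfile graph (package name to installed version and dependency ranges; a real package-lock.json v2/v3 nests these by path) and a deliberately small range matcher that handles only the single-comparator ranges npm audit printed here (`<=11.8.3`, `<4.1.1`, `*`). The advisory list is copied from the audit output in the thread; the lockfile contents are constructed from the `npm ls` tree above.

```javascript
// Added example: find the dependency chain that pulls an advisory-matching
// package into a project. Not Storybook's code; the graph is constructed.

// Constructed, flattened lockfile: one installed version per package name,
// plus the ranges each package declares (mirrors the `npm ls` tree in the thread).
const lock = {
  "storybook":            { version: "7.0.0-beta.48", dependencies: { "@storybook/cli": "7.0.0-beta.48" } },
  "@storybook/cli":       { version: "7.0.0-beta.48", dependencies: { "download-tarball": "^2.0.0" } },
  "download-tarball":     { version: "2.0.0",         dependencies: { "got": "^8.3.2" } },
  "got":                  { version: "8.3.2",         dependencies: { "cacheable-request": "^2.1.4" } },
  "cacheable-request":    { version: "2.1.4",         dependencies: { "http-cache-semantics": "^3.8.1" } },
  "http-cache-semantics": { version: "3.8.1",         dependencies: {} },
};

// Advisories exactly as npm audit reported them in this issue.
const advisories = [
  { name: "got",                  range: "<=11.8.3", severity: "high", id: "GHSA-pfrx-2q88-qq97" },
  { name: "http-cache-semantics", range: "<4.1.1",   severity: "high", id: "GHSA-rc47-6667-2j5j" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver precedence: numeric parts first; a prerelease sorts below the same
// release (7.0.0-beta.48 < 7.0.0). Prerelease-vs-prerelease is compared as a
// plain string, which is a simplification that is fine for a single beta stream.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Match one simple range of the form `<op>X.Y.Z` (op in <, <=, >, >=, =) or `*`.
function satisfies(version, range) {
  const r = range.trim();
  if (r === "*") return true;
  const m = /^(<=|>=|<|>|=)?\s*(\S+)$/.exec(r);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const cmp = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case "<":  return cmp < 0;
    case "<=": return cmp <= 0;
    case ">":  return cmp > 0;
    case ">=": return cmp >= 0;
    default:   return cmp === 0;
  }
}

// Depth-first search from `root` for the first path that reaches `target`.
function findPath(lock, root, target, seen = new Set()) {
  if (root === target) return [root];
  if (seen.has(root) || !lock[root]) return null;
  seen.add(root);
  for (const dep of Object.keys(lock[root].dependencies || {})) {
    const sub = findPath(lock, dep, target, seen);
    if (sub) return [root, ...sub];
  }
  return null;
}

// For every advisory whose range the installed version matches, report the
// chain from the root package down to it.
function audit(lock, root, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const entry = lock[adv.name];
    if (!entry || !satisfies(entry.version, adv.range)) continue;
    const path = findPath(lock, root, adv.name);
    if (!path) continue; // installed but not reachable from this root
    findings.push({ ...adv, installed: entry.version, path });
  }
  return findings;
}

// Render a chain the way `npm ls` does, one `name@version` per hop.
function formatChain(lock, path) {
  return path.map((n) => `${n}@${lock[n].version}`).join(" > ");
}

for (const f of audit(lock, "storybook", advisories)) {
  console.log(`[${f.severity}] ${f.name}@${f.installed} matches ${f.range} (${f.id})`);
  console.log("  via " + formatChain(lock, f.path));
}
```

Reading the output the way a reviewer would: both findings share the prefix storybook > @storybook/cli > download-tarball, so the fix is in one place, either bump download-tarball to a release that depends on a patched got (the upstream PR route) or drop the dependency altogether (the "just write a helper" route), rather than trying to override got or http-cache-semantics individually.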

@ndelangen
Member

@chartinger, thank you for reporting; if you wouldn't mind, could you give the issue upstream a thumbs-up?

If there's any other way you could assist to get this resolved, any help would be appreciated!

@ndelangen
Member

I opened a PR to modernize the dependency:
kesla/download-tarball#6

@chartinger

As the package code is about 26 lines, I wonder if it would be easier to just have a helper function :)

@shilman
Member

shilman commented Mar 1, 2023

Jeepers creepers!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-beta.58 containing PR #21201 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb@next upgrade --prerelease

6 participants