Low severity vulnerability in @storybooks/cli #4241
Comments
Thanks for reporting this! We'll be looking for an alternative that's secure, do you happen to have any recommendations?
Maybe this:
Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!
Hey there, it's me again! I am going to close this issue to help our maintainers focus on the current development roadmap instead. If the issue mentioned is still a concern, please open a new ticket and mention this old one. Cheers and thanks for using Storybook!
I'm still seeing this problem. Any update on this? Thanks
Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!
Hello, Any news on this?
I've updated Storybook's direct dependencies on lodash in another PR, will take a look at this transitive one as well if no-one else is on it yet
I think it would be better to get rid of this Looking at the code, the dependency is used only to synchronously copy some directory A in some directory B (the content of A overriding in case of conflicts). I know from (existing code)
```js
import path from 'path';
import mergeDirs from 'merge-dirs';
// ...
mergeDirs(path.resolve(__dirname, 'template/'), '.', 'overwrite');
```
to (new code)
```js
import path from 'path';
import fse from 'fs-extra';
// ...
fse.copySync(path.resolve(__dirname, 'template/'), '.', {overwrite: true});
```
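The merge semantics described in the comment above (directory A copied into directory B, A winning on conflicts, everything else in B left alone), written with Node's built-in `fs` only so the behaviour can be checked before swapping the dependency. This is an added example, not part of the thread and not the code from PR #7100; `mergeInto`, `demo` and the sample file names are assumptions.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper: copy every entry of srcDir into destDir.
// Files present in both are overwritten by src; files only in dest are kept.
function mergeInto(srcDir, destDir) {
  const copied = [];
  fs.mkdirSync(destDir, { recursive: true });
  for (const entry of fs.readdirSync(srcDir, { withFileTypes: true })) {
    const from = path.join(srcDir, entry.name);
    const to = path.join(destDir, entry.name);
    if (entry.isDirectory()) {
      copied.push(...mergeInto(from, to));
    } else if (entry.isFile()) {
      fs.copyFileSync(from, to); // default mode overwrites an existing file
      copied.push(to);
    }
    // Symlinks and special files in the source are skipped, not followed.
  }
  return copied;
}

// Constructed sample: a template dir and a project dir with one conflict.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'merge-demo-'));
  const template = path.join(root, 'template');
  const project = path.join(root, 'project');
  fs.mkdirSync(path.join(template, '.storybook'), { recursive: true });
  fs.mkdirSync(path.join(project, '.storybook'), { recursive: true });
  fs.writeFileSync(path.join(template, '.storybook', 'config.js'), 'from template');
  fs.writeFileSync(path.join(project, '.storybook', 'config.js'), 'old project copy');
  fs.writeFileSync(path.join(project, 'package.json'), '{}');

  const copied = mergeInto(template, project);
  const result = {
    copiedCount: copied.length,
    config: fs.readFileSync(path.join(project, '.storybook', 'config.js'), 'utf8'),
    keptPackageJson: fs.existsSync(path.join(project, 'package.json')),
  };
  fs.rmSync(root, { recursive: true, force: true }); // clean up the temp tree
  return result;
}

console.log(demo());
```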
@debel27 Sounds like you would be able to open a PR changing this? Would be appreciated a lot!
You got it!
Huzzah!! I just released https://github.com/storybookjs/storybook/releases/tag/v5.2.0-alpha.27 containing PR #7100 that references this issue. Upgrade today to try it out! Because it's a pre-release you can find it on the Closing this issue. Please re-open if you think there's still more to do.
Whoopee!! I just released https://github.com/storybookjs/storybook/releases/tag/v5.1.10 containing PR #7100 that references this issue. Upgrade today to try it out!
Bug or support request summary
When installing my project's dependencies or running `npm audit` I get a vulnerability alert. The vulnerability is caused by the `merge-dirs` dependency which doesn't seem to be maintained anymore (last release was 3 years ago and the issues posted there don't seem to get any attention).
I get the following from `npm install @storybook/cli`:
From `npm audit`:
Steps to reproduce
Please specify which version of Storybook and optionally any affected addons that you're running
Affected platforms