@storybook/addon-storyshots: NPM Audit warning - braces >= 2.3.1 #6110

Closed
danielfigueiredo opened this issue Mar 15, 2019 · 11 comments

danielfigueiredo commented Mar 15, 2019

Running NPM / yarn audit throws Regular Expression Denial of Service.
In yarn this is a bit worse because it fails with process code 1 and thus fails CI.

The following path of dependencies depicts the root origin of the error:

@storybook/addon-storyshots > jest-specific-snapshot > jest-snapshot > jest-message-util > micromatch > braces

Most libraries have gotten rid of this vulnerability from braces.

Steps to reproduce

Install latest @storybook/framework and @storybook/addon-storyshots and run NPM audit.

Please specify which version of Storybook and optionally any affected addons that you're running

Affected platforms

I'm on macOS but I don't see why it would be different in another OS.


@danielfigueiredo danielfigueiredo changed the title NPM Audit warning - braces >= 2.3.1 @storybook/addon-storyshots: NPM Audit warning - braces >= 2.3.1 Mar 15, 2019
@shilman shilman added this to the 5.0.x milestone Mar 15, 2019

stale bot commented Apr 5, 2019

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

@stale stale bot added the inactive label Apr 5, 2019

flexiblefactory commented Apr 12, 2019

Still relevant. There are also another 8 issues flagged by npm audit in addition to this one.

@stale stale bot removed the inactive label Apr 12, 2019

stale bot commented May 3, 2019

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

@stale stale bot added the inactive label May 3, 2019

devina91 commented May 7, 2019

I agree, still relevant. I too have this vulnerability, in addition to #6622.

@stale stale bot removed the inactive label May 7, 2019

stale bot commented May 28, 2019

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

@stale stale bot added the inactive label May 28, 2019
@arturopie

This issue is still relevant. I tried to help by fixing it in a PR, but I couldn't set up the project to run all the tests. If you can point me to the right documentation for setting up my environment to work on this project, I can make a PR.

@stale stale bot removed the inactive label May 28, 2019
Member

shilman commented May 28, 2019

@arturopie There's a development guide in CONTRIBUTING.md. Did you take a look at that?

https://github.com/storybooks/storybook/blob/next/CONTRIBUTING.md#reproductions

@arturopie

Yes, I did, and got 6 failed tests and 3 failed snapshots after running the core tests.

Member

shilman commented May 29, 2019

@arturopie Failed tests in the next branch?

@arturopie

Yes

@shilman shilman modified the milestones: 5.0.x, 5.1.x Jun 5, 2019

agwells commented Jun 7, 2019

Upgrading to @storybook/addon-storyshots@5.1.3 resolved this issue for me.
