
postcss Security Vulnerability


Hello!

Thought it would be good to open the discussion and see if someone might have an idea on how to proceed.

postcss versions less than 8.2.10 are vulnerable as per: https://npmjs.com/advisories/1693

It appears several projects under Storybook are using an old version of css-loader (< 5) or postcss-flexbugs-fixes (< 5) or autoprefixer (< 10), which have a dependency on postcss 7. For example:

  • Core-Server
  • Builder-Webpack4
  • Addon-postcss
  • Angular

These dependencies on older versions of postcss are preventing us from updating to a later version to address this vulnerability.

Is this something on the Storybook team’s radar/planned for upcoming update?
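Added example (not part of the issue thread or of the Storybook project): a small Node script that walks an `npm ls --json`-style dependency tree and lists every path that resolves to a postcss version below 8.2.10, the fixed version the issue cites. The tree, the package versions in it and the function names (`findVulnerablePaths`, `report`) are constructed for illustration and are not real audit output.

```javascript
// Added example (not from the Storybook issue or project): walk an npm-style
// dependency tree and report every path that ends in a postcss version below
// the fixed version named in the issue (8.2.10). The tree below is constructed
// for illustration; its version numbers are made up.

const VULNERABLE_BELOW = "8.2.10";

// Minimal semver compare on the numeric core (major.minor.patch). Range
// prefixes such as "^" and prerelease tags are stripped, which is enough here.
function parseVersion(v) {
  return v.replace(/^[^\d]*/, "").split("-")[0].split(".").map(n => parseInt(n, 10) || 0);
}

function lessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Recursively collect "a > b > postcss@x.y.z" strings for every vulnerable
// instance of `pkg`. `node` has the shape of `npm ls --json` output:
// { name?, version?, dependencies?: { [name]: node } }.
function findVulnerablePaths(node, pkg, fixedIn, path = []) {
  const found = [];
  const deps = node.dependencies || {};
  for (const [name, child] of Object.entries(deps)) {
    const here = [...path, name];
    if (name === pkg && child.version && lessThan(child.version, fixedIn)) {
      found.push(`${here.join(" > ")}@${child.version}`);
    }
    found.push(...findVulnerablePaths(child, pkg, fixedIn, here));
  }
  return found;
}

// Constructed tree modelled on the packages the issue names (css-loader,
// autoprefixer, postcss-flexbugs-fixes); all versions are illustrative.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "@storybook/core-server": {
      version: "6.2.9",
      dependencies: {
        "css-loader": {
          version: "3.6.0",
          dependencies: { postcss: { version: "7.0.36" } },
        },
      },
    },
    "@storybook/addon-postcss": {
      version: "2.0.0",
      dependencies: {
        autoprefixer: {
          version: "9.8.6",
          dependencies: { postcss: { version: "7.0.35" } },
        },
        "postcss-flexbugs-fixes": {
          version: "4.2.1",
          dependencies: { postcss: { version: "7.0.35" } },
        },
      },
    },
    // A direct, already-patched postcss at the top level must not be reported.
    postcss: { version: "8.3.0" },
  },
};

// Returns the list of vulnerable paths for a tree (defaults to the sample).
function report(tree = SAMPLE_TREE) {
  return findVulnerablePaths(tree, "postcss", VULNERABLE_BELOW);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of report()) console.log(p);
}
```

To run it against a real project, replace `SAMPLE_TREE` with the parsed JSON from `npm ls postcss --json` (on npm 7 or later add `--all` so the full depth is included); the walker only relies on the `dependencies` and `version` fields of that output. The point of listing full paths rather than just versions is that each path names the package (css-loader, autoprefixer, postcss-flexbugs-fixes) that must be bumped before postcss can move.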

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 33
  • Comments: 10 (8 by maintainers)

Top GitHub Comments

5 reactions
shilman commented, Jun 17, 2021

Ermahgerd!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.3.0-rc.9 containing PR #15276 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there’s still more to do.

4 reactions
mayank99 commented, May 11, 2021

@storybook/addon-docs and @storybook/react also indirectly use postcss 7

From dependabot: (screenshot of the dependabot alert, not reproduced)
