[Security] Vulnerability of medium severity disclosed in transitive dependencies

Bug or support request summary

On December 10th 2019, a Cross-site Scripting vulnerability was disclosed in the serialize-javascript package in versions below 2.1.1.

Storybook transitively depends on vulnerable versions of this package through the following paths:

@storybook/react > @storybook/core > corejs-upgrade-webpack-plugin > webpack > terser-webpack-plugin > serialize-javascript

@storybook/react > @storybook/core > webpack > terser-webpack-plugin > serialize-javascript

@storybook/react > webpack > terser-webpack-plugin > serialize-javascript

@storybook/react > @storybook/core > terser-webpack-plugin > serialize-javascript

Please specify which version of Storybook and optionally any affected addons that you’re running

However, this was last updated to 5.2.6. I’ve confirmed that as of 9e66d9f26c49fee2a2c527775be5e638ff011b5d these vulnerabilities are still present in Storybook according to yarn audit.

Affected platforms

  • If UI related, please indicate browser, OS, and version
  • If dependency related, please include relevant version numbers
  • If developer tooling related, please include the platform information

Screenshots / Screencast / Code Snippets (Optional)

// code here

End bug report support request - delete the rest below
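The report above lists four chains through which the vulnerable package is reached. The script below is an added illustration, not code from Storybook, yarn or the issue's participants: it walks a small constructed dependency graph (the package names follow the issue's paths, but the graph is not Storybook's real lockfile and every version number is a made-up sample value), enumerates every transitive path from the root package to a target, and flags the target when its resolved version is below the patched one. Only plain x.y.z versions are compared; that is an assumption of this example, not a property of any audit tool.

```javascript
'use strict';

// Constructed dependency graph standing in for a lockfile (NOT Storybook's
// real lockfile; the versions are made-up sample values). Each key is a
// package name; each value holds its resolved version and direct dependencies.
const SAMPLE_GRAPH = {
  '@storybook/react': { version: '5.2.6', deps: ['@storybook/core', 'webpack'] },
  '@storybook/core': {
    version: '5.2.6',
    deps: ['corejs-upgrade-webpack-plugin', 'webpack', 'terser-webpack-plugin'],
  },
  'corejs-upgrade-webpack-plugin': { version: '1.0.0', deps: ['webpack'] },
  'webpack': { version: '4.0.0', deps: ['terser-webpack-plugin'] },
  'terser-webpack-plugin': { version: '1.0.0', deps: ['serialize-javascript'] },
  // Sample value below the patched 2.1.1 named in the issue.
  'serialize-javascript': { version: '2.1.0', deps: [] },
};

// Compare two plain dotted versions (x.y.z, no prerelease tags): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first enumeration of every path from `root` to `target`. `onPath`
// tracks the packages on the current path so a cyclic graph still terminates.
function findPaths(graph, root, target, path = [], onPath = new Set()) {
  if (onPath.has(root) || !graph[root]) return [];
  const current = [...path, root];
  if (root === target) return [current];
  onPath.add(root);
  const found = [];
  for (const dep of graph[root].deps) {
    found.push(...findPaths(graph, dep, target, current, onPath));
  }
  onPath.delete(root);
  return found;
}

// Report whether `target` resolves below `patchedVersion` and which transitive
// chains pull it in, formatted with ' > ' the way the issue lists them.
function auditTransitive(graph, root, target, patchedVersion) {
  const node = graph[target];
  const paths = findPaths(graph, root, target).map((p) => p.join(' > '));
  const vulnerable = Boolean(node) && compareVersions(node.version, patchedVersion) < 0;
  return { target, version: node ? node.version : null, vulnerable, paths };
}

// Usage: audit the sample graph for serialize-javascript below 2.1.1.
const report = auditTransitive(SAMPLE_GRAPH, '@storybook/react', 'serialize-javascript', '2.1.1');
if (report.vulnerable) {
  console.log(`${report.target}@${report.version} is below 2.1.1; reached via:`);
  for (const p of report.paths) console.log('  ' + p);
}
```

Because every chain ends at the same resolved copy of the package, one upgrade of the leaf (here, bumping serialize-javascript to 2.1.1 in the graph) clears all four paths at once, which is why an audit should be re-run after the fix rather than after each intermediate package is touched.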

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

1 reaction
shilman commented, Mar 17, 2020

thanks @mattmoreira !

1 reaction
mattmoreira commented, Mar 16, 2020

@shilman, as this was solved by #10071, can we close it?
