Storybook: Please update dependency of url-loader due to transitive dependency vulnerability

Created on 26 Jan 2018 · 5 Comments · Source: storybookjs/storybook

Issue details

Storybook/angular 3.3.10 and 3.4.0-alpha.5 both pull in "url-loader": "^0.5.8" (0.5.9) and this brings along [email protected] which has a high vulnerability risk report.

mime: https://nodesecurity.io/advisories/535

  • Vulnerable: < 1.4.1 || > 2.0.0 < 2.0.3
  • Patched: >= 1.4.1 < 2.0.0 || >= 2.0.3

[email protected] (current latest) brings in [email protected] and would resolve this issue

Steps to reproduce

npm install of current storybook@angular versions

Please specify which version of Storybook and optionally any affected addons that you're running

  • @storybook/angular 3.3.10
  • @storybook/angular 3.4.0-alpha.5

Affected platforms

See advisory above
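The issue boils down to checking whether a transitively installed copy of `mime` falls inside the advisory's vulnerable range. The script below is an added example, not code from the Storybook project or the issue author: it implements just enough semver comparison to evaluate the advisory's range syntax (`<`, `<=`, `>`, `>=`, `=` joined by spaces for AND and `||` for OR) and walks an `npm ls --json`-shaped tree to report every vulnerable copy together with the dependency path that pulls it in. The tree, the `some-other-lib` package and the `mime` version numbers below the top level are constructed sample values; pre-release tags are ignored.

```javascript
// Added example (not Storybook code): locate vulnerable transitive copies of a
// package by matching installed versions against an advisory's version ranges.
// No external packages are used, so it runs with plain Node.
// Assumption: plain x.y.z versions; pre-release suffixes are ignored.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 like a comparator callback
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '<':  (c) => c < 0,
  '<=': (c) => c <= 0,
  '>':  (c) => c > 0,
  '>=': (c) => c >= 0,
  '=':  (c) => c === 0,
};

// true if `version` satisfies a range such as "< 1.4.1 || > 2.0.0 < 2.0.3":
// alternatives separated by "||", comparators inside one alternative ANDed.
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const comparators = alt.trim().match(/(<=|>=|<|>|=)\s*\d+\.\d+\.\d+/g) || [];
    if (comparators.length === 0) return false;
    return comparators.every((cmp) => {
      const [, op, ver] = /^(<=|>=|<|>|=)\s*(.+)$/.exec(cmp);
      return OPS[op](compareVersions(version, ver));
    });
  });
}

// Walk an `npm ls --json`-shaped tree and list every installed copy of `pkg`
// whose version is in `vulnRange`, with the path of packages that pulls it in.
function findVulnerable(tree, pkg, vulnRange, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkg && satisfies(node.version, vulnRange)) {
      hits.push({ version: node.version, path: here.join(' > ') });
    }
    hits.push(...findVulnerable(node, pkg, vulnRange, here));
  }
  return hits;
}

// Constructed sample tree. Only "@storybook/angular 3.3.10 -> url-loader 0.5.9"
// comes from the issue; the mime versions and `some-other-lib` are made up.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    '@storybook/angular': {
      version: '3.3.10',
      dependencies: {
        'url-loader': {
          version: '0.5.9',
          dependencies: { mime: { version: '1.3.6' } },   // constructed
        },
      },
    },
    'some-other-lib': {                                   // constructed
      version: '2.1.0',
      dependencies: { mime: { version: '1.6.0' } },       // patched range
    },
  },
};

// Vulnerable range copied from the advisory quoted in the issue.
const MIME_VULNERABLE = '< 1.4.1 || > 2.0.0 < 2.0.3';

function auditSample() {
  return findVulnerable(SAMPLE_TREE, 'mime', MIME_VULNERABLE);
}

for (const hit of auditSample()) {
  console.log(`mime@${hit.version} is in the vulnerable range via ${hit.path}`);
}
```

To run this against a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --json --all` (or read it from `package-lock.json`) and keep the advisory range as the only input that changes per finding; the path string is what tells you which direct dependency needs the bump, which is exactly the `url-loader` upgrade requested in this issue.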

All 5 comments

Thanks @Stephanemw, will upgrade that.

@davegaeddert any idea why dependencies.io doesn't offer this upgrade?
https://app.dependencies.io/projects/github/storybooks/storybook/builds

@Hypnosphi I will have to do some digging. Looks like it was the only instance of url-loader that was missed though? Is there any chance it was updated in one of the PRs but didn't get merged?

I think it was updated in other packages (react, vue) even before the angular PR was merged. Is there a chance that dependencies.io keeps track of "already upgraded" deps without taking into account the particular subpackages where the upgrade took place?

Yeah I'm thinking it's something along those lines. The lerna components are a little non-typical in that way, and I do see a specific place where it could throw a wrench into things. Fortunately, I do think that the revised "v2" stuff we're in the middle of has this solved -- now we just need to get it released!

Released as 3.3.12
