Describe the bug
New vulnerability discovered in July in a sub dependency: @storybook/addon-info > marksy > marked
This is in version 5.1.11 of @storybook/addon-info.
https://www.npmjs.com/advisories/1076
System
Environment Info:
npmPackages:
@storybook/addon-actions: ^5.1.11 => 5.1.11
@storybook/addon-backgrounds: ^5.1.11 => 5.1.11
@storybook/addon-info: ^5.1.11 => 5.1.11
@storybook/addon-knobs: ^5.1.11 => 5.1.11
@storybook/addon-links: ^5.1.11 => 5.1.11
@storybook/addon-viewport: ^5.1.11 => 5.1.11
@storybook/react: ^5.1.11 => 5.1.11
Addon-info is being superseded by addon-docs, which fixes a bunch of bugs and is easier to maintain. Please give it a try! https://medium.com/storybookjs/storybook-docspage-e185bc3622bf
Pointing to a beta release is not really an appropriate resolution for a security issue. Can we just get an updated 5.1.x release with remediated dependencies?
@ZebraFlesh PRs welcome
I dug into this a bit and found the following:
This leads me to believe that the renderers that marksy supplies to marked are bad, but I lack project familiarity to determine what the problem is.
Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!
Heyo, this is still present in "@storybook/addon-info": "~5.2.1", can we get just a fix related to that regexp DoS issue? I know there is a proposal to just move to addon-docs but at the project I am working on, there is a sceptical approach to new libraries (yeah I know how it sounds). So just raising this issue once again as I saw it already being marked as inactive.
Fix please
If anybody wants to issue a PR for a fix, I'm happy to get it merged. In the meantime, addon-docs has been released for two months and is getting better every day. Here's a good example of a production system using it:
https://reaviz.io/?path=/story/docs-intro--page
Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v5.3.0-rc.3 containing PR #9234 that references this issue. Upgrade today to try it out!
You can find this prerelease on the @next NPM tag.
Closing this issue. Please re-open if you think there's still more to do.
Hi @shilman, I'm facing the same issue in npm audit. This is in version ^5.3.18 of @storybook/addon-info.
┌───────────────┬──────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service         │
├───────────────┼──────────────────────────────────────────────┤
│ Package       │ marked                                       │
├───────────────┼──────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                      │
├───────────────┼──────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-info [dev]                  │
├───────────────┼──────────────────────────────────────────────┤
│ Path          │ @storybook/addon-info > marksy > marked      │
├───────────────┼──────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/812             │
└───────────────┴──────────────────────────────────────────────┘
@gohyifan https://github.com/storybookjs/storybook/issues/7842#issuecomment-523951188
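As an added example (not code from Storybook or from anyone in this thread), here is a small triage script that walks an `npm ls --json`-style dependency tree, lists every path that reaches `marked`, and flags installed versions below the advisory's "Patched in >=0.6.2" range; the tree and the marksy/marked versions in it are constructed for illustration, not taken from the page.

```javascript
// Added example, not code from Storybook or the thread: walk an `npm ls --json`
// style dependency tree, list every path that reaches a package, and flag the
// installed versions that are below the advisory's patched range.
// The tree is constructed; the marksy/marked versions are assumed (not from the page).
const sampleTree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    '@storybook/addon-info': {
      version: '5.3.18',
      dependencies: {
        marksy: { version: '8.0.0', dependencies: { marked: { version: '0.3.19' } } },
      },
    },
    'other-lib': { version: '2.0.0', dependencies: { marked: { version: '0.7.0' } } },
  },
};

// Numeric compare of plain x.y.z versions (prerelease tags are not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; returns [{ path: 'a > b > c', version, vulnerable }].
function findPackagePaths(tree, pkgName, patchedIn) {
  const hits = [];
  const walk = (node, trail) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const path = [...trail, name];
      if (name === pkgName) {
        hits.push({ path: path.join(' > '), version: child.version,
                    vulnerable: compareVersions(child.version, patchedIn) < 0 });
      }
      walk(child, path);
    }
  };
  walk(tree, []);
  return hits;
}

// Advisory values taken from the audit table above: package marked, patched in >=0.6.2.
function auditMarked(tree = sampleTree) {
  return findPackagePaths(tree, 'marked', '0.6.2');
}
console.log(auditMarked());
```

Feeding it the real output of `npm ls --json` instead of `sampleTree` shows which transitive paths (such as `@storybook/addon-info > marksy > marked`) still resolve to an unpatched copy after an upgrade.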