Storybook: NPM Audit - Security Vulnerability - mem - Storybook/cli

Created on 27 Feb 2020 · 7 Comments · Source: storybookjs/storybook

Describe the bug
I just upgraded from storybook 5.2.8 -> 5.3.14, and am getting this security issue.

Code snippets
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Low            Denial of Service
Package        mem
Patched in     >=4.0.0
Dependency of  @storybook/cli [dev]
Path           @storybook/cli > pkg-add-deps > libnpm > lock-verify > @iarna/cli > yargs > os-locale > mem
More info      https://npmjs.com/advisories/1084

System:
Environment Info:
  System:
    OS: Windows 10 10.0.17763
    CPU: (8) x64 Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
  Binaries:
    Node: 10.16.0 - C:\Program Files\nodejs\node.EXE
    npm: 6.9.0 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 44.17763.831.0

Additional context
Have tried removing node_modules, package-lock and clearing npm cache with fresh install, same issue.
Also seen it identified in snyk
https://snyk.io/test/npm/@storybook/cli

Labels: dependencies, security

All 7 comments

$ yarn why mem
yarn why v1.21.1
[1/4] 🤔  Why do we have the module "mem"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#os-locale" depends on it
   - Hoisted from "_project_#os-locale#mem"
info Disk size without dependencies: "48KB"
info Disk size with unique dependencies: "132KB"
info Disk size with transitive dependencies: "152KB"
info Number of shared dependencies: 4
=> Found "@iarna/cli#[email protected]"
info Reasons this module exists
   - "_project_#@storybook#cli#pkg-add-deps#libnpm#lock-verify#@iarna#cli#yargs#os-locale" depends on it
   - Hoisted from "_project_#@storybook#cli#pkg-add-deps#libnpm#lock-verify#@iarna#cli#yargs#os-locale#mem"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "32KB"
info Disk size with transitive dependencies: "32KB"
info Number of shared dependencies: 1
✨  Done in 1.96s.

FYI, the package acorn also has some security issue.

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Moderate       Regular Expression Denial of Service
Package        acorn
Patched in     >=7.1.1
Dependency of  @storybook/react [dev]
Path           @storybook/react > @storybook/core > corejs-upgrade-webpack-plugin > webpack > acorn
More info      https://nodesecurity.io/advisories/1488

Moderate       Regular Expression Denial of Service
Package        acorn
Patched in     >=7.1.1
Dependency of  @storybook/react [dev]
Path           @storybook/react > @storybook/core > webpack > acorn
More info      https://nodesecurity.io/advisories/1488

Moderate       Regular Expression Denial of Service
Package        acorn
Patched in     >=7.1.1
Dependency of  @storybook/react [dev]
Path           @storybook/react > webpack > acorn
More info      https://nodesecurity.io/advisories/1488

found 3 moderate severity vulnerabilities in 52778 scanned packages
3 vulnerabilities require manual review. See the full report for details.

@here what is the fix for this? Still getting the vulnerability in version 5.3.17 for mem.

Why is this closed, has it been resolved somehow?

$ npm list mem
├─┬ @storybook/[email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ @iarna/[email protected]
│         └─┬ [email protected]
│           └─┬ [email protected]
│             └── [email protected]

Son of a gun!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.0.0-beta.27 containing PR #11143 that references this issue. Upgrade today to try it out!

You can find this prerelease on the @next NPM tag.
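The audit report in the issue, the `yarn why mem` output and the `npm list mem` tree above all answer the same question: which copies of `mem` are installed, through which chain of `requires`, and is the copy on each chain at or above the patched version. The script below is an added example written for this page; it is not code from Storybook, npm or yarn. It walks a lockfile in the `lockfileVersion: 1` layout that npm 6 writes (the npm in the reporter's environment), resolving each `requires` entry the way Node does (nearest nested `node_modules` first, then up to the top level), so the printed paths match the `Path` lines `npm audit` produces. The lockfile, package.json and every version number and range in it are constructed placeholders modelled on the package names in the issue, not a real Storybook lockfile; only the `>=x.y.z` form of the "Patched in" line is parsed, because that is the form `npm audit` prints.

```javascript
'use strict';

// Constructed package.json and package-lock.json (lockfileVersion 1). Package names
// follow the audit path in the issue; versions and ranges are placeholders.
const PACKAGE_JSON = {
  name: 'example-app',
  devDependencies: { '@storybook/cli': '^5.3.14', yargs: '^15.0.0' },
};

const LOCK = {
  lockfileVersion: 1,
  dependencies: {
    '@storybook/cli': { version: '5.3.14', dev: true, requires: { 'pkg-add-deps': '^0.0.4' } },
    'pkg-add-deps': { version: '0.0.4', dev: true, requires: { libnpm: '^2.0.0' } },
    libnpm: { version: '2.0.1', dev: true, requires: { 'lock-verify': '^2.0.0' } },
    'lock-verify': { version: '2.1.0', dev: true, requires: { '@iarna/cli': '^1.2.0' } },
    '@iarna/cli': {
      version: '1.2.0', dev: true, requires: { yargs: '^8.0.2' },
      // npm nests private copies here because the top-level yargs (15.x) does not satisfy ^8.0.2
      dependencies: {
        yargs: { version: '8.0.2', dev: true, requires: { 'os-locale': '^2.0.0' } },
        'os-locale': { version: '2.1.0', dev: true, requires: { mem: '^1.1.0' } },
        mem: { version: '1.1.0', dev: true },
      },
    },
    yargs: { version: '15.0.2', dev: true, requires: { 'os-locale': '^4.0.0' } },
    'os-locale': { version: '4.0.0', dev: true, requires: { mem: '^5.0.0' } },
    mem: { version: '5.1.1', dev: true },
  },
};

// Resolve `name` from a stack of scopes, innermost node_modules first, top level last.
function resolveInScopes(name, scopes) {
  for (let i = 0; i < scopes.length; i++) {
    const node = scopes[i][name];
    if (node) {
      const childScopes = node.dependencies ? [node.dependencies, ...scopes.slice(i)] : scopes.slice(i);
      return { node, childScopes };
    }
  }
  return null; // required but absent from the lockfile
}

// Every logical path from the project root to `target`, with the version each path resolves to.
function logicalPaths(pkgJson, lock, target) {
  const found = [];
  const direct = Object.keys({ ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) });
  const onStack = new Set(); // physical nodes on the current DFS path, guards against cycles

  function visit(name, scopes, trail) {
    const hit = resolveInScopes(name, scopes);
    if (!hit) return;
    const { node, childScopes } = hit;
    const path = [...trail, name];
    if (name === target) found.push({ path, version: node.version, dev: Boolean(node.dev) });
    if (onStack.has(node)) return;
    onStack.add(node);
    for (const dep of Object.keys(node.requires || {})) visit(dep, childScopes, path);
    onStack.delete(node);
  }

  for (const name of direct) visit(name, [lock.dependencies || {}], []);
  return found;
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Only the ">=x.y.z" form printed by `npm audit` is handled; anything else is rejected loudly.
function isPatched(version, patchedRange) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedRange.trim());
  if (!m) throw new Error(`unsupported patched range: ${patchedRange}`);
  return compareVersions(version, m[1]) >= 0;
}

// One record per reachable copy of `target`, flagged against the advisory's patched range.
function auditPackage(pkgJson, lock, target, patchedRange) {
  return logicalPaths(pkgJson, lock, target).map(p => ({
    path: p.path.join(' > '),
    version: p.version,
    dev: p.dev,
    vulnerable: !isPatched(p.version, patchedRange),
  }));
}

// Yarn 1 "resolutions" entry forcing every copy of `target` nested under `parent` to the patched line.
function yarnResolution(parent, target, patchedRange) {
  const min = patchedRange.replace(/^>=\s*/, '');
  return { [`${parent}/**/${target}`]: `^${min}` };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditPackage(PACKAGE_JSON, LOCK, 'mem', '>=4.0.0')) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'patched   '} mem@${r.version}${r.dev ? ' [dev]' : ''}  ${r.path}`);
  }
  console.log(JSON.stringify({ resolutions: yarnResolution('@iarna/cli', 'mem', '>=4.0.0') }, null, 2));
}
```

Run against the constructed lockfile it reports two copies of `mem`: the hoisted top-level 5.1.1 reached through `yargs > os-locale`, which is already past the patched version, and the 1.1.0 copy nested under `@iarna/cli` on the same eight-package chain the issue shows, which is the one the audit is complaining about. That distinction is why a fresh install with a cleared cache (as the reporter tried) cannot help: `npm audit fix` can only move the nested copy if every parent's range along that chain admits a `mem` at or above 4.0.0, and here `os-locale@2.x` asks for `^1.1.0`. With Yarn 1 the `resolutions` object the script prints, placed in `package.json`, overrides that range for the nested copy; whether the old `os-locale` still works with a newer `mem` is something to test rather than assume, which is why the `[dev]` marker matters when prioritising: this chain lives in a CLI devDependency that runs on a developer or CI machine, not in anything the project ships.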
