4

After running NPM audit I have identified 5 critical issues. I have tried updating @storybook/addon-essentials & @storybook/react in order to resolve 4 of these as they say patched in >=x.x.x, which implies to me they have been resolved in at least the latest versions.

I ran `npm i @storybook/addon-essentials@latest @storybook/react@latest` and can see package.json (and lock) have the latest versions, but running an audit again shows the same critical vulnerabilities.

Is there something else I need to update in order to resolve these or have I done something wrong when updating to latest?

There are also some moderate and high vulnerabilities but I have grepped just the critical ones in order to focus on them for now.

I should also add we are using a private registry for our npm installs but it doesn't support audit so I am having to run `npm audit --registry=https://registry.npmjs.org` against the NPM registry. Not sure if this will make a difference.

[screenshot of the npm audit output]

Stretch0
  • Pay attention to the Path section. You use `@storybook/react` which depends on `@storybook/core` which depends on a chain of things all the way down to `immer` which has a vulnerability. The entire chain needs an update released to pull in the newer version. – Quentin Dec 13 '21 at 11:51
  • But isn't `@storybook/core` a dependency of `@storybook/react`? Meaning if I update `@storybook/react` it should update it's dependencies (assuming they have been updated in their latest versions) – Stretch0 Dec 13 '21 at 11:54
  • "assuming they have been updated in their latest versions" is the operative part there. – Quentin Dec 13 '21 at 11:55
  • Yes but in the screenshot of the audit output in my original post, it shows "patched in >=x.x.x". Does that not imply it has been fixed in the latest version? – Stretch0 Dec 13 '21 at 11:57
  • The latest version of immer. Doesn't mean that react-dev-tools has been patched to depend on that version of immer. Or, if it has, that @storybook/builder-webpack4 has been patched to depend on that version of react-dev-tools. etc. – Quentin Dec 13 '21 at 11:58
  • In this case, while `react-dev-utils`'s [package.json](https://github.com/facebook/create-react-app/blob/main/packages/react-dev-utils/package.json) has been updated at some point, since then, no new package has been released. Not sure how bad that is, as it seems this package is only installed as a devDependency—you might not even have it on-disk (try `npm ls --all`). – RickN Dec 13 '21 at 12:21
  • I have the same problem now. Did you manage to find any solution for this? @Stretch0 – Lazar Nikolic Jan 06 '22 at 11:45
  • I have not yet been able to resolve this but one thought I had was perhaps using [npm overrides](https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides) to force the package that has a bad dependency to use a newer version. Not sure if this will work or not, might depend on if there are breaking changes? – Stretch0 Jan 06 '22 at 11:49
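The point made in the comments above, as an added example that is not code from the question, the answer or Storybook: it walks npm 6-style `npm audit --json` output (assumed layout: `advisories` keyed by id, each with `findings[].paths` as `>`-separated chains) and, per critical advisory, reports the direct dependency you can bump and the package that pins the vulnerable version, then emits a scoped `overrides` block like the one floated by Stretch0. The audit data, the chain under `@storybook/addon-essentials` and all version numbers are constructed placeholders.

```javascript
// Constructed sample in the npm 6 `npm audit --json` shape; versions are placeholders,
// not immer's real vulnerable/patched ranges. The second path is an invented chain.
const sampleAudit = {
  advisories: {
    "1": {
      module_name: "immer",
      severity: "critical",
      patched_versions: ">=9.9.9", // constructed
      findings: [{
        version: "8.8.8", // constructed
        paths: [
          "@storybook/react>@storybook/core>@storybook/builder-webpack4>react-dev-utils>immer",
          "@storybook/addon-essentials>some-addon>react-dev-utils>immer", // constructed
        ],
      }],
    },
    "2": { module_name: "other-lib", severity: "moderate", patched_versions: ">=2.0.0",
           findings: [{ version: "1.0.0", paths: ["some-dep>other-lib"] }] },
  },
};

// For each critical finding: the first element of the path is the only thing you control
// from package.json; the second-to-last element declares the range that keeps the old
// version installed, so it is the package that must publish a release with a newer range.
function summarizeCritical(audit) {
  const out = [];
  for (const adv of Object.values(audit.advisories || {})) {
    if (adv.severity !== "critical") continue;
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split(">");
        out.push({
          module: adv.module_name,
          installed: finding.version,
          patched: adv.patched_versions,
          directDependency: chain[0],
          pinnedBy: chain.length > 1 ? chain[chain.length - 2] : chain[0],
          chain,
        });
      }
    }
  }
  return out;
}

// Builds a package.json "overrides" object scoped per direct dependency (nested override
// syntax). It bypasses the intermediate packages' own declared ranges, which is exactly
// why the comment asks about breaking changes: test the result before relying on it.
function buildOverrides(summary) {
  const overrides = {};
  for (const s of summary) {
    overrides[s.directDependency] = { ...(overrides[s.directDependency] || {}), [s.module]: s.patched };
  }
  return overrides;
}
```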

1 Answer

-1

Try running `npm audit fix` (Documentation)

Lars Johan
  • I should have added that I had tried this. This resolves some of the moderate ones but still shows 5 critical. – Stretch0 Dec 13 '21 at 11:51