chore: fix 30 of 31 security advisories (devDependencies only)#423
iamdarshshah wants to merge 3 commits into master from
Conversation
- Upgrade Storybook v7 → v10 (resolves critical Handlebars injection, clears lodash/tar/minimatch chains from the webpack5 builder)
- Upgrade rollup v1 → v4 + migrate to @rollup/plugin-* (resolves DOM clobbering and path traversal advisories)
- Upgrade rimraf v3 → v5 (drops old glob → minimatch chain)
- Add yarn resolutions to force patched versions of: handlebars, lodash, flatted, yaml, serialize-javascript, picomatch
- Exclude src/stories from main tsconfig; add tsconfig.storybook.json with moduleResolution:bundler for Storybook v10 type compat

Audit: 213 paths (31 advisories) → 1 path (1 low advisory). Published package is unaffected — zero runtime dependencies.

Size Change: -14 B (-0.16%) Total Size: 8.59 kB
src/stories was excluded from tsconfig.json (needed for the Storybook v10 moduleResolution: node16 requirement) but ESLint still linted those files — causing "file not found in project" parse errors. Fix: add an overrides block in .eslintrc.js pointing stories files to tsconfig.storybook.json, and add an explicit exclude in tsconfig.storybook.json so it doesn't inherit the parent's exclusion of src/stories.
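The shape of the ESLint fix described in that commit, as an added illustration rather than the PR's own .eslintrc.js: the main `parserOptions.project` stays on tsconfig.json (which now excludes src/stories), and an `overrides` entry re-points only the story files at tsconfig.storybook.json. The story glob, the inclusion of the .storybook directory, and the plugin/extends lists are assumptions, not taken from the repository.

```javascript
// Added example (not the PR's .eslintrc.js). Globs and plugin lists are assumptions.
//
// Problem: the main tsconfig.json excludes src/stories, so @typescript-eslint/parser,
// configured with parserOptions.project = ./tsconfig.json, reports
// "file not found in project" for every story file it is asked to lint.
// Fix: an `overrides` entry assigns just those files to the Storybook-specific
// TS project, so they are type-aware-linted without re-adding them to the library build.
module.exports = {
  root: true,
  parser: '@typescript-eslint/parser',
  parserOptions: {
    // Main project: src/stories is excluded here, which is what broke linting.
    project: './tsconfig.json',
  },
  plugins: ['@typescript-eslint'],
  extends: ['eslint:recommended', 'plugin:@typescript-eslint/recommended'],
  overrides: [
    {
      // Assumed paths: story files plus the Storybook config directory, both of
      // which need moduleResolution: bundler for the Storybook v10 types.
      files: ['src/stories/**/*.{ts,tsx}', '.storybook/**/*.{ts,tsx}'],
      parserOptions: {
        // This tsconfig must carry its own `exclude` (e.g. an empty array);
        // otherwise it inherits the parent's exclusion of src/stories and the
        // same "file not found in project" error comes back.
        project: './tsconfig.storybook.json',
      },
    },
  ],
};
```

The companion tsconfig.storybook.json would then be of the form `{ "extends": "./tsconfig.json", "compilerOptions": { "moduleResolution": "bundler" }, "include": ["src/stories", ".storybook"], "exclude": [] }`; the explicit `"exclude": []` is the part the commit message calls out, because `exclude` is otherwise inherited from the base config rather than merged.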
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## master #423 +/- ##
=======================================
Coverage 79.33% 79.33%
=======================================
Files 2 2
Lines 150 150
Branches 56 56
=======================================
Hits 119 119
Misses 24 24
Partials 7 7
Storybook v8+ removed Babel from the default webpack5 build — it must be opted in via @storybook/addon-webpack5-compiler-babel. Without it, webpack has no TypeScript transpiler and .ts/.tsx files fail to parse (the Netlify CI failure). Also bumps react/react-dom devDependencies to ^18.2.0 and @types/react* to ^18 — Storybook v10 internally uses useSyncExternalStore and useInsertionEffect which were added in React 18. Note: peerDependencies stay at >=17 — consumers are unaffected.
Summary

All 31 GitHub security advisories are in devDependencies — the published npm package has zero runtime dependencies and consumers are not affected.

This PR reduces audit findings from 213 paths (31 unique advisories) to 1 (1 low-severity advisory).

Changes

Upgrades
- rollup-plugin-* → @rollup/plugin-*) — resolves DOM clobbering and path traversal advisories

yarn resolutions (forced patched versions of unfixable transitive deps)
- handlebars >=4.7.9 — critical in ts-jest
- lodash >=4.17.23 — high/moderate in storybook builder
- flatted >=3.4.2 — high in eslint + storybook
- yaml >=2.8.3 — moderate in lint-staged
- serialize-javascript >=7.0.5 — high/moderate in storybook webpack5
- picomatch >=2.3.2 — high in jest

Housekeeping (fallout from Storybook v10 migration)
- src/stories/stories.tsx: import updated to @storybook/react (v10 no longer re-exports types from the webpack5 package)
- tsconfig.json: excluded src/stories (storybook v10 types require moduleResolution: bundler, incompatible with the lib's node setting)
- tsconfig.storybook.json: new file extending main tsconfig with moduleResolution: bundler for stories/storybook config type-checking

Remaining advisory

@tootallnate/once@2.0.0 (low) via jest-environment-jsdom. The patched version (>=3.0.1) is a major bump that would risk breaking jsdom's HTTP agent. Acceptable to leave at low severity.

Test plan
- yarn build — clean output, no errors
- yarn test — 23/23 passing
- yarn audit — 1 low remaining (down from 1 critical, 18 high, 9 moderate, 3 low)
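A yarn `resolutions` block only states the floor the maintainer wants; whether every installed copy of a package actually meets it is a separate question, and a lockfile can still carry a second, older copy of a hoisted package. The script below is an added example (not code from this PR or the project) that takes the six floors listed in the description above and checks a map of installed versions against them. The `installedSample` map is constructed for the demonstration; in practice it would be filled from the lockfile or from `yarn list --json` output. Only `>=x.y.z` ranges are handled, which is all the PR uses.

```javascript
// Added example, not part of PR #423. Checks that the versions present in an
// install satisfy the minimum versions forced via yarn "resolutions".

// The floors exactly as listed in the PR description.
const resolutions = {
  handlebars: '>=4.7.9',
  lodash: '>=4.17.23',
  flatted: '>=3.4.2',
  yaml: '>=2.8.3',
  'serialize-javascript': '>=7.0.5',
  picomatch: '>=2.3.2',
};

// Constructed sample of what an install might contain (one package name can
// appear several times in a lockfile when different consumers pin different
// ranges). Here lodash still has a stale 4.17.21 copy alongside the patched one.
const installedSample = {
  handlebars: ['4.7.9'],
  lodash: ['4.17.23', '4.17.21'],
  flatted: ['3.4.2'],
  yaml: ['2.8.3'],
  'serialize-javascript': ['7.0.5'],
  picomatch: ['2.3.2', '4.0.2'],
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
// Comparing as numbers matters: as strings "10.0.0" sorts below "9.0.0".
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 like a comparator; prerelease tags are ignored for this purpose.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` meets a ">=x.y.z" floor. Other range syntaxes are rejected
// loudly rather than silently treated as satisfied.
function satisfiesMinimum(version, range) {
  const m = /^>=\s*(\S+)$/.exec(range);
  if (!m) throw new Error(`only ">=x.y.z" floors are handled: ${range}`);
  return compareSemver(version, m[1]) >= 0;
}

// Returns one entry per installed copy that is below its floor, plus one entry
// (version: null) for any resolved package that is not installed at all, since
// a resolution for a package that has vanished may mean the audit moved elsewhere.
function findUnpatched(resolutionMap, installed) {
  const problems = [];
  for (const [name, range] of Object.entries(resolutionMap)) {
    const versions = installed[name] || [];
    if (versions.length === 0) {
      problems.push({ name, version: null, range });
      continue;
    }
    for (const version of versions) {
      if (!satisfiesMinimum(version, range)) problems.push({ name, version, range });
    }
  }
  return problems;
}

// Run against the constructed sample: flags the stray lodash 4.17.21 copy.
const report = findUnpatched(resolutions, installedSample);
console.log(report.length === 0 ? 'all resolutions satisfied' : report);
```

The check is deliberately strict about range syntax: a resolution written as `^4.17.23` or `4.x` would throw rather than be reported as satisfied, which is the failure mode you want when the script runs in CI next to `yarn audit`.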