
Is it possible to remove the vulnerability introduced by react-dev-utils? #15754

Closed
vincentsum777 opened this issue Aug 4, 2021 · 2 comments

Comments

@vincentsum777

Hi, @shilman @gaetanmaisse, I stumbled upon a vulnerability introduced by package react-dev-utils@9.1.0:

Issue Description

When I build my project, I notice that @storybook/react@5.3.21 transitively depends on react-dev-utils@9.1.0. However, the vulnerability CVE-2021-24033 is detected in package react-dev-utils<11.0.4.
As far as I am aware, @storybook/react@5.3.21 is so popular that a large number of projects depend on it (170,758 downloads per week and about 1,385 downstream projects, e.g., @types/storybook__addon-info 5.2.4, @types/storybook-react-router 1.0.1, @types/storybook-addon-jsx 7.0.2, @types/storybook-readme 5.0.5, sku 10.14.0, etc.).
In this case, the vulnerability CVE-2021-24033 can be propagated into these downstream projects and expose security threats to them.
As you can see, @storybook/react@5.3.21 is introduced into the above projects via the following package dependency paths:
(1) @useweb/lib@0.23.0 ➔ storybook-addon-responsive-views@2.3.0 ➔ @storybook/react@5.3.21 ➔ @storybook/core@5.3.21 ➔ react-dev-utils@9.1.0
......

I know that it's kind of you to have removed the vulnerability since @storybook/react@6.0.0-beta.0. But, in fact, the above large number of downstream projects cannot easily upgrade @storybook/react from version 5.3.* to (>=6.0.0-beta.0):
The projects such as storybook-addon-responsive-views, which introduced @storybook/react@5.3.21, are not maintained anymore. These unmaintained packages can neither upgrade @storybook/react nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package @storybook/react@5.3.21?

Suggested Solution

Since these inactive projects set a version constraint 5.3.* for @storybook/react on the above vulnerable dependency paths, if @storybook/react removes the vulnerability from 5.3.21 and releases a new patched version @storybook/react@5.3.22, such a vulnerability patch can be automatically propagated into the downstream projects.

The simplest way to remove the vulnerability is to perform the following upgrade in @storybook/react@5.3.22:
@storybook/core 5.3.21 ➔ 6.1.20;
Note:
@storybook/core@6.1.20 (>=6.1.20) directly depends on react-dev-utils@11.0.4, which has fixed the vulnerability (CVE-2021-24033).
Of course, you are welcome to share other ways to deal with the issue.

Thank you for your help. ^_^
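The issue above argues from two things: the transitive path by which a vulnerable react-dev-utils reaches a downstream project, and the claim that a patch release inside the existing 5.3.* range would remove that path for everyone pinned to it. The script below is an added example (not code from the issue author or the Storybook project) that makes both checks mechanical: it walks a dependency graph and reports every path ending at a package whose version falls below the fixed version. The graph data is constructed from the versions named in the issue; @storybook/react@5.3.22 is the hypothetical patch release the issue proposes, and a real run would populate the graph from package-lock.json or `npm ls --all --json` instead.

```javascript
// Added example: find dependency paths to a vulnerable package version and
// confirm that a proposed upgrade removes them. Graph data below is CONSTRUCTED
// from versions quoted in the issue; it is not a real lockfile.

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Compare two semver strings: negative if a < b, 0 if equal, positive if a > b.
// A prerelease sorts below the same release version (6.0.0-beta.0 < 6.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Advisory-style range check of the form "<fixedIn".
function isVulnerable(version, fixedIn) {
  return compareVersions(version, fixedIn) < 0;
}

// Depth-first search over { "name@version": ["dep@version", ...] } edges.
// Returns every path from `root` to a node named `pkgName` whose version is
// below `fixedIn`, rendered as "a@1 -> b@2 -> ...".
function findVulnerablePaths(graph, root, pkgName, fixedIn) {
  const paths = [];
  const walk = (node, path) => {
    if (path.includes(node)) return; // cycle guard
    // Split on the last '@' so scoped names like @storybook/core keep theirs.
    const [name, version] = node.split(/@(?=[^@]+$)/);
    if (name === pkgName && isVulnerable(version, fixedIn)) {
      paths.push([...path, node].join(' -> '));
      return;
    }
    for (const dep of graph[node] || []) walk(dep, [...path, node]);
  };
  walk(root, []);
  return paths;
}

// CONSTRUCTED: dependency path (1) from the issue, before any fix.
const graphBefore = {
  '@useweb/lib@0.23.0': ['storybook-addon-responsive-views@2.3.0'],
  'storybook-addon-responsive-views@2.3.0': ['@storybook/react@5.3.21'],
  '@storybook/react@5.3.21': ['@storybook/core@5.3.21'],
  '@storybook/core@5.3.21': ['react-dev-utils@9.1.0'],
  'react-dev-utils@9.1.0': [],
};

// CONSTRUCTED: the same tree after the issue's suggested fix, i.e. a
// hypothetical @storybook/react@5.3.22 depending on @storybook/core@6.1.20.
const graphAfter = {
  '@useweb/lib@0.23.0': ['storybook-addon-responsive-views@2.3.0'],
  'storybook-addon-responsive-views@2.3.0': ['@storybook/react@5.3.22'],
  '@storybook/react@5.3.22': ['@storybook/core@6.1.20'],
  '@storybook/core@6.1.20': ['react-dev-utils@11.0.4'],
  'react-dev-utils@11.0.4': [],
};

// Per the issue, CVE-2021-24033 is fixed in react-dev-utils 11.0.4.
const FIXED_IN = '11.0.4';
const ROOT = '@useweb/lib@0.23.0';

console.log('before:', findVulnerablePaths(graphBefore, ROOT, 'react-dev-utils', FIXED_IN));
console.log('after: ', findVulnerablePaths(graphAfter, ROOT, 'react-dev-utils', FIXED_IN));
```

The "before" run reproduces path (1) from the issue; the "after" run returns no paths, which is the property a downstream project would want to verify once a patched release lands in its lockfile. Because the check works on the resolved version rather than the declared range, it also catches the case the issue worries about: a parent pinned to 5.3.* silently picking up whatever @storybook/core that range resolves to.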

@shilman
Member

shilman commented Aug 4, 2021

@vincentsum777 can I ask why you aren't able to upgrade Storybook 6.x? I'd rather devote energy to removing any blockers to upgrades since 6.x contains lots of security fixes (not to mention better performance, features, etc.). Thanks! 🙏

@shilman
Member

shilman commented Jan 6, 2022

Closing this as fixed in 6.5 with #17022

@shilman shilman closed this as completed Jan 6, 2022