@storybook/core-server pins cli-table3 to v0.6.0, which prevents upgrades to v0.6.1, which includes a security fix #17179
Comments
@epmatsw thanks so much for the heads up. i'm not sure why this version is restricted (@ndelangen) but will release a careted version to get things unstuck for now & then potentially revise later if needed.
Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.12 containing PR #17180 that references this issue. Upgrade today to the
Closing this issue. Please re-open if you think there's still more to do.
Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.10 containing PR #17180 that references this issue. Upgrade today to the
Son of a gun!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.3.13 containing PR #17180 that references this issue. Upgrade today to the
Crikey!! I just released https://github.com/storybookjs/storybook/releases/tag/v5.3.22 containing PR #17182 that references this issue. Upgrade today to the
No problem! Thanks for the quick turnaround!
FYI, for the 0.X.X versions, the tilde and caret work differently, only allowing patch updates. i.e. Doesn't impact the fix for cli-table3. Just FYI 😄
@bozdoz thanks for the reminder! 🙏
Hey everyone! I have a project that uses the 5.3.17 version. I'm trying to update the dependencies to 5.3.22 and the
My Command to update to latest version from major 5:
npm i --D @storybook/addon-a11y@5 @storybook/addon-actions@5 @storybook/addon-backgrounds@5 @storybook/addon-docs@5 @storybook/addon-knobs@5 @storybook/addon-links@5 @storybook/addon-options@5 @storybook/addon-viewport@5 @storybook/addons@5 @storybook/react@5
The Looking for
What I have already done, and didn't work:
I created a blank repository with basic Storybook config and I got the same result.
What did I do wrong? Could you help me with this issue? Thanks!
@okraciunas it looks like the 5.3.22 publish failed somehow. i'll try to look into it this week. however when i ran your repro, i didn't see any
@shilman Thanks a lot! In this repository it's not needed, 'cause it is a simple configuration that I tried to reproduce the situation when updating the Storybook. But in my other repository - it's a private one - it's necessary.
@shilman, i have the same problem as @okraciunas ... still stuck on version 5.3.21.
any news on v5.3.22? :(
Describe the bug
colors intentionally published a DoS in 1.4.1 and higher. cli-table3 v0.6.1 locks their dependency to known-good versions of colors. However, @storybook/core-server pins cli-table3 to v0.6.0, which prevents taking that update:
storybook/lib/core-server/package.json
Line 61 in cc14131
It's not clear to me why that version is so strict (given that there are other 0.x dependencies in that package.json using ^ ranges), but it seems like one of the following would be a nice improvement:
~0.6.0 to allow bugfix updates in general
0.6.1 if a specific version is required for some reason (this might be breaking?)
^0.6.0 to allow maximum compatibility