
Issue #17179: @storybook/core-server pins cli-table3 to v0.6.0, which prevents upgrades to v0.6.1, which includes a security fix

Closed · epmatsw opened this issue Jan 9, 2022 · 13 comments

@epmatsw commented Jan 9, 2022

Describe the bug
colors intentionally published a DoS in 1.4.1 and higher. cli-table3 v0.6.1 locks their dependency to known-good versions of colors. However, @storybook/core-server pins cli-table3 to v0.6.0, which prevents taking that update:

    "cli-table3": "0.6.0",

It's not clear to me why that version is so strict (given that there are other 0.x dependencies in that package.json using ^ ranges), but it seems like one of the following would be a nice improvement:

  • Allow ~0.6.0 to allow bugfix updates in general
  • Require 0.6.1 if a specific version is required for some reason (this might be breaking?)
  • Allow ^0.6.0 to allow maximum compatibility
@shilman (Member) commented Jan 10, 2022

@epmatsw thanks so much for the heads up. I'm not sure why this version is restricted (@ndelangen) but will release a careted version to get things unstuck for now & then potentially revise later if needed.

@shilman (Member) commented Jan 10, 2022

Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.12 containing PR #17180 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease

Closing this issue. Please re-open if you think there's still more to do.

shilman closed this as completed Jan 10, 2022

@shilman (Member) commented Jan 10, 2022

Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.10 containing PR #17180 that references this issue. Upgrade today to the @latest NPM tag to try it out!

npx sb upgrade

@shilman (Member) commented Jan 10, 2022

Son of a gun!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.3.13 containing PR #17180 that references this issue. Upgrade today to the @latest NPM tag to try it out!

npx sb upgrade

@shilman (Member) commented Jan 10, 2022

Crikey!! I just released https://github.com/storybookjs/storybook/releases/tag/v5.3.22 containing PR #17182 that references this issue. Upgrade today to the @latest NPM tag to try it out!

npx sb upgrade

@epmatsw (Author) commented Jan 10, 2022

No problem! Thanks for the quick turnaround!

@bozdoz commented Jan 11, 2022

FYI, for the 0.X.X versions, the tilde and caret work differently, only allowing patch updates. i.e. ^0.6.0 doesn't include 0.7.0. Whereas ^1.6.0 does include 1.7.0. Check it out here: https://semver.npmjs.com/

Doesn't impact the fix for cli-table3. Just FYI 😄

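The two points made above (an exact pin such as "cli-table3": "0.6.0" blocks the 0.6.1 fix, and ^ and ~ both collapse to patch-only below 1.0.0) as an added example that is not part of this thread or of Storybook's or cli-table3's code. It implements the exact/tilde/caret rules for plain x.y.z versions (no prerelease tags, hyphen or comparator ranges) and runs a small audit over a constructed lockfileVersion 2 package-lock object; the package versions in that sample (core-server 6.4.9, colors 1.4.2) are illustrative assumptions, not taken from the issue.

```javascript
// Added example, not Storybook's or cli-table3's code.
// Minimal npm-style range matching plus a lockfile audit for the
// situation described in this issue.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lower (inclusive) and upper (exclusive) bound of an exact, ~ or ^ range.
function rangeBounds(range) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const [M, m, p] = base;
  let upper;
  if (op === '') {
    upper = [M, m, p + 1];   // exact pin: this version only
  } else if (op === '~') {
    upper = [M, m + 1, 0];   // tilde: patch updates only
  } else if (M > 0) {
    upper = [M + 1, 0, 0];   // caret at >=1.0.0: minor and patch updates
  } else if (m > 0) {
    upper = [0, m + 1, 0];   // caret at 0.x.y: patch updates only
  } else {
    upper = [0, 0, p + 1];   // caret at 0.0.x: this version only
  }
  return { lower: base, upper };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// The issue describes colors 1.4.1 and higher as carrying the intentional DoS.
const COLORS_BAD_FROM = '1.4.1';

// Walk a lockfileVersion 2 "packages" map and report (a) installed colors
// versions at or above COLORS_BAD_FROM and (b) anyone declaring an exact
// (un-ranged) pin on cli-table3, which is what blocked the 0.6.1 fix.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path
      ? path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length)
      : '(root project)';
    if (name === 'colors' &&
        compare(parseVersion(meta.version), parseVersion(COLORS_BAD_FROM)) >= 0) {
      findings.push({ kind: 'vulnerable-colors', path, version: meta.version });
    }
    const pin = meta.dependencies && meta.dependencies['cli-table3'];
    if (pin && !/^[~^]/.test(pin)) {
      findings.push({ kind: 'exact-pin', path, range: pin });
    }
  }
  return findings;
}

// Constructed sample lock, not a real project's lockfile. The storybook and
// colors versions here are assumptions chosen to show both findings.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', dependencies: { '@storybook/core-server': '6.4.9' } },
    'node_modules/@storybook/core-server': {
      version: '6.4.9',
      dependencies: { 'cli-table3': '0.6.0' },
    },
    'node_modules/cli-table3': {
      version: '0.6.0',
      dependencies: { colors: '^1.1.2' },
    },
    'node_modules/colors': { version: '1.4.2' },
  },
};

// Usage: the exact pin rejects 0.6.1 while ~0.6.0 accepts it, and the audit
// surfaces both the bad colors version and the pin that keeps it there.
console.log(satisfies('0.6.1', '0.6.0'), satisfies('0.6.1', '~0.6.0'));
console.log(satisfies('0.7.0', '^0.6.0'), satisfies('1.7.0', '^1.6.0'));
console.log(auditLock(SAMPLE_LOCK));
```

A real lockfile check would read package-lock.json from disk and feed it to auditLock; the sample object stands in for that so the snippet runs offline.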
@shilman (Member) commented Jan 11, 2022

@bozdoz thanks for the reminder! 🙏

@okraciunas commented

Hey everyone!

I have a project that uses the 5.3.17 version. I'm trying to update the dependencies to 5.3.22 and cli-table3 didn't update.

My package.json before the update:

[screenshot: package.json before the update]

Command to update to latest version from major 5:

npm i --D @storybook/addon-a11y@5 @storybook/addon-actions@5 @storybook/addon-backgrounds@5 @storybook/addon-docs@5 @storybook/addon-knobs@5 @storybook/addon-links@5 @storybook/addon-options@5 @storybook/addon-viewport@5 @storybook/addons@5 @storybook/react@5

The package.json after:

[screenshot: package.json after the update]

Looking for cli-table3 in package-lock.json, the version is still the same - 0.5.1 - and the version of @storybook/core is 5.3.21:

[screenshots: cli-table3 0.5.1 and @storybook/core 5.3.21 entries in package-lock.json]

What I have already done, and didn't work:

  • Removed all Storybook dependencies;
  • Removed node_modules;
  • Installed project dependencies;
  • Installed Storybook dependencies;

I created a blank repository with basic Storybook config and I got the same result.

What did I do wrong? Could you help me with this issue?

Thanks!

@shilman (Member) commented Jan 17, 2022

@okraciunas it looks like the 5.3.22 publish failed somehow. I'll try to look into it this week. However, when I ran your repro, I didn't see any color.js stuff ... so is 5.3.22 actually needed?

@okraciunas commented

@shilman Thanks a lot!

In this repository it's not needed, 'cause it is a simple configuration that I tried to reproduce the situation when updating the Storybook. But in my other repository - it's a private one - it's necessary.

@asakatauskas-pagseguro commented

@shilman, I have the same problem as @okraciunas ... still stuck on version 5.3.21.

@NicoMazitelli commented

any news on v5.3.22? :(


6 participants