
[Bug]: semver vulnerability in @storybook/manager-webpack5 #23547

Closed
dougy-fresh opened this issue Jul 21, 2023 · 8 comments · Fixed by #23396

@dougy-fresh

Describe the bug

Currently, @storybook/manager-webpack5 has a transitive dependency on semver@^5.6.0

node_modules/@babel/register/node_modules/semver
  semver@"^5.6.0" from make-dir@2.1.0
  node_modules/@babel/register/node_modules/make-dir
    make-dir@"^2.1.0" from @babel/register@7.21.0
    node_modules/@babel/register
      @babel/register@"^7.12.1" from @storybook/core-common@7.0.0-alpha.10
      node_modules/@storybook/core-webpack/node_modules/@storybook/core-common
        @storybook/core-common@"7.0.0-alpha.10" from @storybook/core-webpack@7.0.0-alpha.10
        node_modules/@storybook/core-webpack
          @storybook/core-webpack@"7.0.0-alpha.10" from @storybook/manager-webpack5@7.0.0-alpha.10
          node_modules/@storybook/manager-webpack5
            dev @storybook/manager-webpack5@"^7.0.0-alpha.10" from the root project

This version of semver has an outstanding CVE against it

Weaknesses: CWE-1333

CVE ID: CVE-2022-25883

GHSA ID: GHSA-c2qf-rxjj-qqgw

To Reproduce

» npm init --yes
» npm i -S @storybook/manager-webpack5
» npx snyk test

Note that we are getting our error report via Dependabot, rather than snyk, but this was the minimal repro I could come up with -- I didn't want to file a repro that required setting up a github repository.

System

Environment Info:

  System:
    OS: macOS 13.4.1
    CPU: (8) arm64 Apple M1
  Binaries:
    Node: 18.14.1 - /usr/local/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 9.3.1 - /usr/local/bin/npm
  Browsers:
    Chrome: 115.0.5790.98
    Safari: 16.5.2
  npmPackages:
    @storybook/manager-webpack5: ^6.5.16 => 6.5.16

Additional context

This is loosely connected to #23546
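The check a practitioner would want here, as an added example that is not Storybook's code and not part of the original report: walk the flat `packages` map of an npm lockfile (lockfileVersion 2 or 3, as written by npm 7+), flag every copy of `semver` whose version falls inside the ranges the GHSA-c2qf-rxjj-qqgw advisory lists for CVE-2022-25883 (below 5.7.2, 6.0.0 up to 6.3.1, 7.0.0 up to 7.5.2), and emit an npm `overrides` block pinning each copy to the first patched release on its own major line. The sample lockfile is constructed to mirror the `@babel/register -> make-dir -> semver@5.6.0` chain from the report plus a `simple-update-notifier -> semver@7.0.0` copy; the function and variable names are the example's own.

```javascript
// Added example (not Storybook's code): audit an npm lockfile for copies of
// semver affected by CVE-2022-25883 and build an "overrides" block for them.
// Node built-ins only; works on a parsed lockfile object, so it runs offline.
'use strict';

// Affected ranges per GHSA-c2qf-rxjj-qqgw; patched releases are 5.7.2, 6.3.1, 7.5.2.
const AFFECTED = [
  { lt: '5.7.2' },                  // every release before 5.7.2 (4.x included)
  { gte: '6.0.0', lt: '6.3.1' },
  { gte: '7.0.0', lt: '7.5.2' },
];
const PATCHED = { 5: '5.7.2', 6: '6.3.1', 7: '7.5.2' };

// Parse "major.minor.patch" (prerelease/build suffixes ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two exact versions: -1, 0 or 1.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isVulnerableSemver(version) {
  return AFFECTED.some(r =>
    (r.gte === undefined || compare(version, r.gte) >= 0) && compare(version, r.lt) < 0);
}

// First patched release on the same major line; anything older than 5.x maps to 5.7.2.
function patchedFor(version) {
  const [major] = parseVersion(version);
  return PATCHED[Math.max(major, 5)] || null;
}

// Lockfile keys are install paths such as "node_modules/@babel/register/node_modules/semver".
// The segment before the last "node_modules/" is the package under whose subtree
// the copy was installed (with hoisting, not necessarily the package that requires it).
function findVulnerableSemver(lock) {
  if (!lock.packages) throw new Error('lockfileVersion 2 or 3 required (npm 7+)');
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (!installPath.startsWith('node_modules/')) continue;   // "" is the root project
    const segments = installPath.slice('node_modules/'.length).split('/node_modules/');
    const name = segments[segments.length - 1];
    if (name !== 'semver' || !entry.version || !isVulnerableSemver(entry.version)) continue;
    findings.push({
      path: installPath,
      version: entry.version,
      parent: segments.length > 1 ? segments[segments.length - 2] : null,
      patched: patchedFor(entry.version),
    });
  }
  return findings;
}

// A nested override key applies to that package's whole subtree, so keying on the
// path parent still covers make-dir's semver when npm hoisted it under @babel/register.
// Pinning per major line avoids forcing a 5.x consumer onto semver 7.
function buildOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (f.parent === null) overrides.semver = f.patched;
    else overrides[f.parent] = { ...(overrides[f.parent] || {}), semver: f.patched };
  }
  return overrides;
}

// Constructed lockfile fragment (not a real file) mirroring the chain in the report
// plus the simple-update-notifier copy discussed later in the thread.
const sampleLock = {
  name: 'repro',
  lockfileVersion: 3,
  packages: {
    '': { name: 'repro', devDependencies: { '@storybook/manager-webpack5': '^7.0.0-alpha.10' } },
    'node_modules/semver': { version: '7.5.4' },                 // hoisted copy, already patched
    'node_modules/@babel/register': { version: '7.21.0' },
    'node_modules/@babel/register/node_modules/make-dir': { version: '2.1.0' },
    'node_modules/@babel/register/node_modules/semver': { version: '5.6.0' },
    'node_modules/simple-update-notifier': { version: '1.1.0' },
    'node_modules/simple-update-notifier/node_modules/semver': { version: '7.0.0' },
  },
};

const findings = findVulnerableSemver(sampleLock);
for (const f of findings) {
  console.log(`${f.path}: semver@${f.version} affected by CVE-2022-25883, pin to ${f.patched}`);
}
console.log(JSON.stringify({ overrides: buildOverrides(findings) }, null, 2));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The generated `overrides` block goes into the root `package.json` and is the lever the thread's maintainers point at: a consumer can pin a transitive `semver` without waiting for an upstream release, as long as the dependent package's own range (here `make-dir`'s `^5.6.0`) admits the patched version.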

@dougy-fresh (Author)

I don't think that we can fix this just now -- it looks like the most recent version of @babel/register still has this vulnerability; I'll link the appropriate issue once I find or file it.

@dougy-fresh dougy-fresh changed the title [Bug]: semver vulnerability in @storybook/manager-webpack5@ [Bug]: semver vulnerability in @storybook/manager-webpack5 Jul 21, 2023
@shilman (Member) commented Jul 21, 2023

Thanks for the heads up! Also, when we do get a chance to fix this, it's likely that the fix will only be available in 7.x

@shilman (Member) commented Jul 21, 2023

@yannbf at some point recently you mentioned setting up some sandboxes outside of the monorepo. would you also be able to set up snyk or something similar on that repo to catch stuff like this automatically? as i recall there are reasons we don't want it on the monorepo (@ndelangen can say more) but i think having it on a satellite sandbox-style repo should be useful

@ndelangen (Member)

Well, normally there's nothing we can really do about transitive dependencies.

Do we want to get notifications we can't do anything about?

When security issues happen, very often those dependencies of Storybook are in version ranges that allow users to pick the newest releases without our intervention or a release having to happen.

@abdouthetif

After updating to storybook 7.1.0, the only package causing this vulnerability is simple-update-notifier@1.1.0, which uses semver@7.0.0

@ndelangen (Member)

Which we're on the latest version of:

"simple-update-notifier": "^2.0.0",

@abdouthetif

No, it's not on the latest version: storybook@7.1.1 still has simple-update-notifier@1.1.0. The update is in this PR, which was merged to storybookjs:next 5 hours ago, so it's not in the storybook@7.1.1 release.

@valentinpalkovic (Contributor)

Closing this as completed in #23547. The fix will be released with 7.2.0
