storybook: [Bug]: The latest version depends on the highly vulnerable `ip` package

Describe the bug

The vulnerability is described here: https://github.com/advisories/GHSA-78xj-cgh5-2h22.

As far as I can see now, the ip package is used only once in the core-server package here — https://github.com/storybookjs/storybook/blob/ece1fb269cc44f43a5384f986a2b9f48613b0095/code/lib/core-server/src/utils/server-address.ts#L13C1-L13C80

This can easily be swapped with some other package, like for instance https://www.npmjs.com/package/ip-address, the way the socks lib maintainer did here — https://github.com/JoshGlazebrook/socks/pull/94/files.

WDYT guys? Is it a good candidate for a quick fix? I could participate if necessary with the PR, for sure.

To Reproduce

Install any storybook flavour via npm (most of them depend on the vulnerable package through core-server)

System

No response

Additional context

No response

About this issue

  • State: closed
  • Created 5 months ago
  • Reactions: 74
  • Comments: 19 (6 by maintainers)

Most upvoted comments

I definitely plan to patch this back to 7.6.x!

Just to set some context for the ip vulnerability:

The affected ip.isPublic() method is not used by Storybook. Hence, the vulnerability reported by npm audit doesn’t affect Storybook users. We should still consider replacing the package with another one since it isn’t maintained anymore.

@fyodorio Please feel free to create a PR with the quick fix 😃

@valentinpalkovic made the suggestion via https://github.com/storybookjs/storybook/pull/26025, please review, any feedback is welcome, as I’m a first-time contributor here.

Heads up: The 7.6.17 release contains the fix.

I’m replacing ip with https://www.npmjs.com/package/ip-address in some of my packages. I wanted to share this because it took some time for me to figure out what ip should be replaced with.
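As an added example, not code from this issue, from Storybook, or from the `ip` or `ip-address` packages: the advisory concerns `ip.isPublic()`, i.e. deciding whether an address is private or globally routable. The classifier below does that check with no dependency, accepting only canonical dotted-decimal IPv4 so that shorthand, hex or leading-zero notations are reported as invalid instead of being guessed at. The function names and the reserved-range table (RFC 1918 private ranges plus loopback, link-local, shared address space and the 224.0.0.0/3 multicast and reserved block) are my own choices.

```javascript
// Added example: strict IPv4 private/public classification without the `ip` package.
// Reserved/non-routable IPv4 blocks, as [network, prefix length].
const RESERVED_V4 = [
  ['0.0.0.0', 8],       // "this" network
  ['10.0.0.0', 8],      // RFC 1918
  ['100.64.0.0', 10],   // shared address space (CGNAT)
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['224.0.0.0', 3],     // multicast (224/4) plus reserved (240/4)
];

// Parse only canonical dotted-decimal ("a.b.c.d", each octet 0-255, no leading
// zeros). Anything else (hex octets, "127.1" shorthand, IPv6) returns null,
// so a caller cannot be tricked into treating an odd spelling as routable.
function parseIPv4Strict(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    // "010" is octal to some parsers and decimal to others: reject the ambiguity.
    if (octet.length > 1 && octet[0] === '0') return null;
    const n = Number(octet);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value; // 0 .. 2^32-1 as a plain number, avoiding signed 32-bit surprises
}

// True when `value` falls inside base/prefix. Division is used instead of
// bit shifts because JS shifts operate on signed 32-bit integers.
function inCidr(value, base, prefix) {
  const shift = 2 ** (32 - prefix);
  return Math.floor(value / shift) === Math.floor(parseIPv4Strict(base) / shift);
}

// Returns 'invalid', 'private' (reserved/non-routable) or 'public'.
function classifyIPv4(str) {
  const value = parseIPv4Strict(str);
  if (value === null) return 'invalid';
  const reserved = RESERVED_V4.some(([base, prefix]) => inCidr(value, base, prefix));
  return reserved ? 'private' : 'public';
}
```

Treating "invalid" as a hard failure (rather than falling through to "public") is the safe default when the result gates an outbound request or a bind address.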

Please use the 👍 emoji reaction on the initial issue message to upvote the issue, otherwise all core maintainers and participants get notified every time someone posts a „+1“ message, which additionally adds a lot of noise to the thread.

Correct! next is the right branch.

Oh no! Into next. Based on my research the Release bot generates changes.

For example, PR #25907 commits into next, and the release bot takes it as a generated changelog and commits it into the latest-release PR #25843.
