[Bug]: High vulnerabilities in Storybook 7.5.0 when used

[shajjhusein]

We have identified high-severity vulnerabilities in projects using Storybook version "^7.5.0" alongside TypeScript version 5. The issue arises when integrating the latest TypeScript with Storybook, potentially affecting the security and stability of the development environment. These vulnerabilities could compromise the application's security or affect its functionality, posing a significant risk to projects using this configuration.

To Reproduce

Initialize a new project with Storybook "^7.5.0" and TypeScript "^5.0.0".
Configure TypeScript according to the recommended setup for use with Storybook.
Run a security audit using npm audit or another vulnerability scanning tool.
Observe the reported vulnerabilities directly related to the Storybook and TypeScript integration.
Expected Behavior:
Using Storybook with TypeScript should not introduce high-severity vulnerabilities into the project. The integration should be secure and stable, allowing developers to leverage both tools' features without compromising security.

Actual Behavior:
The security audit reveals high-severity vulnerabilities when Storybook "^7.5.0" is used in conjunction with TypeScript v5. These vulnerabilities could lead to potential security risks for the project.

Screenshots/Logs:

System

Storybook Environment Info:

  System:
    OS: Linux 5.15 Ubuntu 20.04.6 LTS (Focal Fossa)
    CPU: (12) x64 12th Gen Intel(R) Core(TM) i7-1255U
    Shell: 5.0.17 - /bin/bash
  Binaries:
    Node: 20.10.0 - ~/.nvm/versions/node/v20.10.0/bin/node
    Yarn: 1.22.19 - /usr/bin/yarn
    npm: 10.2.3 - ~/.nvm/versions/node/v20.10.0/bin/npm <----- active
  Browsers:
    Chrome: 121.0.6167.160
  npmPackages:
    @storybook/addon-a11y: ^7.5.0 => 7.6.13 
    @storybook/addon-actions: ^7.5.0 => 7.6.13 
    @storybook/addon-backgrounds: ^7.5.0 => 7.6.13 
    @storybook/addon-controls: ^7.5.0 => 7.6.13 
    @storybook/addon-coverage: ^0.0.9 => 0.0.9 
    @storybook/addon-designs: ^7.0.7 => 7.0.9 
    @storybook/addon-docs: ^7.5.0 => 7.6.13 
    @storybook/addon-interactions: ^7.5.1 => 7.6.13 
    @storybook/addon-links: ^7.5.0 => 7.6.13 
    @storybook/addon-measure: ^7.5.0 => 7.6.13 
    @storybook/addon-outline: 7.5.0 => 7.5.0 
    @storybook/addon-storyshots: ^7.5.0 => 7.6.13 
    @storybook/addon-storysource: ^7.5.0 => 7.6.13 
    @storybook/addon-themes: ^7.5.3 => 7.6.13 
    @storybook/addon-viewport: ^7.5.0 => 7.6.13 
    @storybook/jest: ^0.2.3 => 0.2.3 
    @storybook/preview-api: ^7.5.0 => 7.6.13 
    @storybook/react-webpack5: ^7.5.1 => 7.6.13 
    @storybook/test-runner: ^0.16.0 => 0.16.0 
    @storybook/testing-library: ^0.2.2 => 0.2.2 
    storybook: ^7.5.0 => 7.6.13

Additional context

my packages list
├── @babel/core@7.23.9
├── @babel/preset-env@7.22.10
├── @babel/preset-react@7.22.5
├── @babel/preset-typescript@7.22.5
├── @emotion/eslint-plugin@11.11.0
├── @emotion/jest@11.11.0
├── @emotion/react@11.11.3
├── @emotion/styled@11.11.0
├── @mui/material@5.15.9
├── @mui/system@5.15.9
├── @mui/x-data-grid@6.19.3
├── @mui/x-date-pickers@5.0.20
├── @react-pdf-viewer/core@3.12.0
├── @react-pdf-viewer/default-layout@3.12.0
├── @rollup/plugin-commonjs@25.0.7
├── @rollup/plugin-node-resolve@15.2.3
├── @rollup/plugin-terser@0.4.4
├── @rollup/plugin-typescript@11.1.6
├── @rollup/plugin-url@8.0.2
├── @storybook/addon-a11y@7.6.13
├── @storybook/addon-actions@7.6.13
├── @storybook/addon-backgrounds@7.6.13
├── @storybook/addon-controls@7.6.13
├── @storybook/addon-coverage@0.0.9
├── @storybook/addon-designs@7.0.9
├── @storybook/addon-docs@7.6.13
├── @storybook/addon-interactions@7.6.13
├── @storybook/addon-links@7.6.13
├── @storybook/addon-measure@7.6.13
├── @storybook/addon-outline@7.5.0
├── @storybook/addon-storyshots@7.6.13
├── @storybook/addon-storysource@7.6.13
├── @storybook/addon-themes@7.6.13
├── @storybook/addon-viewport@7.6.13
├── @storybook/jest@0.2.3
├── @storybook/preview-api@7.6.13
├── @storybook/react-webpack5@7.6.13
├── @storybook/test-runner@0.16.0
├── @storybook/testing-library@0.2.2
├── @svgr/cli@6.5.1
├── @svgr/rollup@8.1.0
├── @svgr/webpack@6.5.1
├── @testing-library/dom@8.20.1
├── @testing-library/jest-dom@5.17.0
├── @testing-library/react@13.4.0
├── @testing-library/user-event@13.5.0
├── @types/css-mediaquery@0.1.4
├── @types/jest@29.5.12
├── @types/node@16.18.79
├── @types/react-dom@18.2.19
├── @types/react-slick@0.23.13
├── @types/react@18.2.55
├── @types/uuid@9.0.8
├── @typescript-eslint/eslint-plugin@5.62.0
├── @typescript-eslint/parser@5.62.0
├── babel-loader@8.3.0
├── babel-plugin-require-context-hook@1.0.0
├── core-js@3.32.1
├── cross-env@7.0.3
├── css-loader@6.10.0
├── css-mediaquery@0.1.2
├── date-fns@2.30.0
├── eslint-config-prettier@8.10.0
├── eslint-plugin-jsx-a11y@6.8.0
├── eslint-plugin-prettier@4.2.1
├── eslint-plugin-react@7.33.2
├── eslint@8.56.0
├── gh-pages@3.2.3
├── husky@8.0.3
├── identity-obj-proxy@3.0.0
├── is-ci@3.0.1
├── jest-environment-jsdom@29.7.0
├── jest-transform-stub@2.0.0
├── jest@29.7.0
├── marked@9.1.6
├── prettier@2.8.8
├── react-dom@18.2.0
├── react-dropzone@14.2.3
├── react-number-format@4.9.4
├── react-player@2.14.1
├── react-router-dom@6.22.0
├── react-simple-image-viewer@1.2.2
├── react-slick@0.29.0
├── react@18.2.0
├── rimraf@3.0.2
├── rollup-plugin-peer-deps-external@2.2.4
├── rollup-plugin-postcss@4.0.2
├── rollup-plugin-visualizer@5.12.0
├── rollup@2.79.1
├── slick-carousel@1.8.1
├── storybook@7.6.13
├── style-loader@3.3.4
├── ts-jest@29.1.2
├── ts-node@10.9.2
└── typescript@5.3.3

[shajjhusein]

npm audit
Debugger listening on ws://127.0.0.1:43613/cd365c07-54a9-4975-97a3-c63c855de8f7
For help, see: https://nodejs.org/en/docs/inspector
Debugger attached.

npm audit report

ip *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - GHSA-78xj-cgh5-2h22
fix available via npm audit fix --force
Will install storybook@6.5.16, which is a breaking change
node_modules/ip
@storybook/core-server *
Depends on vulnerable versions of ip
node_modules/@storybook/core-server
@storybook/cli <=0.0.0-pr-26000-sha-a16f2ba7 || >=6.5.17-alpha.0
Depends on vulnerable versions of @storybook/core-server
node_modules/@storybook/cli
storybook <=0.0.0-pr-26000-sha-a16f2ba7 || >=6.5.17-alpha.0
Depends on vulnerable versions of @storybook/cli
node_modules/storybook

4 high severity vulnerabilities

[valentinpalkovic]

Just to set some context for the ip vulnerability:

The affected ip.isPublic() method is not used by Storybook. Hence, the vulnerability reported by npm audit doesn't affect Storybook users. We still might consider replacing the package with another one, since it doesn't seem to be maintained anymore.

cc @shilman, @vanessayuenn

[shajjhusein]

@valentinpalkovic While the affected ip.isPublic() method is not currently utilized within Storybook, it's worth considering its presence in the project, especially given the reported vulnerability and the fact that the package seems to be unmaintained. Even though it may not directly impact Storybook users at the moment, having potentially vulnerable or unmaintained dependencies in the codebase could pose risks in the future. Therefore, it might be prudent to explore replacing the package with an alternative that is actively maintained and free of vulnerabilities

[valentinpalkovic]

I agree! Let’s continue the discussion about the ip vulnerability here.

[cm-kato-moqrin]

I will work on it!

[valentinpalkovic]

Just fyi. The ip vulnerability is already handled here #26025