[Bug]: The storybook 7.6.* version depends on the highly vulnerable ip package #28257

Open
sridhar614 opened this issue Jun 17, 2024 · 3 comments


sridhar614 commented Jun 17, 2024

Describe the bug

I am encountering a high vulnerability issue flagged by npm audit related to the ip package. This issue is present in the storybook core-server dependency. I noticed that this vulnerability has been addressed in the latest release of Storybook (version 8.1.9), and it got fixed in #26014.

Can we reroll the patch to 7.6.*, which will be helpful for users who are on 7.6.*?

Reproduction link

https://github.com/storybookjs/storybook

Reproduction steps

Screenshot 2024-06-17 at 10 28 38 AM

System

npx storybook@latest info

Storybook Environment Info:

  System:
    OS: macOS 14.5
    CPU: (10) arm64 Apple M1 Max
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.12.2 - /opt/homebrew/opt/node@20/bin/node
    Yarn: 1.22.19 - /opt/homebrew/bin/yarn
    npm: 10.5.0 - /opt/homebrew/opt/node@20/bin/npm <----- active
  Browsers:
    Chrome: 125.0.6422.142
    Edge: 126.0.2592.56
    Safari: 17.5
  npmPackages:
    @storybook/addon-a11y: 7.6.17 => 7.6.17
    @storybook/addon-actions: 7.6.17 => 7.6.17
    @storybook/addon-controls: 7.6.17 => 7.6.17
    @storybook/addon-designs: 7.0.9 => 7.0.9
    @storybook/addon-docs: 7.6.17 => 7.6.17
    @storybook/addon-storysource: 7.6.17 => 7.6.17
    @storybook/addon-toolbars: 7.6.17 => 7.6.17
    @storybook/addon-viewport: 7.6.17 => 7.6.17
    @storybook/addons: 7.6.17 => 7.6.17
    @storybook/api: 7.6.17 => 7.6.17
    @storybook/cli: 7.6.17 => 7.6.17
    @storybook/client-api: 7.6.17 => 7.6.17
    @storybook/components: 7.6.17 => 7.6.17
    @storybook/core-client: 7.6.17 => 7.6.17
    @storybook/core-events: 7.6.17 => 7.6.17
    @storybook/core-server: 7.6.17 => 7.6.17
    @storybook/html: 7.6.17 => 7.6.17
    @storybook/manager-api: 7.6.17 => 7.6.17
    @storybook/preview-api: 7.6.17 => 7.6.17
    @storybook/source-loader: 7.6.17 => 7.6.17
    @storybook/theming: 7.6.17 => 7.6.17
    @storybook/web-components: 7.6.17 => 7.6.17
    @storybook/web-components-webpack5: 7.6.17 => 7.6.17
    storybook: 7.6.17 => 7.6.17

Additional context

No response

Member

shilman commented Jun 18, 2024

Please upgrade to the latest release.

Migration guide: https://storybook.js.org/docs/8.0/migration-guide

@msakrejda
Contributor

Storybook 8 requires node 18. We have some dependencies that require node 16 (they are deprecated and we are trying to migrate off, but it's not trivial). The migration guide says:

If any of these new requirements or changes are blockers for your project, we recommend to continue using Storybook 7.x.

Should this be qualified? Or is there any chance this change will be backported to 7?

@sridhar614
Author

We are encountering similar issues with migrating our dependencies and replacing other add-on plugins for Storybook 8.

Since there is already a solution and fix available in Storybook, is it feasible to backport the patch to version 7?
