Core: Replace ip function with a small helper function to address security concerns

[cosieLq]

Closes #26014

What I did

I've listened to the suggestion from #26025 and added a small helper function to replace ip.address, so that we can remove the insecure package ip. What the helper function does is essentially the same as ip.address: it returns the first remotely accessible IPv4 address or otherwise the loopback.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

• stories
• unit tests
• integration tests
• end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

• Add or update documentation reflecting your changes
• If you are deprecating/removing a feature, make sure to update
  MIGRATION.MD

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

[socket-security]

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: npm/@types/ip@1.1.3

View full report↗︎

[AhmedMuhammedElsaid]

waiting for this PR to be merged ASAP !
ThanQ

[victordas]

Isn't 0.0.0.0 better suited for the else part?

[cosieLq]

Good point. I've changed this to 0.0.0.0.

[valentinpalkovic]

I am curious whether returning 0.0.0.0 makes sense. Can the Storybook server be reached in the browser when 0.0.0.0 is used? If not, I would rather return null/undefined and handle it appropriately in the getServerAddresses function. It should return networkAddress: undefined. In this case, the network address shouldn't be logged at all to the user's console, after the server starts.

[cosieLq]

I'm not sure which returned value is better. The Storybook server is reachable via 0.0.0.0 in my browsers. Maybe it also depends on how to interpret 'On your network' in the log.

[valentinpalkovic]

@cosieLq Thank you so much for your contribution!

But I think we can close this. It seems that the security vulnerability was resolved in ip. A new version of ip was just released a couple of hours ago.

[valentinpalkovic]

Superseded by #26086

[cosieLq]

@cosieLq Thank you so much for your contribution!

But I think we can close this. It seems that the security vulnerability was resolved in ip. A new version of ip was just released a couple of hours ago.

Sure! But I sort of agree with the suggestion from #26025 . Since Storybook uses only part of one function from ip, maybe it's worthy of thinking about whether to keep it as a dependency or just replace it.

[tony19]

FYI, ip 2.0.1 didn't completely fix the bug, and a new CVE might be coming. Maybe we should reconsider this PR to factor out the unstable module, especially since Storybook only uses one of its functions that can easily be recreated.

[ouuan]

FYI, the usage here is not affected by CVE-2023-42282, because your network interface will not provide malformed addresses. However, the current implementation of the ip.address() function is incorrect, see indutny/node-ip#61. It returns public addresses when the argument is 'private' and vice-versa. It's documented to return a private address when no argument is provided but actually it's returning a public address instead.

[xfournet]

Since we have again a security issue with ip (see CVE-2024-29415), wouldn't be the time to re-open this PR to definitively get rid off this lib ?
in my (relatively large) codebase only storybook still use this dependency

[hobadams]

Can this be re-opened? I'm still getting this issue in storybook 8.1.5. Is there a way to work around this without an official release?

[Shaun1]

Also still getting this issue and the (automated) way npm wants to resolve it is to downgrade to storybook@6.5.16.

This needs to be fixed if we are to be comfortable using storybook in a production environment.

[valentinpalkovic]

The original repo got deleted, so I can't reopen the PR. Is someone willing to put together a new PR?

[tony19]

@valentinpalkovic The PR's branch could still be checked out locally. I've copied the PR as-is to #27529.