Update dependency storybook to v8.6.17 [SECURITY] #6
This PR contains the following updates:
storybook: 8.1.10 → 8.6.17

Storybook manager bundle may expose environment variables during build
CVE-2025-68429 / GHSA-8452-54wp-rmv6
Details
On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks.
The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command. When a built Storybook is published to the web, the bundle's source is viewable, thus potentially exposing those variables to anyone with access. If those variables contained secrets, they should be considered compromised.
Who is impacted?
For a project to be vulnerable to this issue, it must:
- be built with storybook build (directly or indirectly) in a directory that contains a .env file (including variants like .env.local)
- have a .env file that contains sensitive secrets
- use Storybook 7.0.0 or above
Storybooks built without a .env file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than .env files. Users' Storybook runtime environments (i.e. storybook dev) are not affected. Deployed applications that share a repo with a project's Storybook are not affected. Storybook 6 and below are not affected.
Recommended actions
First, Storybook recommends that everyone audit for any sensitive secrets provided via .env files and rotate those keys.
Second, Storybook has released patched versions of all affected major Storybook versions that no longer have this vulnerability. Projects should upgrade their Storybook, on both local machines and CI environments, to one of these versions before publishing again:
- 10.1.10+
- 9.1.17+
- 8.6.15+
- 7.6.21+
Finally, some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environment variable values, it can either prefix the variables with STORYBOOK_ or use the env property in Storybook's configuration to manually specify values. In either case, do not include sensitive secrets, as they will be included in the built bundle.
Further information
Details of the vulnerability can be found on the Storybook announcement.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Storybook Dev Server is Vulnerable to WebSocket Hijacking
CVE-2026-27148 / GHSA-mjf5-7g4m-gx5w
Details
Summary
The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.
Details
Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.
If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.
The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).
Note: recent versions of Chrome have some protections against this, but Firefox does not.
Impact
This vulnerability can lead to supply chain compromise. Key risks include:
Affected versions
8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.
Recommended actions
Update to one of the patched versions:
7.6.23, 8.6.17, 9.1.19, 10.2.10.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
storybookjs/storybook (storybook)
v8.6.17
v8.6.16
v8.6.15
v8.6.14
v8.6.13
- react-native-web - #31324, thanks @ndelangen!
v8.6.12
- ember-template-compiler import for ember 6+ - #30682, thanks @leoeuclids!
- node_modules from docgen - #30981, thanks @JReinhold!
v8.6.11
v8.6.10
v8.6.9
v8.6.8
v8.6.7
v8.6.6
v8.6.5
- @angular-devkit/build-angular to installed packages - #30790, thanks @kasperpeulen!
- svelte2tsx@0.7.35 - #30784, thanks @JReinhold!
- crypto.randomUUID - #30781, thanks @JReinhold!
v8.6.4
- node_modules in stats file - #30711, thanks @JReinhold!
v8.6.3
v8.6.2
v8.6.1
v8.6.0
The 8.6 release focuses on Storybook Test, which brings realtime component, accessibility, and visual UI tests to your favorite component workshop.
Here’s what’s new:
List of all updates
- --yes and fix --features - #30534, thanks @ghengeveld!
- UniversalStore API to sync state/events between multiple environments - #30445, thanks @JReinhold!
- node_modules - #30643, thanks @ndelangen!
- addon-essentials not working when used with getAbsolutePath - #30557, thanks @JReinhold!
- +page.svelte files - #30369, thanks @xeho91!
- vitest.config.ts with workspaces, otherwise create vitest.workspace.ts - #30583, thanks @ghengeveld!
v8.5.8
- esbuild@^0.25 - #30574, thanks @JReinhold!
v8.5.7
v8.5.6
v8.5.5
v8.5.4
v8.5.3
- globals to extract() - #30415, thanks @ndelangen!
v8.5.2
v8.5.1
- interaction test -> component test - #30333, thanks @kylegach!
v8.5.0
Storybook 8.5 is packed with powerful features to enhance your development workflow. This release makes it easier than ever to build accessible, well-tested UIs. Here’s what’s new:
List of all updates
- @vitest/coverage-v8 during postinstall if no coverage reporter is installed - #29993, thanks @ghengeveld!
- vitest detects missing deps - #29763, thanks @ndelangen!
- test.include patterns - #30029, thanks @JReinhold!
- vitest crashes - #29751, thanks @ndelangen!
- vitest.setup.js - #30233, thanks @JReinhold!
- experimental-nextjs-vite - #29814, thanks @ndelangen!
- glob with tinyglobby - #29817, thanks @ghengeveld!
- staticDirs with Vitest - #29811, thanks @ghengeveld!
- require.resolve - #30026, thanks @ndelangen!
- storybook command - #29480, thanks @toothlessdev!
- TESTING_MODULE_RUN_ALL_REQUEST for backward compatibility - #29711, thanks @ghengeveld!
- ERR_PACKAGE_PATH_NOT_EXPORTED in @storybook/node-logger - #30093, thanks @JReinhold!
- scrollIntoView behavior and reimplement testing module time rendering - #30044, thanks @ghengeveld!
- @types/node to devDeps consistently - #30163, thanks @ndelangen!
- useSharedState - #30259, thanks @JReinhold!
- react-confetti with @neoconfetti/react - #30098, thanks @ndelangen!
- @storybook/test as optional peer dependency - #29754, thanks @yannbf!
- TooltipLinkList and use it in main menu - #29507, thanks @ghengeveld!
- optimizeDeps - #30117, thanks @ndelangen!
- @fs - #28941, thanks @tobiasdiez!
- viteFinal - #30105, thanks @JReinhold!
- vue-component-meta docgen HMR not working - #29518, thanks @IonianPlayboy!
v8.4.7
v8.4.6
- @sveltejs/vite-plugin-svelte v5 - #29731, thanks @JReinhold!
v8.4.5
v8.4.4
v8.4.3
v8.4.2
- @storybook/test - #29514, thanks @shilman!
v8.4.1
v8.4.0
Storybook 8.4 comes with a ton of exciting new features designed to give you the best experience developing, testing, and debugging tests in the browser!
List of all updates
- @vitest/browser v2.1.2 - #29407, thanks @strozw!
- es-toolkit - #29259, thanks @JReinhold!
- @storybook/addon-links by default - #29177, thanks @tobiasdiez!
- .gitignore updated via CLI ends with a newline - #29124, thanks @3w36zj6!
- yarn detection - #29448, thanks @ndelangen!
- chalk to picocolors - #28262, thanks @43081j!
- export { X } parsing - #29344, thanks @vctqs1!
- prettier an optional peer dependency - #29223, thanks @JReinhold!
- express to polka - #29230, thanks @43081j!
- qs to picoquery - #28315, thanks @43081j!
- handlebars usage - #29208, thanks @ndelangen!
- file-system-cache - #29256, thanks @ndelangen!
- fs-extra with the native APIs - #29126, thanks @ziebam!
- lodash with es-toolkit - #28981, thanks @ndelangen!
- esbuild, broadening version range - #29254, thanks @ndelangen!
- renderers/react's dependencies - #29298, thanks @ndelangen!
- svelte2tsx - support runes - #29423, thanks @JReinhold!
- util dependency - #29310, thanks @JReinhold!
- react in manager - #29197, thanks @ndelangen!
- optimizeDeps - #29179, thanks @tobiasdiez!
v8.3.7
v8.3.6
v8.3.5
v8.3.4
v8.3.3
v8.3.2
- storybook dev - #29152, thanks @valentinpalkovic!
v8.3.1
v8.3.0
Fresh out of the oven! Storybook 8.3 brings you:
List of all updates
- StoryGlobals-mode - #29025, thanks @JReinhold!
- as const satisfies modifiers - #29000, thanks @shilman!
- tsconfig to emit react-jsx - #28541, thanks @williamhelmrath!
- util to regular dependency - #29008, thanks @ndelangen!
- ESM export to docs-tools & node-logger packages - #28539, thanks @ndelangen!
- @storybook/addon-interactions - #28518, thanks @ndelangen!
- commander - #28857, thanks @43081j!
- node:-prefix to node core-modules - #28860, thanks @ndelangen!
- lodash - #28609, thanks @ndelangen!
- vue-component-meta docgen plugin - #28760, thanks @larsrickert!
v8.2.10
v8.2.9
- init --skip-install - #28853, thanks @ndelangen!
v8.2.8
v8.2.7
v8.2.6
v8.2.5
- @storybook/theming/create alias - #28643, thanks @Averethel!
v8.2.4
- storybook package is missing - #28604, thanks @kasperpeulen!
v8.2.3
- theming/create aliases in docs preset - #28570, thanks @ndelangen!
- core-events - #28573, thanks @ndelangen!
v8.2.2
- ESM export to docs-tools & node-logger packages - #28539, thanks @ndelangen!
- @storybook/addon-interactions - #28518, thanks @ndelangen!
v8.2.1
v8.2.0
Hold onto your hats! Storybook 8.2 has dropped, packed with a treasure trove of new features and bug fixes:
- beforeAll
- play function
List of all updates
- tocbot - #28318, thanks @shilman!
- --no-dev option to init - #26918, thanks @fastfrwrd!
- --dev and --no-dev options to storybook init CLI - #26918, thanks @fastfrwrd!
- @storybook/addon-svelte-csf when initializing new projects - #27070, thanks @benmccann!
- beforeAll hook - #28255, thanks @ghengeveld!
- pkg-dir to fd-package-json - #28270, thanks @43081j!
- loading -> rendering -> playing - #28431, thanks @kasperpeulen!
- .stories.mdx handling - #25973, thanks @JReinhold!
- CJS for core/components - #28440, thanks @ndelangen!
- preview.js globals to initialGlobals - #27517, thanks @shilman!
- markdown-to-jsx to v7.4.5 - #26694, thanks @xyy94813!
- webpack-virtual-modules to 0.6.0 - #27102, thanks @fyodorovandrei!
- read-pkg-up to fd-package-json - #28272, thanks @43081j!
- doctrine with jsdoc-type-pratt-parser - #26305, thanks @43081j!
- Stories block, error when referenced in MDX - #28434, thanks @kasperpeulen!
- Typeset Doc block fontSizes type - #26475, thanks @noranda!
- env.bugfixes in SWC so destructuring is never transpiled - #28363, thanks @kasperpeulen!
- mount in react, svelte, and vue renderers - #28385, thanks @kasperpeulen!
- CompatibleString - #27180, thanks @sni-J!
v8.1.11
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
ebe65cd09a to 8fe749cbdd