chore(deps-dev): bump storybook from 10.2.19 to 10.4.6#654
chore(deps-dev): bump storybook from 10.2.19 to 10.4.6#654dependabot[bot] wants to merge 1 commit into
Conversation
| @@ -3420,8 +3111,8 @@ packages: | |||
| engines: {node: '>=18'} | |||
| hasBin: true | |||
|
|
|||
| esbuild@0.27.4: | |||
| resolution: {integrity: sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==} | |||
| esbuild@0.27.7: | |||
There was a problem hiding this comment.
Risk: Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.
Manual Review Advice: A vulnerability from this advisory is reachable if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry
Fix: Upgrade this library to at least version 0.28.1 at launchdarkly-toolbar/pnpm-lock.yaml:3114.
Reference(s): GHSA-gv7w-rqvm-qjhr
🍰 Removed in commit 45ee28d 🍰
Bumps [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) from 10.2.19 to 10.4.6. - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v10.4.6/code/core) --- updated-dependencies: - dependency-name: storybook dependency-version: 10.4.2 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
a75aee3 to
45ee28d
Compare
Bumps storybook from 10.2.19 to 10.4.6.
Release notes
Sourced from storybook's releases.
... (truncated)
Changelog
Sourced from storybook's changelog.
... (truncated)
Commits
5496a42Bump version from "10.4.5" to "10.4.6" [skip ci]a80a5afMerge pull request #34985 from TheSeydiCharyyev/fix/issue-34951-partial-globals5b929caMerge pull request #35157 from Kakadus/update-esbuild48e7b20Bump version from "10.4.4" to "10.4.5" [skip ci]730f744Merge pull request #35094 from storybookjs/jeppe-cursor/a236965cdc88f70Merge pull request #35053 from storybookjs/sidnioulz/double-gate-ai-optin5adebe7Bump version from "10.4.3" to "10.4.4" [skip ci]ce1491dMerge pull request #35085 from badams/fix/telemetry-fetch-timeout624e618Bump version from "10.4.2" to "10.4.3" [skip ci]c898822Merge pull request #34496 from NYCU-Chung/fix/docs-blocks-custom-mdx