
[Security] Vulnerability of Low severity in "@storybook/addon-info > marksy > marked" #7842

Closed
Bazze opened this issue Aug 22, 2019 · 14 comments

Comments

@Bazze

Bazze commented Aug 22, 2019

Describe the bug
New vulnerability discovered in July in a sub-dependency: @storybook/addon-info > marksy > marked

This is in version 5.1.11 of @storybook/addon-info.

https://www.npmjs.com/advisories/1076

Screenshots
[Screenshot attached: "Screenshot 2019-08-22 at 14 29 24" (image not reproduced)]

System

Environment Info:
  npmPackages:
    @storybook/addon-actions: ^5.1.11 => 5.1.11
    @storybook/addon-backgrounds: ^5.1.11 => 5.1.11
    @storybook/addon-info: ^5.1.11 => 5.1.11
    @storybook/addon-knobs: ^5.1.11 => 5.1.11
    @storybook/addon-links: ^5.1.11 => 5.1.11
    @storybook/addon-viewport: ^5.1.11 => 5.1.11
    @storybook/react: ^5.1.11 => 5.1.11
@shilman
Member

shilman commented Aug 22, 2019

Addon-info is being superseded by addon-docs, which fixes a bunch of bugs and is easier to maintain. Please give it a try! https://medium.com/storybookjs/storybook-docspage-e185bc3622bf

@ZebraFlesh

Pointing to a beta release is not really an appropriate resolution for a security issue. Can we just get an updated 5.1.x release with remediated dependencies?

@shilman
Member

shilman commented Aug 31, 2019

@ZebraFlesh PRs welcome

@ZebraFlesh

ZebraFlesh commented Sep 1, 2019

I dug into this a bit and found the following:

  • upgrading storybook's marksy dependency on marked generates some test failures
  • using the marked demo, the same test input generates good output (example)

This leads me to believe that the renderers that marksy supplies to marked are bad, but I lack project familiarity to determine what the problem is.

@stale

stale bot commented Sep 22, 2019

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

@stale stale bot added the inactive label Sep 22, 2019
@reanimatedmanx

Heyo, this is still present in @storybook/addon-info": "~5.2.1. Can we get just a fix related to that regexp DoS issue? I know there is a proposal to just move to addon-docs, but at the project I am working on there is a sceptical approach to new libraries (yeah, I know how it sounds). So just raising this issue once again, as I saw it already being marked as inactive.

@stale stale bot removed the inactive label Oct 4, 2019
@stale

stale bot commented Oct 25, 2019

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

@stale stale bot added the inactive label Oct 25, 2019
@1Jesper1

Fix please

@stale stale bot removed the inactive label Nov 11, 2019
@shilman
Member

shilman commented Nov 11, 2019

If anybody wants to issue a PR for a fix, I'm happy to get it merged. In the meantime, addon-docs has been released for two months and is getting better every day. Here's a good example of a production system using it:

https://reaviz.io/?path=/story/docs-intro--page

@stale

stale bot commented Dec 2, 2019

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

@stale stale bot added the inactive label Dec 2, 2019
@fralewsmi

Related: storybookjs/marksy#78

@shilman
Member

shilman commented Dec 26, 2019

Jiminy cricket!! I just released https://github.com/storybookjs/storybook/releases/tag/v5.3.0-rc.3 containing PR #9234 that references this issue. Upgrade today to try it out!

You can find this prerelease on the @next NPM tag.

Closing this issue. Please re-open if you think there's still more to do.

@shilman shilman closed this as completed Dec 26, 2019
@imgyf

imgyf commented Jun 10, 2020

Hi @shilman, I'm facing the same issue in npm audit. This is in version ^5.3.18 of @storybook/addon-info.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @storybook/addon-info [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @storybook/addon-info > marksy > marked                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/812                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
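The audit output above reports the vulnerable copy of `marked` by its dependency path and a patched range of `>=0.6.2`. The script below is an added example (not part of the Storybook project or this thread) that walks a package-lock v1 `dependencies` tree and lists every un-hoisted path ending in a `marked` older than that version; the lockfile contents and the `marksy`/`marked` version numbers in it are constructed for illustration.

```javascript
// Added example, not Storybook code: find nested copies of a package below a
// patched version in a package-lock.json v1 "dependencies" tree.
const PATCHED_MARKED = '0.6.2'; // "Patched in >=0.6.2" from the npm audit output

// Constructed lockfile mirroring the audit path in this thread; versions of
// marksy and the nested marked are hypothetical.
const constructedLock = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    '@storybook/addon-info': {
      version: '5.1.11',
      dependencies: {
        marksy: {
          version: '6.1.0',
          dependencies: { marked: { version: '0.3.12' } },
        },
      },
    },
    marked: { version: '0.7.0' }, // hoisted copy, already patched
  },
};

// major.minor.patch as numbers; prerelease suffix is dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// True when version `a` is strictly lower than version `b`.
function versionLessThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk. Nested "dependencies" objects are the un-hoisted copies
// that npm audit reports as "Path: a > b > c".
function findVulnerable(lock, pkg, patched, path = [], out = []) {
  for (const [name, meta] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && versionLessThan(meta.version, patched)) {
      out.push({ path: here.join(' > '), version: meta.version });
    }
    findVulnerable(meta, pkg, patched, here, out);
  }
  return out;
}

console.log(JSON.stringify(findVulnerable(constructedLock, 'marked', PATCHED_MARKED)));
```

Point it at a real lockfile by replacing `constructedLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a hoisted, patched `marked` at the top level does not clear a nested unpatched copy, which is exactly the case the audit flagged here.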

@shilman
Member

shilman commented Jun 11, 2020

@gohyifan #7842 (comment)
