
Dependencies: Upgrade ejs to 3.1.10 #27054

Merged (1 commit, May 7, 2024)

Conversation


@RiuSalvi RiuSalvi commented May 7, 2024

What I did

I've created this PR to bump ejs to 3.1.10 in builder-manager and also in scripts, as the previous version was vulnerable.

Why

The builder-manager, both in 7.6.19 and 8.0.10, has `"ejs": "^3.1.8"` as a dependency in its package.json. This results in the vulnerable ejs 3.1.9 being used, as can be seen in the yarn.lock file.

Resources:
https://security.snyk.io/package/npm/ejs
https://github.com/storybookjs/storybook/blob/v7.6.19/code/yarn.lock#L15305
https://github.com/storybookjs/storybook/blob/v8.0.10/code/yarn.lock#L13758
https://github.com/storybookjs/storybook/blob/v8.0.10/code/builders/builder-manager/package.json#L54
https://github.com/storybookjs/storybook/blob/v7.6.19/code/builders/builder-manager/package.json#L55

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

Core team members can create a canary release here or locally with `gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>`
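The "Why" section above rests on one check: which version a caret range such as `^3.1.8` actually resolves to in the lockfile, and whether that version is at or above the fixed release. The following is an added example, not code from Storybook or from the PR author: a small Node script that parses a constructed v1 yarn.lock fragment (modelled on the format, with a placeholder registry URL) and reports, for every range of a given package, the resolved version and whether it is below the fixed version. The function names, the sample lockfile text and the `.invalid` registry host are all constructed for illustration. The version comparison is numeric per component, because a plain string comparison would order "3.1.10" before "3.1.9" and call the fixed version vulnerable.

```javascript
// Added example (not Storybook's own code). Audits a v1 yarn.lock for the
// version a package range actually resolves to.

// Constructed yarn.lock v1 fragment mirroring the PR description:
// the range ^3.1.8 resolves to 3.1.9, which is below the fixed 3.1.10.
const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"ejs@^3.1.8":
  version "3.1.9"
  resolved "https://registry.example.invalid/ejs/-/ejs-3.1.9.tgz"
  dependencies:
    jake "^10.8.5"

jake@^10.8.5:
  version "10.8.7"
  resolved "https://registry.example.invalid/jake/-/jake-10.8.7.tgz"
`;

// Parse a v1 yarn.lock into a Map from "name@range" specifier to the resolved version.
// Header lines are unindented, end with ':', and may list several comma-separated
// (optionally quoted) specifiers that share one resolution.
function parseYarnLockV1(text) {
  const entries = new Map();
  let currentKeys = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const header = line.replace(/:$/, '');
      currentKeys = header.split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      continue;
    }
    // Only the two-space-indented "version" line carries the resolved version.
    const m = /^ {2}version\s+"([^"]+)"/.exec(line);
    if (m && currentKeys) {
      for (const key of currentKeys) entries.set(key, m[1]);
    }
  }
  return entries;
}

// Numeric component-wise comparison: returns -1, 0 or 1.
// Assumption: plain dotted numeric versions; prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// For one package name, list each range present in the lockfile, the version it
// resolved to, and whether that version is below `fixedVersion`.
function auditPackage(lockText, name, fixedVersion) {
  const findings = [];
  for (const [spec, version] of parseYarnLockV1(lockText)) {
    // Split on the last '@' so scoped packages such as @scope/name@^1.0.0 work.
    const at = spec.lastIndexOf('@');
    if (at <= 0) continue;
    const pkg = spec.slice(0, at);
    const range = spec.slice(at + 1);
    if (pkg !== name) continue;
    findings.push({
      range,
      resolved: version,
      vulnerable: compareVersions(version, fixedVersion) < 0,
    });
  }
  return findings;
}

// Stand-alone run: report every ejs range against the fixed release 3.1.10.
console.log(JSON.stringify(auditPackage(SAMPLE_YARN_LOCK, 'ejs', '3.1.10'), null, 2));
```

Point `auditPackage` at the real lockfile (read with `fs.readFileSync`) to reproduce the PR's finding: a `^3.1.8` range is satisfied by 3.1.9, so the lockfile, not the declared range, decides whether the fixed version is actually installed.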

@JReinhold JReinhold self-assigned this May 7, 2024
@JReinhold JReinhold added maintenance User-facing maintenance tasks builder-manager ci:normal labels May 7, 2024
@JReinhold JReinhold changed the title Dependencies: Upgrade ejs to 3.1.10 Dependencies: Upgrade ejs to 3.1.10 May 7, 2024

nx-cloud bot commented May 7, 2024

☁️ Nx Cloud Report

CI is running/has finished running commands for commit b218ba4. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this CI Pipeline Execution


✅ Successfully ran 1 target

Sent with 💌 from NxCloud.

@JReinhold JReinhold merged commit d06d40d into storybookjs:next May 7, 2024
55 of 56 checks passed