2 changes: 1 addition & 1 deletion infrastructure/eid-wallet/package.json
@@ -78,7 +78,7 @@
"cupertino-pane": "^1.4.22",
"playwright": "^1.51.1",
"postcss": "^8.5.3",
"storybook": "^8.6.7",
"storybook": "^9.0.0",
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First check if the package.json file exists and show its Storybook dependencies
echo "=== Checking infrastructure/eid-wallet/package.json ==="
if [ -f "infrastructure/eid-wallet/package.json" ]; then
  # Pass the manifest path as an argument: the heredoc already occupies stdin,
  # so piping `cat` into `python3 -` would be discarded and json.load would see EOF.
  python3 - infrastructure/eid-wallet/package.json <<'PY'
import sys, json
with open(sys.argv[1]) as fh:
    data = json.load(fh)
dev = data.get("devDependencies", {})
sb = {k: v for k, v in dev.items() if k == "storybook" or k.startswith("@storybook/")}
print("Storybook-related dependencies:")
for k, v in sorted(sb.items()):
    print(f"  {k}: {v}")
PY
else
  echo "File not found"
fi

echo ""
echo "=== Checking for lock files ==="
fd -a 'pnpm-lock.yaml|package-lock.json|yarn.lock' | head -20

echo ""
echo "=== Checking lock file for storybook versions ==="
if [ -f "pnpm-lock.yaml" ]; then
  echo "Found pnpm-lock.yaml"
  rg -i 'storybook.*9\.0|@storybook.*8\.6' pnpm-lock.yaml | head -30 || echo "No direct matches found"
fi

Repository: MetaState-Prototype-Project/prototype

Length of output: 874


🏁 Script executed:

# Check the actual lines in the file
if [ -f "infrastructure/eid-wallet/package.json" ]; then
  echo "=== Lines around 59-65 and 81 in package.json ==="
  wc -l infrastructure/eid-wallet/package.json
  echo ""
  echo "Lines 55-70:"
  sed -n '55,70p' infrastructure/eid-wallet/package.json
  echo ""
  echo "Lines 78-85:"
  sed -n '78,85p' infrastructure/eid-wallet/package.json
fi

Repository: MetaState-Prototype-Project/prototype

Length of output: 1106


🏁 Script executed:

# Check if other package.json mentioned in review exists
if [ -f "platforms/pictique/client/package.json" ]; then
  echo "=== platforms/pictique/client/package.json Storybook dependencies ==="
  sed -n '1,100p' platforms/pictique/client/package.json | grep -A 1 -B 1 '"storybook\|"@storybook' || echo "No storybook dependencies found"
fi

echo ""
echo "=== Searching for all package.json files ==="
fd -t f 'package\.json$' | head -20

echo ""
echo "=== Checking for lock files ==="
fd -t f '(pnpm-lock\.yaml|package-lock\.json|yarn\.lock)$'

Repository: MetaState-Prototype-Project/prototype

Length of output: 1553


🌐 Web query:

CVE-2026-27148 Storybook 9.1.19 security update

💡 Result:

CVE-2026-27148 (Storybook) — fixed in Storybook 9.1.19

  • What it is: A WebSocket hijacking issue in the Storybook dev server (used by storybook dev) that can allow an attacker to send unauthorized WebSocket messages (no Origin validation) and potentially achieve persistent XSS or RCE via unsanitized input (e.g., componentFilePath) in story create/save handlers. Production builds are not impacted. [1][2]
  • When it’s exploitable: If a developer visits a malicious website while their local dev server is running; risk is higher if the dev server is exposed publicly. [1][2]
  • Fixed versions: Upgrade to one of 7.6.23, 8.6.17, 9.1.19, or 10.2.10 (depending on your major). [1][2]

Recommended update (for Storybook 9)

  • Upgrade Storybook packages to 9.1.19 (keep all storybook / @storybook/* on the same version). [1]
    • Practical approach: run the Storybook upgrade tool and target 9.1.19 (Storybook documents using npx storybook@... upgrade). [3]

Extra mitigations (if you can’t upgrade immediately)

  • Don’t expose the dev server to untrusted networks; avoid running it publicly for demos/reviews, and be cautious about browsing untrusted sites while it’s running. [1][2]

Sources: GitHub Security Advisory GHSA-mjf5-7g4m-gx5w (CVE-2026-27148) [1], OSV CVE record [2], Storybook upgrade docs [3].

[1] (github.com)
[2] (osv.dev)
[3] (storybook.js.org)

Storybook dependencies have version skew and do not enforce the security floor required by CVE-2026-27148.

The storybook: "^9.0.0" constraint does not guarantee the patched version (9.1.19), and this file keeps @storybook/* packages on ^8.6.7, creating a major/minor version mismatch. Per the CVE-2026-27148 security advisory for the WebSocket hijacking vulnerability in the dev server, all Storybook packages must remain on the same version. The same issue affects platforms/pictique/client/package.json (which has @storybook/* at ^8.6.12).

Suggested fix
-        "@storybook/addon-essentials": "^8.6.7",
-        "@storybook/addon-interactions": "^8.6.7",
-        "@storybook/blocks": "^8.6.7",
-        "@storybook/experimental-addon-test": "^8.6.7",
-        "@storybook/svelte": "^8.6.7",
-        "@storybook/sveltekit": "^8.6.7",
-        "@storybook/test": "^8.6.7",
+        "@storybook/addon-essentials": "^9.1.19",
+        "@storybook/addon-interactions": "^9.1.19",
+        "@storybook/blocks": "^9.1.19",
+        "@storybook/experimental-addon-test": "^9.1.19",
+        "@storybook/svelte": "^9.1.19",
+        "@storybook/sveltekit": "^9.1.19",
+        "@storybook/test": "^9.1.19",
@@
-        "storybook": "^9.0.0",
+        "storybook": "^9.1.19",
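Review bot: the suggested fix bumps @storybook/addon-essentials, @storybook/addon-interactions and @storybook/blocks to ^9.1.19, but the analysis on platforms/pictique/client/package.json on this same page notes that those packages are empty since Storybook 9 and should be removed rather than upgraded, so applying the suggestion as written leaves three dead entries in devDependencies. Drop those three `+` lines from the suggestion and keep only the remaining @storybook/* entries on the same ^9.1.19 spec as storybook.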
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@infrastructure/eid-wallet/package.json` at line 81, the Storybook dependency
versions are inconsistent and do not ensure the patched release addressing
CVE-2026-27148; update the package.json entries so all Storybook packages use
the same patched version (at least 9.1.19) to avoid major/minor skew.
Specifically, change the top-level "storybook" dependency and every `@storybook/*`
entry in this package and in platforms/pictique/client/package.json to the
identical version spec (e.g., "9.1.19"), then reinstall (npm/yarn) and verify
package-lock / yarn.lock reflects the unified version and run a security audit
to confirm the CVE is resolved.

"svelte": "^5.0.0",
"svelte-check": "^4.0.0",
"svelte-gestures": "^5.1.3",
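Review bot: `"storybook": "^9.0.0"` is a range whose floor is 9.0.0, so on its own it does not pull in the 9.1.19 release the CVE-2026-27148 advisory cites, and this diff touches only package.json: no lock file change is part of the PR, so the version actually installed is whatever the existing lock resolves. If the intent is the security fix, raise the floor in the constraint itself (`"storybook": "^9.1.19"`), move the @storybook/* entries that this file keeps on ^8.6.7 to the same spec in the same change, and commit the regenerated lock file so the resolved version is reviewable.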
2 changes: 1 addition & 1 deletion platforms/pictique/client/package.json
@@ -40,7 +40,7 @@
"prettier": "^3.4.2",
"prettier-plugin-svelte": "^3.3.3",
"prettier-plugin-tailwindcss": "^0.7.0",
"storybook": "^8.6.12",
"storybook": "^9.0.0",
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n platforms/pictique/client/package.json | head -50

Repository: MetaState-Prototype-Project/prototype

Length of output: 2030


🌐 Web query:

Storybook 9.0.0 compatibility with @storybook packages version alignment requirements

💡 Result:

Storybook 9.0.0 compatibility / @storybook/* version-alignment rules

  • Don’t mix major versions: If you’re on Storybook 9.0.0, keep Storybook dependencies on 9.x (avoid combinations like storybook@9 with @storybook/*@8, which can lead to “mismatched versions” problems the upgrade/doctor flow explicitly checks for). [3][5]
  • Prefer upgrading as a set: Use the upgrade tool, which updates “all Storybook packages” together and then runs storybook doctor to catch common issues like duplicated deps, incompatible addons, and mismatched versions. [3]
  • Many @storybook/* packages were consolidated into the single storybook package in v9 (and some were removed). If you still list removed/consolidated packages, you should migrate imports to the new storybook/... export paths. [1][2]
  • Addon authors (peer deps): For Storybook 9, addons should generally depend on storybook (not a long list of @storybook/* packages) and set peerDependencies: { "storybook": "^9.0.0" } so the addon uses the host project’s Storybook version and avoids duplicate Storybook copies. [2]
  • Packages that became empty in Storybook 9: @storybook/addon-essentials, @storybook/addon-interactions, @storybook/addon-links, and @storybook/blocks are empty since Storybook 9 and should be removed from dependencies (they’re not published going forward). [4]

Practical recommendation for a SB 9.0.0 app: keep storybook and your framework package (e.g. @storybook/react-vite, @storybook/angular, etc.) on the same 9.x line, run npx storybook@9 upgrade, and fix anything npx storybook doctor reports about mismatched versions. [3]

Sources

[1] Storybook migration guide (8 → 9): package consolidation/removals and new import paths
[2] Addon migration guide for Storybook 9.0: dependency/peerDependency guidance (storybook as peer dep)
[3] Storybook “Upgrading” docs: upgrade upgrades all Storybook packages together + doctor checks mismatched versions
[4] Addon migration guide for Storybook 10.0: notes specific packages are empty since Storybook 9
[5] storybook doctor diagnostics categories: includes version mismatches/peer-dep issues


🌐 Web query:

CVE-2026-27148 Storybook security vulnerability patch version

💡 Result:

For CVE-2026-27148 (Storybook dev server WebSocket hijacking), the vulnerability is fixed in:

  • 7.6.23
  • 8.6.17
  • 9.1.19
  • 10.2.10 (upgrade to this or any later version in the same major line) [1][2]

Align Storybook packages: storybook 9.0.0 mixed with @storybook/* 8.6.12 is incompatible.

Line 43 specifies "storybook": "^9.0.0" while @storybook/addon-essentials, @storybook/blocks, @storybook/svelte, @storybook/sveltekit, and @storybook/test remain on ^8.6.12. This major version mismatch is unsupported and can cause runtime issues. Additionally, @storybook/addon-essentials and @storybook/blocks were consolidated into storybook 9 and should be removed from devDependencies. Upgrade all Storybook packages to 9.1.19 (or later in the 9.x line) to patch CVE-2026-27148 and remove the consolidated packages.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@platforms/pictique/client/package.json` at line 43, the package.json
currently mixes "storybook": "^9.0.0" with `@storybook/*` packages at ^8.6.12,
causing an incompatible major-version mismatch; update all Storybook packages to
a consistent 9.x line (recommend 9.1.19 or later) by changing versions for
`@storybook/addon-essentials`, `@storybook/blocks`, `@storybook/svelte`,
`@storybook/sveltekit`, and `@storybook/test` to 9.1.19 (or later) and remove the
now-consolidated packages `@storybook/addon-essentials` and `@storybook/blocks` from
devDependencies (since core "storybook" 9.x includes them) to resolve the
incompatibility and address CVE-2026-27148.

"svelte": "^5.0.0",
"svelte-check": "^4.0.0",
"svelte-gestures": "^5.1.3",
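Review bot: same problem as in infrastructure/eid-wallet/package.json: the ^9.0.0 range has no floor at the patched 9.1.19, and every @storybook/* entry in this file stays on ^8.6.12, so the core and the framework package (@storybook/sveltekit, which has to match the core's major) now diverge by a whole major. Per the finding above, @storybook/addon-essentials and @storybook/blocks should be deleted here rather than bumped, and @storybook/svelte, @storybook/sveltekit and @storybook/test should move to the same ^9.1.19 spec as storybook, with the lock file regenerated in this PR.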
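Added check, not code from the PR or from the review bot: a small audit in the spirit of the bot's package.json scripts that applies the findings on this page to a manifest, namely the 9.1.19 patch floor for CVE-2026-27148, major-version skew between storybook and @storybook/*, and the packages the second comment says are empty since Storybook 9. The floor and the package list are taken from the comments above; the sample manifest is constructed to mirror the diff, and the range parser is an assumption that handles only plain ^/~/exact specs.

```python
"""Audit Storybook devDependencies for version skew and a security floor."""
import json
import re

# Patch floor for the 9.x line named in the CVE-2026-27148 review comments.
PATCH_FLOOR = (9, 1, 19)
# Packages the review notes as empty since Storybook 9 (to be removed, not bumped).
EMPTY_IN_V9 = {"@storybook/addon-essentials", "@storybook/addon-interactions",
               "@storybook/addon-links", "@storybook/blocks"}
# Assumption: only simple ^ / ~ / exact ranges; anything else is reported, not guessed.
_VER = re.compile(r"^[\^~=]?v?(\d+)\.(\d+)\.(\d+)$")


def dotted(v):
    return ".".join(str(x) for x in v)


def range_minimum(spec):
    """Lowest version a ^/~/exact range admits, or None if the spec is not that simple."""
    m = _VER.match(spec.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def audit_storybook(package_json_text, floor=PATCH_FLOOR):
    """Return findings for the storybook and @storybook/* entries in devDependencies."""
    deps = json.loads(package_json_text).get("devDependencies", {})
    sb = {k: v for k, v in deps.items() if k == "storybook" or k.startswith("@storybook/")}
    minima = {k: range_minimum(v) for k, v in sb.items()}
    core = minima.get("storybook")
    findings = []
    for name, spec in sorted(sb.items()):
        low = minima[name]
        if low is None:
            findings.append(f"{name}: cannot reason about range {spec!r}; pin it explicitly")
        elif low < floor:
            findings.append(f"{name}: {spec} admits {dotted(low)}, below patch floor {dotted(floor)}")
        if name in EMPTY_IN_V9 and core and core[0] >= 9:
            findings.append(f"{name}: empty since Storybook 9; remove it instead of bumping")
    majors = {low[0] for low in minima.values() if low}
    if len(majors) > 1:
        findings.append(f"major version skew across Storybook packages: {sorted(majors)}")
    return findings


# Constructed manifest mirroring the diff: core bumped to ^9.0.0, addons left on ^8.6.7.
SAMPLE = json.dumps({"devDependencies": {
    "storybook": "^9.0.0", "@storybook/svelte": "^8.6.7",
    "@storybook/blocks": "^8.6.7", "svelte": "^5.0.0"}})

if __name__ == "__main__":
    print("\n".join(audit_storybook(SAMPLE)))
```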