@storybook/addon-essentials streamlines Storybook development by bundling essential addons, enhancing the UI and developer experience. Version 7.1.1 refines this suite, offering incremental improvements over the preceding 7.1.0. The core functionality remains the same: providing actions, backgrounds, controls, docs, measure, outline, toolbars, viewport, and highlight addons within one package.
The critical difference lies in the synchronized versioning of its dependencies. Both versions depend on many internal Storybook packages. Where the 7.1.0 version depends on version 7.1.0 of these packages, version 7.1.1 now depends on version 7.1.1 of these packages. This ensures overall consistency and stability within the Storybook ecosystem. For developers, upgrading to 7.1.1 is advisable to leverage the latest bug fixes, performance enhancements, and feature updates across all the included addons. While the surface-level functionality might appear unchanged, aligning with the newest releases of underlying components minimizes potential conflicts and maximizes compatibility, contributing to a smoother workflow, particularly when also using other Storybook addons or upgrading Storybook itself. The "react" and "react-dom" peer dependencies remain compatible with versions 16.8.0 through 18.0.0, ensuring broad compatibility with existing React-based projects.
All the vulnerabilities related to version 7.1.1 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any website to send any request to the development server and read the response due to default CORS settings.
esbuild sets the Access-Control-Allow-Origin: * header on all requests, including the SSE connection, which allows any website to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
1. The attacker hosts a malicious web page at http://malicious.example.com.
2. JS in that malicious web page sends a fetch('http://127.0.0.1:8000/main.js') request. This request is normally blocked by the same-origin policy, but that's not the case for the reasons above.
3. The attacker reads the content of http://127.0.0.1:8000/main.js.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by:
- /index.html: normally you have a script tag here
- /assets: it's common to have an assets directory when you have JS files and CSS files in a different directory, and the directory listing feature tells the attacker the list of files
- /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when a file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
- Run npm i
- Run npm run watch
- Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact: Users using the serve feature may get the source code stolen by malicious websites.
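The weak and corrected CORS behaviour, as an added example that is not part of the advisory or of esbuild's or Storybook's own code: the wildcard policy the advisory describes next to an origin allow-list policy, and a check that flags the wildcard on captured response headers. The allow-list value, the sample headers and the request/response shapes are assumptions constructed for illustration.

```javascript
// Added example (not esbuild's or Storybook's code): wildcard CORS as the
// advisory describes it, next to an allow-list policy a dev server should
// use, plus a check that flags the weak header on captured response headers.

// Weak policy: what the advisory describes. Every response, whoever asked,
// is readable cross-origin, so fetch() from any page can read the bundle.
function weakCorsHeaders(_requestOrigin) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened policy: echo the Origin back only when it is explicitly
// allow-listed. Requests with no Origin or a foreign one get no CORS
// header, so the browser withholds the body from the calling page.
function strictCorsHeaders(requestOrigin, allowedOrigins) {
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    return {
      'Access-Control-Allow-Origin': requestOrigin,
      // Keep caches from serving this header to a different origin.
      Vary: 'Origin',
    };
  }
  return {};
}

// Detection: given response headers (e.g. from `curl -i` against the dev
// server's bundle or its SSE endpoint), decide whether a page running at
// foreignOrigin could read the body. Header names match case-insensitively.
function readableByForeignOrigin(headers, foreignOrigin) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const acao = lower['access-control-allow-origin'];
  return acao === '*' || acao === foreignOrigin;
}

// Constructed sample: what a loopback dev server with the weak setting
// returns for the bundle; the same header appears on the SSE stream.
const SAMPLE_WEAK_RESPONSE = {
  'Content-Type': 'application/javascript',
  'Access-Control-Allow-Origin': '*',
};

const ALLOWED = ['http://localhost:8000'];   // assumed allow-list for this example
const FOREIGN = 'http://malicious.example.com';

console.log('weak readable by foreign page:',
  readableByForeignOrigin(SAMPLE_WEAK_RESPONSE, FOREIGN));               // true
console.log('strict readable by foreign page:',
  readableByForeignOrigin(strictCorsHeaders(FOREIGN, ALLOWED), FOREIGN)); // false
```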