@storybook/react version 8.1.5 represents a minor update over its predecessor, version 8.1.4, primarily focusing on internal dependency alignment and bug fixes, although no notable features are introduced in this release. Both versions share the core functionality of rendering React components within the Storybook environment, offering developers a robust platform for UI development and testing. The dependency lists reveal a synchronized ecosystem, with the majority of packages like acorn, lodash, semver, and react-element-to-jsx-string remaining consistent across both versions. Key Storybook components such as @storybook/types, @storybook/global, @storybook/docs-tools, @storybook/preview-api, @storybook/client-logger, and @storybook/react-dom-shim also exhibit version parity, ensuring a cohesive development experience.
The peer dependencies, specifying compatible versions of react, react-dom, and typescript, remain unchanged, indicating that upgrading from 8.1.4 to 8.1.5 should not necessitate adjustments to your project's core dependencies. Similarly, the development dependencies like expect-type, @storybook/test, and babel-plugin-react-docgen are consistent, suggesting no alterations in the testing or documentation generation processes. The update is more about bringing the whole package up to date and fixing small reported bugs, rather than introducing features.
Developers can seamlessly transition to version 8.1.5, expecting continued stability and compatibility with existing Storybook configurations. While the update may not introduce groundbreaking features, it contributes to the ongoing refinement of the Storybook ecosystem, ensuring a reliable platform for building and showcasing React components. The minor version bump indicates that that current users should strongly consider updating to the latest version. The releaseDate show how recent is the tool.
All the vulnerabilities related to the version 8.1.5 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.