Update dependency storybook to v10.1.10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
storybook (source)	10.0.2 -> 10.1.10

GitHub Vulnerability Alerts

CVE-2025-68429

On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks.

The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. If those variables contained secrets, they should be considered compromised.

Who is impacted?

For a project to be vulnerable to this issue, it must:

• Build the Storybook (i.e. run storybook build directly or indirectly) in a directory that contains a .env file (including variants like .env.local)
• The .env file contains sensitive secrets
• Use Storybook version 7.0.0 or above
• Publish the built Storybook to the web

Storybooks built without a .env file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than .env files.

Users' Storybook runtime environments (i.e. storybook dev) are not affected. Deployed applications that share a repo with a project's Storybook are not affected.

Storybook 6 and below are not affected.

Recommended actions

First, Storybook recommends that everyone audit for any sensitive secrets provided via .env files and rotate those keys.

Second, Storybook has released patched versions of all affected major Storybook versions that no longer have this vulnerability. Projects should upgrade their Storybook—on both local machines and CI environments—to one of these versions before publishing again.

• 10.1.10+
• 9.1.17+
• 8.6.15+
• 7.6.21+

Finally, some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, it can either prefix the variables with STORYBOOK_ or use the env property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.

Further information

Details of the vulnerability can be found on the Storybook announcement.

---

Release Notes

storybookjs/storybook (storybook)

v10.1.10

Compare Source

10.1.10

• Core: Fix `.env`-file parsing - #​33383, thanks @​JReinhold!
• Next.js: Handle v14 compatibility for draftMode import - #​33341, thanks @​tanujbhaud!

v10.1.9

Compare Source

• Telemetry: Remove instance of check for sub-error handling - #​33356, thanks @​valentinpalkovic!

v10.1.8

Compare Source

v10.1.7

Compare Source

• Automigrate: Fix missing await - #​33333, thanks @​valentinpalkovic!
• CLI: Remove REACT_PROJECT projectType - #​33334, thanks @​valentinpalkovic!
• Core: Exclude open from pre-bundling to make local xdg-open reachable - #​33325, thanks @​Sidnioulz!
• Nextjs-Vite: Install vite during migration if not installed yet - #​33316, thanks @​ghengeveld!
• Telemetry: Fix race condition in telemetry cache causing malformed JSON - #​33323, thanks @​valentinpalkovic!

v10.1.6

Compare Source

• Manager: Do not display non-existing shortcuts in the settings page - #​32711, thanks @​DKER2!
• Preview: Enforce inert body if manager is focus-trapped - #​33186, thanks @​Sidnioulz!
• Telemetry: Await pending operations in getLastEvents to prevent race conditions - #​33285, thanks @​valentinpalkovic!
• UI: Fix keyboard navigation bug for "reset" option in Select - #​33268, thanks @​Sidnioulz!

v10.1.5

Compare Source

v10.1.4

Compare Source

• Core: Enhance getPrettier function to provide prettier interface - #​33260, thanks @​valentinpalkovic!
• NextJS: Alias image to use fileURLToPath for better resolution - #​33256, thanks @​ndelangen!
• Telemetry: Cache Storybook metadata by main config content hash - #​33247, thanks @​valentinpalkovic!

v10.1.3

Compare Source

• Angular: Honor --loglevel and --logfile in dev/build - #​33212, thanks @​valentinpalkovic!
• Core: Minor UI fixes - #​33218, thanks @​ghengeveld!
• Telemetry: Add playwright-prompt - #​33229, thanks @​valentinpalkovic!

v10.1.2

Compare Source

• Checklist: Fix how state changes are reported and drop some completion restrictions - #​33217, thanks @​ghengeveld!

v10.1.1

Compare Source

• Core: Improve globbing using dynamic CWD (REVERT) - #​33201, thanks @​ndelangen!
• Solid: Add Solid to the list of supported frameworks for addon-vitest - #​33084, thanks @​valentinpalkovic!
• UI: Fix excessive height in TabbedArgsTable - #​33205, thanks @​Sidnioulz!

v10.1.0

Compare Source

Easier to setup, more accessible to use

Storybook 10.1 focuses on two key improvements: installation and accessibility:

• ♿ UI overhaul to fix hundreds of a11y issues
• 🧑‍💻 CLI overhaul for faster, more reliable install
• ✅ Checklist-based onboarding guide for new users

The release also contains compatibility fixes for:

• 🅰️ Angular 21 support
• 🦀 RSbuild install support in CLI
• ⚡️ Preact support for Vitest addon

Finally, it contains two highly-requested experimental features:

• 📋 Component manifest for Storybook MCP
• ⚛️ Improved JSX code snippets for React

List of all updates

• A11y: Add aria-selected attribute to tab buttons - #​32656, thanks @​Nischit-Ekbote!
• A11y: Make search clear button keyboard accessible - #​32590, thanks @​ritoban23!
• Addon-Vitest: Ensure Storybook starts correctly across platforms by using shell in spawn - #​33116, thanks @​valentinpalkovic!
• Angular: Add preset entry point for framework - #​33154, thanks @​valentinpalkovic!
• Angular: Add support for v21 - #​33098, thanks @​valentinpalkovic!
• Angular: Don't kill dev command by using observables - #​33185, thanks @​valentinpalkovic!
• Angular: Migrate from RxJS to async/await in command builders and run Compodoc utility as spinner - #​33156, thanks @​valentinpalkovic!
• Angular: Replace deprecated import of ApplicationConfig - #​33125, thanks @​EtiennePasteur!
• Automigration: Update description and link for addon-a11y-addon-test - #​33133, thanks @​valentinpalkovic!
• Build: Add Rsbuild-based sandboxes - #​33039, thanks @​valentinpalkovic!
• Build: Fix async telemetry event sending - #​33115, thanks @​valentinpalkovic!
• Build: Update dependencies in yarn.lock and clean up comments - #​33089, thanks @​ndelangen!
• Checklist: Autocomplete "See what's new" on URL navigation - #​33167, thanks @​ghengeveld!
• Checklist: Data improvements - #​33129, thanks @​ghengeveld!
• CLI: Change yarn package manager value to yarn1 - #​33099, thanks @​valentinpalkovic!
• CLI: Fix 'beforeVersion' evaluation for Storybook package - #​33141, thanks @​valentinpalkovic!
• CLI: Fix access to getOptionValue in postAction hook - #​33119, thanks @​valentinpalkovic!
• CLI: Fix framework config validation path and messages - #​33146, thanks @​valentinpalkovic!
• CLI: Fix passing flags for bun users during init - #​33166, thanks @​valentinpalkovic!
• CLI: Fix Vitest v3 installs and refactor AddonVitestService; align create‑storybook usage - #​33131, thanks @​valentinpalkovic!
• CLI: In csf-factories codemod only remove types which are unused - #​33020, thanks @​yannbf!
• CLI: Minor improvements - #​33180, thanks @​valentinpalkovic!
• CLI: Modernize Storybook CLI with new init workflow, Clack UI, and Generator System - #​32717, thanks @​valentinpalkovic!
• CLI: Standardize debug log messages across the application - #​33123, thanks @​valentinpalkovic!
• CLI: Update clack - #​33151, thanks @​valentinpalkovic!
• CLI: Update compatibility guidance link in summary message - #​33117, thanks @​valentinpalkovic!
• CLI: Update postAction hook to use command parameter for logfile retrieval - #​33137, thanks @​valentinpalkovic!
• CLI: Update upgrade message - #​33182, thanks @​yannbf!
• Core: Fix getDocsUrl for canary versions - #​33128, thanks @​ghengeveld!
• Core: Fix testing widget focus outline - #​33172, thanks @​ghengeveld!
• Core: Improve globbing using dynamic CWD - #​32990, thanks @​ia319!
• Core: Rename Listbox component to ActionList and use it in TagsFilterPanel - #​33140, thanks @​ghengeveld!
• Core: Significantly improve Storybook's own accessibility - #​32458, thanks @​Sidnioulz!
• Core: Update getDocsUrl to add a default ref param and set guide as ref for links in the Guide - #​33111, thanks @​ghengeveld!
• Guide: Collapse checklist items by default - #​33160, thanks @​ghengeveld!
• Guide: Hide items for which their required feature is disabled (controls, viewport, interactions) - #​33113, thanks @​ghengeveld!
• Maintenance: Enable syntax minification for dead code elimination - #​33001, thanks @​mrginglymus!
• Manager: Added tokens and a dark color scheme for status colors - #​33081, thanks @​MichaelArestad!
• Middleware: Prepend file:// to middleware import for Windows support - #​32955, thanks @​ndelangen!
• Onboarding: Guided tour checklist - #​32795, thanks @​ghengeveld!
• React: Add isPackage flag to component imports for better package identification - #​33090, thanks @​kasperpeulen!
• React: Add manifests/components.html page - #​32905, thanks @​kasperpeulen!
• React: Change examples to stories in manifests and show correct examples and prop types - #​32908, thanks @​kasperpeulen!
• React: Experimental code examples - #​32813, thanks @​kasperpeulen!
• React: Implement manifests/component.json for React - #​32751, thanks @​kasperpeulen!
• React: Improve automatic component, automatic imports, support barrel files and enhance story filtering - #​32939, thanks @​kasperpeulen!
• React: Improve error handling of component manifest generation - #​32855, thanks @​kasperpeulen!
• React: Improve error messages in component manifest - #​32954, thanks @​kasperpeulen!
• React: Improve import rewriting when tsconfig paths are used - #​33072, thanks @​kasperpeulen!
• Remove yarn esbuild pnp plugin - #​33097, thanks @​mrginglymus!
• Theming: Set themes.normal according to user preference and export getPreferredColorScheme - #​28721, thanks @​elisezhg!
• UI: Add padding for ArgsTable shadow in TabbedArgsTable - #​33034, thanks @​Sidnioulz!
• UI: Add VRTs to FileSearchModal in light theme - #​33022, thanks @​Sidnioulz!
• UI: Fix crashes in Select when passed falsy non-string options - #​33164, thanks @​Sidnioulz!
• UI: Fix regression on addon panel empty content fontsize - #​33021, thanks @​Sidnioulz!
• UI: Fix trivial RefBlocks ARIA violations - #​33026, thanks @​Sidnioulz!
• UI: Improve status handling in sidebar nodes - #​32965, thanks @​yannbf!
• UI: Increase border contrast of Checkbox, Radio, and Range - #​33064, thanks @​MichaelArestad!
• UI: Refocus search input after clearing it - #​33165, thanks @​Sidnioulz!
• UI: Rework default background of Color swatch for dark mode - #​33023, thanks @​Sidnioulz!
• Upgrade: Satellite compatible with 10.1 prerelease - #​32877, thanks @​ndelangen!

v10.0.8

Compare Source

• React Native Web: Fix react native resuables and nativewind - #​33056, thanks @​dannyhw!
• React Native Web: Update vite-plugin-rnw for overall improvements - #​32991, thanks @​dannyhw!
• WebComponents: Fix custom-elements.json not being loaded - #​33045, thanks @​ndelangen!

v10.0.7

Compare Source

• ESLint: Only apply csf-strict rules on stories files - #​31963, thanks @​cylewaitforit!
• Next.js: Update SWC loader to support new wasm detection - #​33003, thanks @​yannbf!

v10.0.6

Compare Source

• CSF: Fix export interface declaration for NextPreview - #​32914, thanks @​icopp!
• Controls: Add range validation in Number Control - #​32539, thanks @​ia319!
• Fix: Export interface declaration for ReactMeta - #​32915, thanks @​icopp!
• Vitest Addon: Add support for Preact - #​32948, thanks @​yannbf!

v10.0.5

Compare Source

• Core: Add reentry guard to focus patch - #​32655, thanks @​ia319!
• Nextjs Vite: Update internal plugin to support svgr use cases - #​32957, thanks @​yannbf!

v10.0.4

Compare Source

• CLI: Fix issue with running Storybook after being initialized - #​32929, thanks @​yannbf!
• CRA: Fix module not defined in ESM - #​32940, thanks @​ndelangen!

v10.0.3

Compare Source

• Core: Better handling for TypeScript satisfies/as syntaxes - #​32891, thanks @​yannbf!
• Core: Fix wrong import to fix Yarn PnP support - #​32928, thanks @​yannbf!
• ESlint: Update @storybook/experimental-nextjs-vite in no-renderer-packages rule - #​32909, thanks @​ndelangen!
• React Native: Update withStorybook setup instructions - #​32919, thanks @​dannyhw!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - "at 10am on Monday except on 25th of December in 2023 and 1st of January 2024 and 1st of April 2024 and 20th of May 2024 and 19th of August 2024" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[viktorbenei]

Summary

Security update: Upgraded storybook from v10.0.2 to v10.1.10 to fix CVE-2025-68429, a vulnerability where environment variables from .env files could be unexpectedly bundled into built Storybook artifacts and exposed publicly.

[bitrise-devs-bot]

Storybook uploaded to: https://storybook.services.bitrise.dev/projects/wfe/pr-1683/