fix: storybook env parsing vulnerability

[mkilpatrick]

No description provided.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8ea3e27

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This pull request updates the Storybook dependency version in the packages/pages-components/package.json file from ^8.6.14 to ^8.6.15. The change is a minor version bump within the same minor release line, affecting only the dependency declaration with no modifications to application code or functionality.

Possibly related PRs

• chore: upgrade storybook/test-runner #128: Modifies the same Storybook dependency declaration in packages/pages-components/package.json, bumping the version as part of dependency maintenance.

Suggested reviewers

• benlife5
• colton-demetriou
• asanehisa

Pre-merge checks

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided, making it impossible to assess relevance to the changeset.	Add a description explaining the vulnerability, why the update fixes it, and any testing performed to validate the fix.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating storybook to fix an environment parsing vulnerability.

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 43a77a0 and 8ea3e27.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• packages/pages-components/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: call_test_matrix / Node 20 • React 18.2.0
• GitHub Check: call_test_matrix / Node 24 • React 18.2.0
• GitHub Check: call_test_matrix / Node 20 • React 19.2.3
• GitHub Check: semgrep/ci

🔇 Additional comments (1)

packages/pages-components/package.json (1)

91-91: The core vulnerability fix in 8.6.15 likely doesn't require updating the ecosystem packages.

This PR correctly addresses CVE-2025-68429, a high-severity vulnerability in Storybook where environment variables from .env files could be unexpectedly bundled into the build output, potentially exposing secrets in published builds. The fix in storybook 8.6.15 addresses the build/bundling process in the core package.

Since the vulnerability is specific to the core build system rather than the addons (@storybook/addon-*, @storybook/react, etc.), updating only the storybook package is appropriate. However, consider coordinating a full ecosystem update to 8.6.15 in a follow-up to maintain version consistency and avoid potential compatibility issues, even if not strictly necessary for this particular vulnerability.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}