
fix: storybook env parsing vulnerability #140

Merged
mkilpatrick merged 2 commits into main from storybook on Dec 30, 2025

Conversation

@mkilpatrick (Collaborator)

No description provided.

@changeset-bot

changeset-bot bot commented Dec 30, 2025

⚠️ No Changeset found

Latest commit: 8ea3e27

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

@coderabbitai

coderabbitai bot commented Dec 30, 2025

Walkthrough

This pull request updates the Storybook dependency version in the packages/pages-components/package.json file from ^8.6.14 to ^8.6.15. The change is a minor version bump within the same minor release line, affecting only the dependency declaration with no modifications to application code or functionality.

Suggested reviewers

  • benlife5
  • colton-demetriou
  • asanehisa

Pre-merge checks

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. No pull request description was provided, making it impossible to assess relevance to the changeset. Resolution: add a description explaining the vulnerability, why the update fixes it, and any testing performed to validate the fix.

✅ Passed checks (1 passed)
  • Title check: ✅ Passed. The title accurately describes the main change: updating storybook to fix an environment parsing vulnerability.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 43a77a0 and 8ea3e27.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • packages/pages-components/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: call_test_matrix / Node 20 • React 18.2.0
  • GitHub Check: call_test_matrix / Node 24 • React 18.2.0
  • GitHub Check: call_test_matrix / Node 20 • React 19.2.3
  • GitHub Check: semgrep/ci
🔇 Additional comments (1)
packages/pages-components/package.json (1)

91-91: The core vulnerability fix in 8.6.15 likely doesn't require updating the ecosystem packages.

This PR correctly addresses CVE-2025-68429, a high-severity vulnerability in Storybook where environment variables from .env files could be unexpectedly bundled into the build output, potentially exposing secrets in published builds. The fix in storybook 8.6.15 addresses the build/bundling process in the core package.

Since the vulnerability is specific to the core build system rather than the addons (@storybook/addon-*, @storybook/react, etc.), updating only the storybook package is appropriate. However, consider coordinating a full ecosystem update to 8.6.15 in a follow-up to maintain version consistency and avoid potential compatibility issues, even if not strictly necessary for this particular vulnerability.

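The check a practitioner would want after a bump like this is evidence that the published build no longer carries values from `.env`. The following is an added example, not code from this PR or from the Storybook project: it parses a dotenv file and searches every text file of the build output for each value. The sample `.env` contents, file names and build chunks are constructed for illustration; the special treatment of the `STORYBOOK_` prefix reflects Storybook's documented behaviour of intentionally exposing variables with that prefix, while the `readBuildDir` helper, the minimum value length and the ignored-value list are this example's own choices.

```javascript
// Added example (not from PR #140 or the Storybook project): confirm that a
// Storybook build does not contain values taken from a .env file.
// Usage: node scan-env-leaks.js [path/to/.env] [path/to/storybook-static]
// With no arguments it runs on the constructed sample data below.

// Minimal dotenv parser: KEY=VALUE lines, optional `export`, '#' comment
// lines, single- or double-quoted values, inline comments after unquoted
// values. Good enough for the common .env shapes; not a full spec parser.
function parseDotenv(text) {
  const env = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2];
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\n/g, "\n");
    } else if (value.length >= 2 && value.startsWith("'") && value.endsWith("'")) {
      value = value.slice(1, -1);
    } else {
      value = value.replace(/\s+#.*$/, "").trim();
    }
    env[m[1]] = value;
  }
  return env;
}

// Short or generic values ("production", "true") appear in any bundle and
// would only produce noise, so they are skipped. Thresholds are assumptions.
const MIN_VALUE_LENGTH = 8;
const IGNORED_VALUES = new Set(["true", "false", "production", "development", "test"]);

// Search each build file for each .env value. Storybook deliberately exposes
// STORYBOOK_-prefixed variables to the browser, so hits on those are reported
// as expected; anything else found in the output is a leak.
function scanBuild(env, files, { expectedPrefix = "STORYBOOK_" } = {}) {
  const findings = [];
  for (const [key, value] of Object.entries(env)) {
    if (value.length < MIN_VALUE_LENGTH || IGNORED_VALUES.has(value.toLowerCase())) continue;
    for (const [file, content] of Object.entries(files)) {
      if (content.includes(value)) {
        findings.push({ key, file, expected: key.startsWith(expectedPrefix) });
      }
    }
  }
  return findings;
}

// Read every text-like artifact under a build directory (recursive).
function readBuildDir(dir, exts = new Set([".js", ".html", ".json", ".css", ".map"])) {
  const fs = require("fs");
  const path = require("path");
  const files = {};
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) Object.assign(files, readBuildDir(full, exts));
    else if (exts.has(path.extname(entry.name))) files[full] = fs.readFileSync(full, "utf8");
  }
  return files;
}

// Constructed sample .env; not a real project's configuration.
const SAMPLE_DOTENV = `
# constructed sample, not a real project's .env
STORYBOOK_API_URL=https://api.example.invalid   # exposed on purpose
NODE_ENV=production
export DATABASE_PASSWORD="s3cr3t-pass-9f2a"
SESSION_SIGNING_KEY='k3y-with-#-inside'
`;

// Constructed stand-in for storybook-static/: one chunk carries the intended
// public URL, another carries the database password.
const SAMPLE_BUILD = {
  "storybook-static/main.abc123.js": 'var e="https://api.example.invalid";fetch(e)',
  "storybook-static/vendors.def456.js": 'const cfg={db:"s3cr3t-pass-9f2a"};',
  "storybook-static/iframe.html": "<html><body>ok</body></html>",
};

function runSample() {
  return scanBuild(parseDotenv(SAMPLE_DOTENV), SAMPLE_BUILD);
}

if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const dotenvText = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_DOTENV;
  const files = process.argv[3] ? readBuildDir(process.argv[3]) : SAMPLE_BUILD;
  for (const f of scanBuild(parseDotenv(dotenvText), files)) {
    console.log(`${f.expected ? "expected" : "LEAK"} ${f.key} -> ${f.file}`);
  }
}
```

On the sample data the scan reports `STORYBOOK_API_URL` as an expected exposure and `DATABASE_PASSWORD` as a leak into `vendors.def456.js`; `NODE_ENV` is skipped as a generic value and `SESSION_SIGNING_KEY` is absent from the output. Run it against the real `.env` and `storybook-static/` after rebuilding with the fixed version, and again before each release, since a clean result is what the fix is supposed to buy.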

@mkilpatrick mkilpatrick merged commit c69d691 into main Dec 30, 2025
22 checks passed
@mkilpatrick mkilpatrick deleted the storybook branch December 30, 2025 15:56