Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Init @storybook/addon-webpack5-compiler-babel #1

Merged
merged 16 commits into from
Jan 3, 2024
Merged

Init @storybook/addon-webpack5-compiler-babel #1

merged 16 commits into from
Jan 3, 2024

Conversation

valentinpalkovic
Copy link
Contributor

@valentinpalkovic valentinpalkovic commented Jan 3, 2024
edited by github-actions bot
Loading

Relates to storybookjs/storybook#25172

I have created an addon package, which adds babel support to Storybook Webpack5 projects.

Additional information

  • I am using biome for lining and formatting instead of eslint
  • I have set type="module" to the package.json. I am still outputting cjs and esm files via ts-up. The only difference is that the ESM files have the default .js extension, whereas the cjs files have the .cjs extension. I don't think this is a problem (cc @ndelangen). While testing the addon, everything seemed to work. I have even tested to just output ESM files, but it seems that we call require to resolve presets and addons and therefore it was unfortunately not working.
📦 Published PR as canary version: 0.0.1--canary.1.cc990b6.0

✨ Test out this PR locally via:

npm install @storybook/[email protected]
# or 
yarn add @storybook/[email protected]

@socket-security Socket Security
Copy link

socket-security bot commented Jan 3, 2024
edited
Loading

New dependencies detected. Learn more about Socket for GitHub ↗︎

Packages Version New capabilities Transitives Size Publisher
tsup 8.0.1 eval, filesystem, shell, environment +53 444 MB egoist
@biomejs/biome 1.4.1 None +0 89.7 kB dominionl
auto 11.0.4 filesystem, shell, environment +55 442 MB alisowski
typescript 5.3.3 filesystem +0 32 MB typescript-bot

@socket-security Socket Security
Copy link

socket-security bot commented Jan 3, 2024
edited
Loading

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue Package Version Note Source
New author merge-stream 2.0.0
New author html-minifier-terser 6.1.0
New author handlebars 4.7.8
Uses eval handlebars 4.7.8
Shell access @swc/core 1.3.102
Shell access esbuild 0.18.20
Shell access update-browserslist-db 1.0.13
Uses eval rollup 4.9.2
Uses eval tsup 8.0.1
Uses eval terser 5.26.0

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is eval?

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

@valentinpalkovic valentinpalkovic force-pushed the valentin/add-addon-webpack5-compiler-babel branch from 04b5c8c to 4166c3d Compare January 3, 2024 09:50
@valentinpalkovic valentinpalkovic added the major Increment the major version when merged label Jan 3, 2024
@valentinpalkovic valentinpalkovic self-assigned this Jan 3, 2024
@valentinpalkovic valentinpalkovic marked this pull request as ready for review January 3, 2024 10:36
@valentinpalkovic valentinpalkovic merged commit ef79618 into main Jan 3, 2024
3 of 4 checks passed
@valentinpalkovic valentinpalkovic deleted the valentin/add-addon-webpack5-compiler-babel branch January 3, 2024 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yannbf yannbf yannbf approved these changes

@ndelangen ndelangen Awaiting requested review from ndelangen

Assignees

@valentinpalkovic valentinpalkovic

Labels
major Increment the major version when merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@valentinpalkovic @yannbf