Skip to content

Update dependency storybook to v10.2.10 [SECURITY]#5259

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-storybook-vulnerability
Open

Update dependency storybook to v10.2.10 [SECURITY]#5259
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-storybook-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 1, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
storybook (source) ^9.1.17^10.0.0 age confidence
storybook (source) 10.1.1110.2.10 age confidence

GitHub Vulnerability Alerts

CVE-2026-27148

Summary

The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.

Details

Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.

If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.

The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).

Note: recent versions of Chrome have some protections against this, but Firefox does not.

Impact

This vulnerability can lead to supply chain compromise. Key risks include:

  • Remote Code Execution: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.
  • Persistent XSS: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.
  • Supply Chain Propagation: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.

Affected versions

8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.

Recommended actions

Update to one of the patched versions: 7.6.23, 8.6.17, 9.1.19, 10.2.10.

Release Notes

storybookjs/storybook (storybook)

v10.2.10

Compare Source

v10.2.9

Compare Source

v10.2.8

Compare Source

v10.2.7

Compare Source

v10.2.6

Compare Source

v10.2.5

Compare Source

v10.2.4

Compare Source

v10.2.3

Compare Source

v10.2.2

Compare Source

v10.2.1

Compare Source

v10.2.0

Compare Source

Improved UI and story authoring ergonomics

Storybook 10.2 contains hundreds of fixes and improvement including:

  • 💅 New Viewports and Zoom UI
  • 🏭 Typesafe CSF factories for Vue, Angular, Web Components (preview)
  • 📄 MDX support for Storybook MCP (experimental)
List of all updates

v10.1.11

Compare Source

v10.1.10

Compare Source

v10.1.9

Compare Source

v10.1.8

Compare Source

v10.1.7

Compare Source

v10.1.6

Compare Source

v10.1.5

Compare Source

v10.1.4

Compare Source

v10.1.3

Compare Source

v10.1.2

Compare Source

  • Checklist: Fix how state changes are reported and drop some completion restrictions - #​33217, thanks @​ghengeveld!

v10.1.1

Compare Source

v10.1.0

Compare Source

Easier to setup, more accessible to use

Storybook 10.1 focuses on two key improvements: installation and accessibility:

  • ♿ UI overhaul to fix hundreds of a11y issues
  • 🧑‍💻 CLI overhaul for faster, more reliable install
  • ✅ Checklist-based onboarding guide for new users

The release also contains compatibility fixes for:

  • 🅰️ Angular 21 support
  • 🦀 RSbuild install support in CLI
  • ⚡️ Preact support for Vitest addon

Finally, it contains two highly-requested experimental features:

  • 📋 Component manifest for Storybook MCP
  • ⚛️ Improved JSX code snippets for React
List of all updates

v10.0.8

Compare Source

v10.0.7

Compare Source

v10.0.6

Compare Source

v10.0.5

Compare Source

[v10.0.4](https://redirect.github.com/storybookjs/storybook/blob/HEAD/

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Contributor Author

renovate bot commented Mar 1, 2026
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 25 workspace projects
.                                        |  WARN  `node_modules` is present. Lockfile only installation will make it out-of-date
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 32, reused 0, downloaded 0, added 0
demo/admin                               |  WARN  deprecated lodash.isequal@4.5.0
Progress: resolved 63, reused 0, downloaded 0, added 0
Progress: resolved 85, reused 0, downloaded 0, added 0
Progress: resolved 99, reused 0, downloaded 0, added 0
Progress: resolved 117, reused 0, downloaded 0, added 0
Progress: resolved 133, reused 0, downloaded 0, added 0
Progress: resolved 145, reused 0, downloaded 0, added 0
Progress: resolved 171, reused 0, downloaded 0, added 0
packages/admin/admin-generator           |  WARN  deprecated glob@11.1.0
Progress: resolved 196, reused 0, downloaded 0, added 0
packages/api/brevo-api                   |  WARN  deprecated rimraf@3.0.2
Progress: resolved 252, reused 0, downloaded 0, added 0
Progress: resolved 296, reused 0, downloaded 0, added 0
Progress: resolved 322, reused 0, downloaded 0, added 0
Progress: resolved 323, reused 0, downloaded 0, added 0
Progress: resolved 453, reused 0, downloaded 0, added 0
Progress: resolved 474, reused 0, downloaded 0, added 0
Progress: resolved 510, reused 0, downloaded 0, added 0
Progress: resolved 563, reused 0, downloaded 0, added 0
Progress: resolved 638, reused 0, downloaded 0, added 0
Progress: resolved 723, reused 0, downloaded 0, added 0
Progress: resolved 756, reused 0, downloaded 0, added 0
Progress: resolved 933, reused 0, downloaded 0, added 0
Progress: resolved 985, reused 0, downloaded 0, added 0
Progress: resolved 1004, reused 0, downloaded 0, added 0
Progress: resolved 1267, reused 0, downloaded 0, added 0
Progress: resolved 1338, reused 0, downloaded 0, added 0
Progress: resolved 1432, reused 0, downloaded 0, added 0
Progress: resolved 1609, reused 0, downloaded 0, added 0
Progress: resolved 1622, reused 0, downloaded 0, added 0
Progress: resolved 1686, reused 0, downloaded 0, added 0
Progress: resolved 1757, reused 0, downloaded 0, added 0
Progress: resolved 1798, reused 0, downloaded 0, added 0
Progress: resolved 1916, reused 0, downloaded 0, added 0
Progress: resolved 2014, reused 0, downloaded 0, added 0
Progress: resolved 2102, reused 0, downloaded 0, added 0
Progress: resolved 2106, reused 0, downloaded 0, added 0
Progress: resolved 2172, reused 0, downloaded 0, added 0
Progress: resolved 2300, reused 0, downloaded 0, added 0
Progress: resolved 2380, reused 0, downloaded 0, added 0
Progress: resolved 2542, reused 0, downloaded 0, added 0
Progress: resolved 2568, reused 0, downloaded 0, added 0
Progress: resolved 2634, reused 0, downloaded 0, added 0
Progress: resolved 2949, reused 0, downloaded 0, added 0
Progress: resolved 3067, reused 0, downloaded 0, added 0
Progress: resolved 3123, reused 0, downloaded 0, added 0
Progress: resolved 3298, reused 0, downloaded 0, added 0
Progress: resolved 3461, reused 0, downloaded 0, added 0
Progress: resolved 3469, reused 0, downloaded 0, added 0
 WARN  19 deprecated subdependencies found: @apollo/server-plugin-landing-page-graphql-playground@4.0.1, @babel/plugin-proposal-class-properties@7.18.6, @babel/plugin-proposal-object-rest-spread@7.20.7, @graphql-tools/prisma-loader@8.0.17, @humanwhocodes/config-array@0.13.0, @humanwhocodes/object-schema@2.0.3, @koa/router@14.0.0, @sinonjs/text-encoding@0.7.2, eslint@8.57.1, fstream@1.0.12, glob@10.5.0, glob@7.2.3, inflight@1.0.6, lodash.get@4.4.2, lodash.omit@4.5.0, node-domexception@1.0.0, rimraf@2.7.1, sinon@9.2.4, subscriptions-transport-ws@0.11.0
Progress: resolved 3469, reused 0, downloaded 0, added 0, done
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

packages/admin/admin
├─┬ @storybook/addon-docs 9.1.17
│ ├── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ ├─┬ @storybook/csf-plugin 9.1.17
│ │ └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ └─┬ @storybook/react-dom-shim 9.1.17
│   └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
├─┬ @storybook/react-webpack5 9.1.17
│ ├── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ ├─┬ @storybook/preset-react-webpack 9.1.17
│ │ ├── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ │ └─┬ @storybook/core-webpack 9.1.17
│ │   └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ ├─┬ @storybook/builder-webpack5 9.1.17
│ │ └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ └─┬ @storybook/react 9.1.17
│   └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
├─┬ eslint-plugin-storybook 9.1.16
│ └── ✕ unmet peer storybook@^9.1.16: found 10.1.11
└─┬ storybook-addon-tag-badges 2.0.4
  └── ✕ unmet peer storybook@^9.0.0: found 10.1.11

storybook
├─┬ @storybook/addon-docs 9.1.17
│ ├── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ ├─┬ @storybook/csf-plugin 9.1.17
│ │ └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ └─┬ @storybook/react-dom-shim 9.1.17
│   └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
├─┬ @storybook/react-webpack5 9.1.17
│ ├── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ ├─┬ @storybook/preset-react-webpack 9.1.17
│ │ ├── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ │ └─┬ @storybook/core-webpack 9.1.17
│ │   └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ ├─┬ @storybook/builder-webpack5 9.1.17
│ │ └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
│ └─┬ @storybook/react 9.1.17
│   └── ✕ unmet peer storybook@^9.1.17: found 10.1.11
└─┬ eslint-plugin-storybook 9.1.16
  └── ✕ unmet peer storybook@^9.1.16: found 10.1.11
hint: To disable failing on peer dependency issues, add the following to pnpm-workspace.yaml in your project root:

  strictPeerDependencies: false

@renovate renovate bot force-pushed the renovate/npm-storybook-vulnerability branch from 7589fbc to bd5be5f Compare March 18, 2026 00:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies major

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants