Skip to content
This repository has been archived by the owner on Mar 6, 2024. It is now read-only.

Set up postinstall as a bin command #57

Merged
merged 5 commits into from
Jun 29, 2023
Merged

Set up postinstall as a bin command #57

merged 5 commits into from
Jun 29, 2023

Conversation

ShaunEvening
Copy link
Contributor

@ShaunEvening ShaunEvening commented Jun 23, 2023
edited by github-actions bot
Loading

📦 Published PR as canary version: 1.3.2--canary.57.dd63cf2.0

✨ Test out this PR locally via:

npm install @storybook/addon-styling@1.3.2--canary.57.dd63cf2.0
# or 
yarn add @storybook/addon-styling@1.3.2--canary.57.dd63cf2.0

@ShaunEvening ShaunEvening self-assigned this Jun 27, 2023
@socket-security
Copy link

New and updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages Version New capabilities Transitives Size Publisher
@babel/types 7.22.5 None +2 2.47 MB nicolo-ribaudo
@storybook/csf-tools 7.0.12...7.0.24 None +29/-40 16.6 MB
@storybook/core-common 7.0.12...7.0.24 None +41/-70 218 MB
@babel/cli 7.14.3...7.22.5 eval, network +29/-59 10.5 MB nicolo-ribaudo
@storybook/react-vite 7.0.12...7.0.24 None +105/-188 242 MB
@storybook/builder-webpack5 7.0.12...7.0.24 None +120/-181 230 MB
vitest 0.31.0...0.31.4 None +44/-61 214 MB oreanno
vite 4.2.1...4.3.9 None +32/-49 212 MB vitebot
prop-types 15.7.2...15.8.1 None +0/-0 94.5 kB ljharb
storybook 7.0.12...7.0.24 None +200/-320 238 MB shilman
sass-loader 13.2.2...13.3.2 None +33/-42 10 MB evilebottnawi
css-loader 6.7.3...6.8.1 None +38/-46 10.6 MB evilebottnawi
@babel/preset-react 7.13.13...7.22.5 None +34/-42 9.68 MB nicolo-ribaudo
@storybook/react 7.0.12...7.0.24 None +78/-120 223 MB shilman
@babel/preset-typescript 7.13.0...7.22.5 None +38/-40 10 MB nicolo-ribaudo
@babel/core 7.14.3...7.22.5 None +26/-34 9.53 MB nicolo-ribaudo
@babel/preset-env 7.14.4...7.22.5 None +102/-116 12.7 MB nicolo-ribaudo
@babel/template 7.20.7...7.22.5 None +6/-5 6.3 MB nicolo-ribaudo
@storybook/addon-essentials 7.0.12...7.0.24 None +109/-187 237 MB shilman
babel-loader 8.2.2...8.3.0 None +56/-73 19.3 MB nicolo-ribaudo
style-loader 3.3.2...3.3.3 None +33/-41 10.1 MB evilebottnawi
zx 1.14.1...1.15.2 None +4/-4 7.45 MB google-wombot
concurrently 6.2.0...6.5.1 None +4/-14 7.13 MB gustavohenke
postcss-loader 7.2.4...7.3.3 None +42/-50 12.5 MB evilebottnawi
auto 10.29.2...10.46.0 None +58/-62 17.4 MB alisowski

🚮 Removed packages: @storybook/api@7.0.12, @storybook/components@7.0.12, @storybook/core-events@7.0.12, @storybook/manager-api@7.0.12, @storybook/node-logger@7.0.12, @storybook/preview-api@7.0.12, @storybook/theming@7.0.12, @storybook/types@7.0.12, boxen@5.0.1, less-loader@11.1.0

@socket-security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue Package Version Note Source
New author supports-hyperlinks 2.3.0
New author @babel/plugin-syntax-import-meta 7.10.4
New author fb-watchman 2.0.2
New author defaults 1.0.4
New author fast-diff 1.3.0
Shell access @storybook/cli 7.0.24
Shell access ts-node 10.9.1
Uses eval telejson 7.1.0
Uses eval uglify-js 3.17.4
Uses eval @nicolo-ribaudo/chokidar-2 2.1.8-no-fsevents.3

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is eval?

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore telejson@7.1.0
  • @SocketSecurity ignore uglify-js@3.17.4
  • @SocketSecurity ignore @nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents.3
  • @SocketSecurity ignore supports-hyperlinks@2.3.0
  • @SocketSecurity ignore @babel/plugin-syntax-import-meta@7.10.4
  • @SocketSecurity ignore fb-watchman@2.0.2
  • @SocketSecurity ignore defaults@1.0.4
  • @SocketSecurity ignore fast-diff@1.3.0
  • @SocketSecurity ignore @storybook/cli@7.0.24
  • @SocketSecurity ignore ts-node@10.9.1

@ShaunEvening ShaunEvening changed the base branch from main to june28-patch June 28, 2023 14:22
@ShaunEvening ShaunEvening merged commit 3b20a06 into june28-patch Jun 29, 2023
2 of 3 checks passed
@ShaunEvening ShaunEvening deleted the bin-command branch June 29, 2023 14:12
@ShaunEvening ShaunEvening removed the request for review from ndelangen June 29, 2023 14:12
ShaunEvening pushed a commit that referenced this pull request Jun 29, 2023
Patch release (#62)
a8a6247 
* feat: configure css-loader options (#61)
Co-authored-by: Jeffrey <jeffrey@jeffreyzutt.nl>

* Set up postinstall as a bin command (#57)
  * Set up postinstall as a bin command
  * Check peerDeps when deciding to configure
  * Fix tailwind codemod

* Do not configure addon options for Angular (#63)
  * Update docs
  * Add options skip for Angular tailwind

---------
Co-authored-by: Jeffrey <jeffrey@jeffreyzutt.nl>
@ndelangen
Copy link
Member

@integrayshaun I was tagged / notified of this PR, but I fail to understand it.

Could you add a description to this RP explaining what the change is about?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@ShaunEvening ShaunEvening

Labels
None yet
Projects
Styling addon backlog
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ShaunEvening @ndelangen