This repository was archived by the owner on Jun 8, 2026. It is now read-only.

fix(deps): pin dependencies #29

Closed
renovate-sh-app[bot] wants to merge 1 commit into main from renovate/pin-dependencies

Conversation

renovate-sh-app[bot] commented May 27, 2026

This PR contains the following updates:

| Package                          | Type            | Update    | Change              |
| -------------------------------- | --------------- | --------- | ------------------- |
| @rollup/plugin-terser            | devDependencies | pin       | ^0.4.4 → 0.4.4      |
| @storybook/addon-actions         | devDependencies | pin       | ^8.0.8 → 8.6.18     |
| @storybook/addon-essentials      | devDependencies | pin       | ^7.5.3 → 7.6.24     |
| @storybook/addon-interactions    | devDependencies | pin       | ^7.5.3 → 7.6.24     |
| @storybook/addon-links           | devDependencies | pin       | ^7.5.3 → 7.6.24     |
| @storybook/addon-onboarding      | devDependencies | pin       | ^1.0.8 → 1.0.11     |
| @storybook/blocks                | devDependencies | pin       | ^7.5.3 → 7.6.24     |
| @storybook/client-api            | devDependencies | pin       | ^7.5.3 → 7.6.17     |
| @storybook/preset-scss           | devDependencies | pin       | ^1.0.3 → 1.0.3      |
| @storybook/react                 | devDependencies | pin       | ^7.5.3 → 7.6.24     |
| @storybook/react-webpack5        | devDependencies | pin       | ^7.5.3 → 7.6.24     |
| @storybook/test                  | devDependencies | pin       | ^8.0.8 → 8.6.15     |
| @swc/core                        | devDependencies | pin       | ^1.3.96 → 1.15.40   |
| @swc/jest                        | devDependencies | pin       | ^0.2.29 → 0.2.39    |
| @testing-library/jest-dom        | devDependencies | pin       | ^6.1.4 → 6.9.1      |
| @testing-library/react           | devDependencies | pin       | ^16.0.0 → 16.3.2    |
| @types/jest                      | devDependencies | pin       | ^29.5.8 → 29.5.14   |
| @types/node                      | devDependencies | pin       | ^20.4.2 → 20.19.42  |
| @types/node                      | devDependencies | pin       | ^20.9.1 → 20.19.42  |
| @typescript-eslint/eslint-plugin | devDependencies | pin       | ^8.0.0 → 8.60.1     |
| @typescript-eslint/parser        | devDependencies | pin       | ^8.0.0 → 8.60.1     |
| actions/checkout                 | action          | pinDigest | → 34e1148           |
| actions/setup-node               | action          | pinDigest | → 49933ea           |
| codecov/codecov-action           | action          | pinDigest | → b9fd7d1           |
| css-loader                       | devDependencies | pin       | ^6.8.1 → 6.11.0     |
| esbuild                          | devDependencies | pin       | ^0.19.5 → 0.19.12   |
| eslint                           | devDependencies | pin       | ^9.31.0 → 9.39.4    |
| eslint-config-prettier           | devDependencies | pin       | ^10.1.5 → 10.1.8    |
| eslint-plugin-prettier           | devDependencies | pin       | ^5.5.1 → 5.5.6      |
| eslint-plugin-simple-import-sort | devDependencies | pin       | ^12.0.0 → 12.1.1    |
| eslint-plugin-storybook          | devDependencies | pin       | ^9.0.17 → 9.0.17    |
| identity-obj-proxy               | devDependencies | pin       | ^3.0.0 → 3.0.0      |
| jest                             | devDependencies | pin       | ^29.7.0 → 29.7.0    |
| jest-environment-jsdom           | devDependencies | pin       | ^29.7.0 → 29.7.0    |
| prettier                         | devDependencies | pin       | ^3.0.0 → 3.8.3      |
| prettier                         | devDependencies | pin       | ^3.1.0 → 3.8.3      |
| rimraf                           | devDependencies | pin       | ^5.0.1 → 5.0.10     |
| rimraf                           | devDependencies | pin       | ^5.0.5 → 5.0.10     |
| rollup                           | devDependencies | pin       | ^4.4.1 → 4.61.1     |
| rollup-plugin-dts                | devDependencies | pin       | ^5.3.0 → 5.3.1      |
| rollup-plugin-dts                | devDependencies | pin       | ^6.1.0 → 6.4.1      |
| rollup-plugin-esbuild            | devDependencies | pin       | ^5.0.0 → 5.0.0      |
| rollup-plugin-esbuild            | devDependencies | pin       | ^6.1.0 → 6.2.1      |
| sass                             | devDependencies | pin       | ^1.69.5 → 1.100.0   |
| sass-loader                      | devDependencies | pin       | ^13.3.2 → 13.3.3    |
| storybook-dark-mode              | devDependencies | pin       | ^3.0.1 → 3.0.3      |
| style-loader                     | devDependencies | pin       | ^3.3.3 → 3.3.4      |
| tslib                            | devDependencies | pin       | ^2.6.0 → 2.8.1      |
| tslib                            | devDependencies | pin       | ^2.6.3 → 2.8.1      |
| typescript                       | devDependencies | pin       | ^5.1.6 → 5.9.3      |
| typescript                       | devDependencies | pin       | ^5.4.5 → 5.9.3      |
| util                             | devDependencies | pin       | ^0.12.5 → 0.12.5    |

⚠️ Renovate's pin functionality does not currently wire in the release age for a package, so the Minimum Release Age checks can apply. You will need to manually validate the Minimum Release Age for these package(s).


esbuild enables any website to send any requests to the development server and read the response

GHSA-67mh-4wv8-2f99

Summary

esbuild allows any website to send any request to the development server and read the response due to default CORS settings.

Details

esbuild sets the Access-Control-Allow-Origin: * header on all responses, including the SSE connection, which allows any website to send any request to the development server and read the response.

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363

Attack scenario:

  1. The attacker serves a malicious web page (http://malicious.example.com).
  2. The user accesses the malicious web page.
  3. The attacker sends a fetch('http://127.0.0.1:8000/main.js') request from JavaScript in that malicious web page. This request is normally blocked by the same-origin policy, but that's not the case for the reasons above.
  4. The attacker gets the content of http://127.0.0.1:8000/main.js.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by

  • Fetching /index.html: normally you have a script tag here
  • Fetching /assets: it's common to have an assets directory when you keep JS files and CSS files in a different directory, and the directory listing feature tells the attacker the list of files
  • Connecting to the /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when a file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
  • Fetching URLs in the known file: once the attacker knows one file, the attacker can learn the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.

PoC
  1. Download reproduction.zip
  2. Extract it and move to that directory
  3. Run npm i
  4. Run npm run watch
  5. Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.


Impact

Users using the serve feature may get the source code stolen by malicious websites.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.
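The advisory above is what Renovate attaches to the esbuild pin in this PR. The following is an added example, not esbuild's code and not this repository's: it models the server-side CORS decision the advisory describes (a wildcard on every response) beside a hardened allowlist variant, applies the browser's cross-origin read rule to each so the attack scenario can be replayed without a network, and audits a captured HTTP response for the wildcard. The attacker origin, the allowlist, the `replayAttack`/`auditRawResponse` helpers and the raw response sample are constructed for illustration.

```javascript
// Added example (not esbuild's code, not this repository's): models the
// server-side CORS decision behind GHSA-67mh-4wv8-2f99 beside a hardened
// allowlist variant, applies the browser's cross-origin read rule to each,
// and audits a captured response for the wildcard. All origins, paths and
// the raw response below are constructed for illustration.

// Vulnerable policy as the advisory describes it: a wildcard on every
// response regardless of who asked. Kept deliberately for the comparison.
function vulnerableCorsHeaders(_requestOrigin) {
  return { 'access-control-allow-origin': '*' };
}

// Hardened policy: echo the request's Origin only when it is on an explicit
// allowlist, and mark the response as varying by Origin so a shared cache
// never serves an allowed origin's answer to a different one. Unknown
// origins get no CORS header at all, so the browser withholds the body.
function hardenedCorsHeaders(requestOrigin, allowedOrigins) {
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    return { 'access-control-allow-origin': requestOrigin, vary: 'Origin' };
  }
  return {};
}

// Browser side, after the Fetch standard's CORS check: a page may read a
// cross-origin response only if Access-Control-Allow-Origin is "*" (and the
// request carried no credentials) or equals the page's origin exactly; a
// credentialed request additionally needs Access-Control-Allow-Credentials.
// Same-origin requests are never subject to the check.
function canReadCrossOrigin(pageOrigin, targetUrl, responseHeaders, withCredentials = false) {
  if (new URL(targetUrl).origin === pageOrigin) return true;
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') {
    if (withCredentials) return false;
  } else if (acao !== pageOrigin) {
    return false;
  }
  if (withCredentials && responseHeaders['access-control-allow-credentials'] !== 'true') return false;
  return true;
}

// Replay the advisory's scenario: JavaScript on the attacker's page fetches
// the bundle from the local dev server; `policy` selects which server logic
// answers. The allowlist trusts only the developer's own tab on the server.
function replayAttack(policy) {
  const attacker = 'http://malicious.example.com';   // constructed attacker origin
  const target = 'http://127.0.0.1:8000/main.js';    // URL from the advisory
  const headers = policy === 'vulnerable'
    ? vulnerableCorsHeaders(attacker)
    : hardenedCorsHeaders(attacker, ['http://127.0.0.1:8000']);
  return canReadCrossOrigin(attacker, target, headers);
}

// Audit a raw HTTP response (as captured with `curl -i`) for the wildcard.
// Header names are case-insensitive, so they are lower-cased before lookup.
function auditRawResponse(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {   // skip the status line
    if (line === '') break;                            // end of header block
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const acao = headers['access-control-allow-origin'];
  return { wildcard: acao === '*', allowOrigin: acao === undefined ? null : acao };
}

// Constructed sample response, shaped like what the advisory reports.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/javascript',
  'Access-Control-Allow-Origin: *',
  '',
  'console.log("bundle");',
].join('\r\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable policy, attacker can read bundle:', replayAttack('vulnerable'));
  console.log('hardened policy, attacker can read bundle:', replayAttack('hardened'));
  console.log('sample response audit:', auditRawResponse(SAMPLE_RESPONSE));
}
```

To check a running dev server by hand, send a request with a foreign Origin and look at the response headers, for example `curl -i -H 'Origin: http://malicious.example.com' http://127.0.0.1:8000/main.js`; a literal `Access-Control-Allow-Origin: *` in the reply is the condition the advisory describes. The hardened variant deliberately returns no header rather than the requesting origin by default, because reflecting every Origin is equivalent to the wildcard and additionally enables credentialed reads.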

renovate-sh-app[bot] (author) commented May 27, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: @volkovlabs/components@4.6.0
npm error Found: storybook@9.1.20
npm error node_modules/storybook
npm error   dev storybook@"^9.0.17" from @volkovlabs/components@4.6.0
npm error   packages/components
npm error     @volkovlabs/components@4.5.0
npm error     node_modules/@volkovlabs/components
npm error       workspace packages/components from the root project
npm error
npm error Could not resolve dependency:
npm error peer storybook@"^8.6.18" from @storybook/addon-actions@8.6.18
npm error node_modules/@storybook/addon-actions
npm error   dev @storybook/addon-actions@"8.6.18" from @volkovlabs/components@4.6.0
npm error   packages/components
npm error     @volkovlabs/components@4.5.0
npm error     node_modules/@volkovlabs/components
npm error       workspace packages/components from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2026-06-08T11_17_28_172Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2026-06-08T11_17_28_172Z-debug-0.log
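The artifact failure above is a peer-range conflict: the pinned @storybook/addon-actions@8.6.18 declares a peer of storybook@^8.6.18, while the workspace's storybook@^9.0.17 resolves to 9.1.20, which no caret on 8.x accepts. The following is an added example, not Renovate's code and not this repository's: it implements the two checks a reviewer would want before merging a pin PR like this one, namely that every dependency spec and every GitHub Actions `uses:` reference is an exact version or a full commit digest, and a minimal caret-range check that reproduces why the resolution above fails. The package.json and workflow samples, the 40-hex digest in them, and the helper names are constructed, not the repository's real files.

```javascript
// Added example, not Renovate's code and not this repository's. It flags
// unpinned npm specs and unpinned GitHub Actions references, and shows why
// the ERESOLVE conflict in the log above arises: an exact pin must still
// satisfy every peer range that depends on it. All inputs are constructed.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
// owner/repo@<40 hex chars>, optionally followed by a "# vX" comment.
const ACTION_DIGEST = /^[^@\s]+@[0-9a-f]{40}(?:\s*#.*)?$/;

// "MAJOR.MINOR.PATCH" to numbers; any prerelease suffix is ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Minimal npm caret semantics: ^X.Y.Z (X>0) allows >=X.Y.Z with the same
// major; ^0.Y.Z freezes the minor as well; ^0.0.Z freezes the patch too.
function caretSatisfies(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const [rMaj, rMin, rPat] = parseVersion(range.slice(1));
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (rMaj === 0) {
    if (vMaj !== 0 || vMin !== rMin) return false;
    return rMin === 0 ? vPat === rPat : vPat >= rPat;
  }
  if (vMaj !== rMaj) return false;
  if (vMin !== rMin) return vMin > rMin;
  return vPat >= rPat;
}

// Dependency specs that are still ranges rather than exact versions.
function unpinnedDeps(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push(`${field}.${name}: ${spec}`);
    }
  }
  return out;
}

// `uses:` references in a workflow that are not pinned to a commit digest.
// A tag such as @v4 can be moved by the action's maintainer or by anyone
// who takes over the repository; a digest cannot.
function unpinnedActions(workflowYaml) {
  const out = [];
  for (const line of workflowYaml.split('\n')) {
    const m = /^\s*-?\s*uses:\s*(\S.*?)\s*$/.exec(line);
    if (!m) continue;
    const ref = m[1];
    if (ref.startsWith('./')) continue;   // local composite actions have no ref
    if (!ACTION_DIGEST.test(ref)) out.push(ref);
  }
  return out;
}

// Constructed samples (not the repository's files). The digest is a
// placeholder, not a real commit.
const SAMPLE_PACKAGE = {
  name: 'sample-ui',
  devDependencies: {
    '@storybook/addon-actions': '8.6.18',
    storybook: '^9.0.17',
    esbuild: '0.19.12',
    typescript: '~5.9.3',
  },
};
const SAMPLE_WORKFLOW = [
  'jobs:',
  '  test:',
  '    steps:',
  '      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4',
  '      - uses: actions/setup-node@v4',
  '      - uses: ./.github/actions/local',
].join('\n');

// The conflict from the npm log: addon-actions 8.6.18 wants storybook
// ^8.6.18, but the workspace resolves storybook@^9.0.17 to 9.1.20.
function report() {
  return {
    unpinnedDeps: unpinnedDeps(SAMPLE_PACKAGE),
    unpinnedActions: unpinnedActions(SAMPLE_WORKFLOW),
    resolvedStorybookSatisfiesAddonPeer: caretSatisfies('9.1.20', '^8.6.18'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

Run against a real checkout by replacing the two samples with `JSON.parse(fs.readFileSync('package.json'))` and the contents of the files under `.github/workflows/`. The caret helper is intentionally limited to `^` ranges without prerelease handling; for anything broader use the `semver` package rather than extending it.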

renovate-sh-app[bot] force-pushed the renovate/pin-dependencies branch 4 times, most recently from d3a2d92 to b672af2 (June 3, 2026 11:24)
renovate-sh-app[bot] changed the title from "chore(deps): pin dependencies" to "fix(deps): pin dependencies" (Jun 3, 2026)
renovate-sh-app[bot] force-pushed the renovate/pin-dependencies branch from b672af2 to 8820544 (June 4, 2026 08:16)
| datasource | package                          | from     | to       |
| ---------- | -------------------------------- | -------- | -------- |
| npm        | @rollup/plugin-terser            | 0.4.4    | 0.4.4    |
| npm        | @storybook/addon-actions         | 8.6.18   | 8.6.18   |
| npm        | @storybook/addon-essentials      | 7.6.24   | 7.6.24   |
| npm        | @storybook/addon-interactions    | 7.6.24   | 7.6.24   |
| npm        | @storybook/addon-links           | 7.6.24   | 7.6.24   |
| npm        | @storybook/addon-onboarding      | 1.0.11   | 1.0.11   |
| npm        | @storybook/blocks                | 7.6.24   | 7.6.24   |
| npm        | @storybook/client-api            | 7.6.17   | 7.6.17   |
| npm        | @storybook/preset-scss           | 1.0.3    | 1.0.3    |
| npm        | @storybook/react                 | 7.6.24   | 7.6.24   |
| npm        | @storybook/react-webpack5        | 7.6.24   | 7.6.24   |
| npm        | @storybook/test                  | 8.6.15   | 8.6.15   |
| npm        | @swc/core                        | 1.15.40  | 1.15.40  |
| npm        | @swc/jest                        | 0.2.39   | 0.2.39   |
| npm        | @testing-library/jest-dom        | 6.9.1    | 6.9.1    |
| npm        | @testing-library/react           | 16.3.2   | 16.3.2   |
| npm        | @types/jest                      | 29.5.14  | 29.5.14  |
| npm        | @types/node                      | 20.19.42 | 20.19.42 |
| npm        | @typescript-eslint/eslint-plugin | 8.60.1   | 8.60.1   |
| npm        | @typescript-eslint/parser        | 8.60.1   | 8.60.1   |
| npm        | css-loader                       | 6.11.0   | 6.11.0   |
| npm        | esbuild                          | 0.19.12  | 0.19.12  |
| npm        | eslint                           | 9.39.4   | 9.39.4   |
| npm        | eslint-config-prettier           | 10.1.8   | 10.1.8   |
| npm        | eslint-plugin-prettier           | 5.5.6    | 5.5.6    |
| npm        | eslint-plugin-simple-import-sort | 12.1.1   | 12.1.1   |
| npm        | eslint-plugin-storybook          | 9.0.17   | 9.0.17   |
| npm        | identity-obj-proxy               | 3.0.0    | 3.0.0    |
| npm        | jest                             | 29.7.0   | 29.7.0   |
| npm        | jest-environment-jsdom           | 29.7.0   | 29.7.0   |
| npm        | prettier                         | 3.8.3    | 3.8.3    |
| npm        | rimraf                           | 5.0.10   | 5.0.10   |
| npm        | rollup                           | 4.61.1   | 4.61.1   |
| npm        | rollup-plugin-dts                | 5.3.1    | 5.3.1    |
| npm        | rollup-plugin-dts                | 6.4.1    | 6.4.1    |
| npm        | rollup-plugin-esbuild            | 5.0.0    | 5.0.0    |
| npm        | rollup-plugin-esbuild            | 6.2.1    | 6.2.1    |
| npm        | sass                             | 1.100.0  | 1.100.0  |
| npm        | sass-loader                      | 13.3.3   | 13.3.3   |
| npm        | storybook-dark-mode              | 3.0.3    | 3.0.3    |
| npm        | style-loader                     | 3.3.4    | 3.3.4    |
| npm        | tslib                            | 2.8.1    | 2.8.1    |
| npm        | typescript                       | 5.9.3    | 5.9.3    |
| npm        | util                             | 0.12.5   | 0.12.5   |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
renovate-sh-app[bot] force-pushed the renovate/pin-dependencies branch from 8820544 to 6b0d39b (June 5, 2026 23:18)

tleopold commented Jun 8, 2026

Closing this pull request: the repository is being archived and transferred to cold storage.

tleopold closed this Jun 8, 2026