chore: bump up storybook version to v10.1.10 [SECURITY] (#14131)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [storybook](https://storybook.js.org) ([source](https://redirect.github.com/storybookjs/storybook/tree/HEAD/code/core)) | [`10.1.5` -> `10.1.10`](https://renovatebot.com/diffs/npm/storybook/10.1.5/10.1.10) | ![age](https://developer.mend.io/api/mc/badges/age/npm/storybook/10.1.10?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/storybook/10.1.5/10.1.10?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2025-68429](https://redirect.github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6)

On December 11th, the Storybook team received a responsible disclosure
alerting them to a potential vulnerability in certain built and
published Storybooks.

The vulnerability is a bug in how Storybook handles environment
variables defined in a `.env` file, which could, in specific
circumstances, lead to those variables being unexpectedly bundled into
the artifacts created by the `storybook build` command. When a built
Storybook is published to the web, the bundle’s source is viewable, thus
potentially exposing those variables to anyone with access. If those
variables contained secrets, they should be considered compromised.

## Who is impacted?

For a project to be vulnerable to this issue, it must:

- Build the Storybook (i.e. run `storybook build` directly or
indirectly) in a directory that contains a `.env` file (including
variants like `.env.local`)
- The `.env` file contains sensitive secrets
- Use Storybook version `7.0.0` or above
- Publish the built Storybook to the web

Storybooks built without a `.env` file at build time are not affected,
including common CI-based builds where secrets are provided via platform
environment variables rather than `.env` files.

Users' Storybook runtime environments (i.e. `storybook dev`) are not
affected. Deployed applications that share a repo with a project's
Storybook are not affected.

Storybook 6 and below are not affected.

## Recommended actions

First, Storybook recommends that everyone audit for any sensitive
secrets provided via `.env` files and rotate those keys.

Second, Storybook has released patched versions of all affected major
Storybook versions that no longer have this vulnerability. Projects
should upgrade their Storybook—on both local machines and CI
environments—to one of these versions **before publishing again**.

- `10.1.10+`
- `9.1.17+`
- `8.6.15+`
- `7.6.21+`

Finally, some projects may have been relying on the undocumented
behavior at the heart of this issue and will need to change how they
reference environment variables after this update. If a project can no
longer read necessary environmental variable values, it can either
prefix the variables with `STORYBOOK_` or use the [`env` property in
Storybook’s
configuration](https://storybook.js.org/docs/configure/environment-variables#using-storybook-configuration)
to manually specify values. In either case, **do not** include sensitive
secrets as they *will* be included in the built bundle.

## Further information

Details of the vulnerability can be found on the [Storybook
announcement](https://storybook.js.org/blog/security-advisory).

---

### Release Notes

<details>
<summary>storybookjs/storybook (storybook)</summary>

### [`v10.1.10`](https://redirect.github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#10110)

[Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.9...v10.1.10)

- Core: Fix `.env`-file parsing -
[#33383](https://redirect.github.com/storybookjs/storybook/pull/33383),
thanks [@JReinhold](https://redirect.github.com/JReinhold)!
- Next.js: Handle v14 compatibility for draftMode import -
[#33341](https://redirect.github.com/storybookjs/storybook/pull/33341),
thanks [@tanujbhaud](https://redirect.github.com/tanujbhaud)!

### [`v10.1.9`](https://redirect.github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#1019)

[Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.8...v10.1.9)

- Telemetry: Remove instance of check for sub-error handling -
[#33356](https://redirect.github.com/storybookjs/storybook/pull/33356),
thanks
[@valentinpalkovic](https://redirect.github.com/valentinpalkovic)!

### [`v10.1.8`](https://redirect.github.com/storybookjs/storybook/compare/v10.1.7...7cd0cbca4ee2f2c082c9876de2fb2feba6c12bbf)

[Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.7...v10.1.8)

### [`v10.1.7`](https://redirect.github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#1017)

[Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.6...v10.1.7)

- Automigrate: Fix missing await -
[#33333](https://redirect.github.com/storybookjs/storybook/pull/33333),
thanks
[@valentinpalkovic](https://redirect.github.com/valentinpalkovic)!
- CLI: Remove REACT\_PROJECT projectType -
[#33334](https://redirect.github.com/storybookjs/storybook/pull/33334),
thanks
[@valentinpalkovic](https://redirect.github.com/valentinpalkovic)!
- Core: Exclude open from pre-bundling to make local xdg-open reachable -
[#33325](https://redirect.github.com/storybookjs/storybook/pull/33325),
thanks [@Sidnioulz](https://redirect.github.com/Sidnioulz)!
- Nextjs-Vite: Install `vite` during migration if not installed yet -
[#33316](https://redirect.github.com/storybookjs/storybook/pull/33316),
thanks [@ghengeveld](https://redirect.github.com/ghengeveld)!
- Telemetry: Fix race condition in telemetry cache causing malformed
JSON -
[#33323](https://redirect.github.com/storybookjs/storybook/pull/33323),
thanks
[@valentinpalkovic](https://redirect.github.com/valentinpalkovic)!

### [`v10.1.6`](https://redirect.github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#1016)

[Compare Source](https://redirect.github.com/storybookjs/storybook/compare/v10.1.5...v10.1.6)

- Manager: Do not display non-existing shortcuts in the settings page -
[#32711](https://redirect.github.com/storybookjs/storybook/pull/32711),
thanks [@DKER2](https://redirect.github.com/DKER2)!
- Preview: Enforce inert body if manager is focus-trapped -
[#33186](https://redirect.github.com/storybookjs/storybook/pull/33186),
thanks [@Sidnioulz](https://redirect.github.com/Sidnioulz)!
- Telemetry: Await pending operations in getLastEvents to prevent race
conditions -
[#33285](https://redirect.github.com/storybookjs/storybook/pull/33285),
thanks
[@valentinpalkovic](https://redirect.github.com/valentinpalkovic)!
- UI: Fix keyboard navigation bug for "reset" option in `Select` -
[#33268](https://redirect.github.com/storybookjs/storybook/pull/33268),
thanks [@Sidnioulz](https://redirect.github.com/Sidnioulz)!

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
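
As an added example, not part of this commit or of Storybook's own code: a Node script that carries out the audit step the advisory recommends, by checking whether any value defined in a project's `.env` files appears verbatim in a built Storybook. The `storybook-static` directory name in the usage comment, the file extensions scanned and the 8-character minimum are assumptions of this sketch.

```javascript
// Added example: audit a built Storybook for values that came from .env files.
const fs = require('node:fs');
const path = require('node:path');

// Minimal .env parser: KEY=value lines, optional "export ", quotes, # comments.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue; // blank line, comment, or not an assignment
    let value = m[2].trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) value = quoted[2];
    else value = value.replace(/\s+#.*$/, ''); // strip trailing comment
    vars[m[1]] = value;
  }
  return vars;
}

// Report every (variable, file) pair where the variable's value appears verbatim.
// Values shorter than minLen are skipped to avoid matching "true", "3000", etc.
// STORYBOOK_-prefixed variables are bundled by design, so they are marked expected.
function findLeaks(vars, files, minLen = 8) {
  const hits = [];
  for (const [key, value] of Object.entries(vars)) {
    if (value.length < minLen) continue;
    for (const [file, content] of Object.entries(files)) {
      if (content.includes(value)) {
        hits.push({ key, file, expected: key.startsWith('STORYBOOK_') });
      }
    }
  }
  return hits;
}

// Recursively load text assets from a build directory into { path: content }.
function loadBuild(dir, out = {}) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = path.join(dir, entry.name);
    if (entry.isDirectory()) loadBuild(p, out);
    else if (/\.(js|mjs|html|json|map)$/.test(entry.name)) out[p] = fs.readFileSync(p, 'utf8');
  }
  return out;
}

// Usage (assumed paths): node audit-env.js storybook-static .env .env.local
if (process.argv.length > 3) {
  const [buildDir, ...envFiles] = process.argv.slice(2);
  const vars = Object.assign({}, ...envFiles.map((f) => parseEnv(fs.readFileSync(f, 'utf8'))));
  const unexpected = findLeaks(vars, loadBuild(buildDir)).filter((h) => !h.expected);
  for (const h of unexpected) console.log(`${h.key} found in ${h.file}`); // never print the value
  process.exitCode = unexpected.length ? 1 : 0;
}
```

A clean result only shows that no value appears verbatim in the scanned files; a bundler may escape or split a string, so it does not replace the key rotation the advisory asks for.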
This commit is contained in:
renovate[bot]
2025-12-21 17:21:20 +08:00
committed by GitHub
parent 28a1ac4772
commit efbdee5508
+18 -8
@@ -30109,15 +30109,15 @@ __metadata:
languageName: node
linkType: hard
"open@npm:^10.0.3, open@npm:^10.1.0":
version: 10.1.2
resolution: "open@npm:10.1.2"
"open@npm:^10.0.3, open@npm:^10.1.0, open@npm:^10.2.0":
version: 10.2.0
resolution: "open@npm:10.2.0"
dependencies:
default-browser: "npm:^5.2.1"
define-lazy-prop: "npm:^3.0.0"
is-inside-container: "npm:^1.0.0"
is-wsl: "npm:^3.1.0"
checksum: 10/dc0496486fd79289844d8cac678402384488696db60ae5c5a175748cd728c381689cd937527762685dc27530408da0f0dac7653769f9730e773aa439d6674b98
wsl-utils: "npm:^0.1.0"
checksum: 10/e6ad9474734eac3549dcc7d85e952394856ccaee48107c453bd6a725b82e3b8ed5f427658935df27efa76b411aeef62888edea8a9e347e8e7c82632ec966b30e
languageName: node
linkType: hard
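Review bot: The merged `open` descriptor now serves the existing `^10.0.3` and `^10.1.0` ranges as well as the new `^10.2.0`, so every consumer of `open` in the workspace moves from 10.1.2 to 10.2.0 and picks up `wsl-utils`, not only storybook. The commit title mentions storybook alone; please record the `open` upgrade in the message and confirm the other dependents are fine on 10.2.0.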
@@ -34222,8 +34222,8 @@ __metadata:
linkType: hard
"storybook@npm:^10.1.5":
version: 10.1.5
resolution: "storybook@npm:10.1.5"
version: 10.1.10
resolution: "storybook@npm:10.1.10"
dependencies:
"@storybook/global": "npm:^5.0.0"
"@storybook/icons": "npm:^2.0.0"
@@ -34232,6 +34232,7 @@ __metadata:
"@vitest/expect": "npm:3.2.4"
"@vitest/spy": "npm:3.2.4"
esbuild: "npm:^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0 || ^0.24.0 || ^0.25.0 || ^0.26.0 || ^0.27.0"
open: "npm:^10.2.0"
recast: "npm:^0.23.5"
semver: "npm:^7.6.2"
use-sync-external-store: "npm:^1.5.0"
@@ -34243,7 +34244,7 @@ __metadata:
optional: true
bin:
storybook: ./dist/bin/dispatcher.js
checksum: 10/b7fd67f19c1e2492f6a958525421a3004bf1a7b0aee74b45326ef501bb8c761024492c7e4c1944be19bdb25e0aa212645065fabef71fca2b422c210e39ae309d
checksum: 10/c1f01c7ab57e80d2f2ef3a5c49baad5904e77c8e079199ad134e98a7ae455d52422390cd704e64142b36668874c055670dbffe0e334e1f4d541ebd4384052dd7
languageName: node
linkType: hard
@@ -37023,6 +37024,15 @@ __metadata:
languageName: node
linkType: hard
"wsl-utils@npm:^0.1.0":
version: 0.1.0
resolution: "wsl-utils@npm:0.1.0"
dependencies:
is-wsl: "npm:^3.1.0"
checksum: 10/de4c92187e04c3c27b4478f410a02e81c351dc85efa3447bf1666f34fc80baacd890a6698ec91995631714086992036013286aea3d77e6974020d40a08e00aec
languageName: node
linkType: hard
"xml2js@npm:^0.6.2":
version: 0.6.2
resolution: "xml2js@npm:0.6.2"