⬆️(dependencies) update storybook to v8.6.17 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
storybook (source)	8.6.8 → 8.6.17

GitHub Vulnerability Alerts

CVE-2025-68429

On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks.

The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. If those variables contained secrets, they should be considered compromised.

Who is impacted?

For a project to be vulnerable to this issue, it must:

• Build the Storybook (i.e. run storybook build directly or indirectly) in a directory that contains a .env file (including variants like .env.local)
• The .env file contains sensitive secrets
• Use Storybook version 7.0.0 or above
• Publish the built Storybook to the web

Storybooks built without a .env file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than .env files.

Users' Storybook runtime environments (i.e. storybook dev) are not affected. Deployed applications that share a repo with a project's Storybook are not affected.

Storybook 6 and below are not affected.

Recommended actions

First, Storybook recommends that everyone audit for any sensitive secrets provided via .env files and rotate those keys.

Second, Storybook has released patched versions of all affected major Storybook versions that no longer have this vulnerability. Projects should upgrade their Storybook—on both local machines and CI environments—to one of these versions before publishing again.

• 10.1.10+
• 9.1.17+
• 8.6.15+
• 7.6.21+

Finally, some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, it can either prefix the variables with STORYBOOK_ or use the env property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.

Further information

Details of the vulnerability can be found on the Storybook announcement.

CVE-2026-27148

Summary

The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.

Details

Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.

If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.

The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).

Note: recent versions of Chrome have some protections against this, but Firefox does not.

Impact

This vulnerability can lead to supply chain compromise. Key risks include:

• Remote Code Execution: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.
• Persistent XSS: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.
• Supply Chain Propagation: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.

Affected versions

8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.

Recommended actions

Update to one of the patched versions: 7.6.23, 8.6.17, 9.1.19, 10.2.10.

---

Release Notes

storybookjs/storybook (storybook)

v8.6.17

Compare Source

8.6.17

• Harden websocket connection

v8.6.16

Compare Source

8.6.16

• No-op release. No changes.

v8.6.15

Compare Source

• Core: Fix .env-file parsing, thanks @​jreinhold!

v8.6.14

Compare Source

• CLI: Add skip onboarding, recommended/minimal config - #​30930, thanks @​shilman!
• Core: Fix using dates in expect statements - #​28413, thanks @​yann-combarnous!
• React Native Web: Fix expo router by setting JSX to automatic - #​31484, thanks @​dannyhw!
• Test: Make sure that lit arrays are not cloned - #​31435, thanks @​kasperpeulen!

v8.6.13

Compare Source

• Controls: Fix boxShadow on empty controls - #​27193, thanks @​H0onnn!
• React Native Web: Update react-native-web - #​31324, thanks @​ndelangen!

v8.6.12

Compare Source

• CLI: Only install Visual Test Addon if test feature is selected - #​30966, thanks @​ghengeveld!
• Core: Fix telemetry error on Storybook UI - #​30953, thanks @​yannbf!
• Ember: Fix ember-template-compiler import for ember 6+ - #​30682, thanks @​leoeuclids!
• Next: Update vite-plugin-storybook-nextjs to 2.0.0--canary.33.17a2310.0 - #​30997, thanks @​kasperpeulen!
• Svelte: Exclude node_modules from docgen - #​30981, thanks @​JReinhold!

v8.6.11

Compare Source

• Angular: Fix zone.js support for Angular libraries - #​30941, thanks @​valentinpalkovic!

v8.6.10

Compare Source

• Addon-docs: Fix non-string handling in Stories block - #​30913, thanks @​JamesIves!
• Nextjs: Fix styled-jsx optimize vite warnings - #​30932, thanks @​kasperpeulen!
• React: Fix actImplementation is not a function - #​30929, thanks @​kasperpeulen!

v8.6.9

Compare Source

• Next: Fix react aliases in next vite plugin - #​30914, thanks @​kasperpeulen!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.