@storybook/cli — Greenflagged

Storybook CLI: Develop, document, and test UI components in isolation

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ndelangenshilmantmeasdayghengeveldwinkervsbecksyannbfkylegachjreinholdkasperpeulenvalentinpalkovicdomyenstorybook-bot

Keywords

storybookclidevbuildupgradeinit

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/_node-chunks/run-YXTQBW3D.js	AI (source-diff): CLI tool legitimately uses network + child_process; bundled output, not malicious.	ai	2026/05/29
source-diff	obfuscated-file:dist/_node-chunks/run-YXTQBW3D.js	AI (source-diff): esbuild-bundled output with CJS compat banner; standard Storybook build artifact.	ai	2026/05/29
source-diff	obfuscated-file:dist/_node-chunks/run-CMSUW4EI.js	AI (source-diff): esbuild-bundled output for Storybook CLI; minified chunks are expected.	ai	2026/05/14
source-diff	large-new-source-files	AI (source-diff): Normal churn for a large CLI tool rebundled with esbuild across versions.	ai	2026/05/14
source-diff	net-exec-file:dist/_node-chunks/run-CMSUW4EI.js	AI (source-diff): CLI tool legitimately uses network + exec (e.g. init, upgrade); bundled output.	ai	2026/05/14
source-diff	net-exec-file:dist/_node-chunks/run-7LEO2IWT.js	AI (source-diff): CLI tool legitimately uses network + exec; bundled output, not a dropper.	ai	2026/04/30
source-diff	obfuscated-file:dist/_node-chunks/run-7LEO2IWT.js	AI (source-diff): esbuild-bundled output with CJS compat banner; standard for Storybook's build pipeline.	ai	2026/04/30
publish-pattern	rapid-publish	AI (publish-pattern): Monorepo automated release; expected for @storybook packages.	ai	2026/04/30
phantom-deps	phantom-dep:@babel/preset-env	AI (phantom-deps): @babel/preset-env is a framework-scoped package loaded by convention in Storybook's build pipeline; stable false positive.	ai	2026/04/24
phantom-deps	phantom-dep:@types/semver	AI (phantom-deps): @types/semver is a type declaration package loaded by convention; stable false positive for this package.	ai	2026/04/24
phantom-deps	phantom-dep:jscodeshift	AI (phantom-deps): jscodeshift is a legitimate declared dependency used by convention in the CLI's codemod tooling, not a phantom dep.	ai	2026/04/24
typosquat	typosquat.levenshtein:joi	AI (typosquat): @storybook/cli is a well-established scoped package with 3000+ days of history; Levenshtein match against 'joi' is a false positive with no plausible typosquat relationship.	ai	2026/04/24
source-diff	net-exec-file:dist/_node-chunks/run-UE2YPBJ7.js	AI (source-diff): Network + code execution is expected for a CLI tool that upgrades Storybook dependencies, fetches npm package data, and runs codemods. The sample shows legitimate Storybook CLI functionality.	ai	2026/04/23
source-diff	obfuscated-file:dist/_node-chunks/run-UE2YPBJ7.js	AI (source-diff): Storybook CLI ships esbuild-bundled dist chunks with long lines; this is standard build output, not obfuscation. The CJS compat banner and named Storybook function imports confirm legitimate bundled code.	ai	2026/04/23

Versions (showing 100 of 919)

Hide prereleases

Version	Deps	Published
8.6.7	21 / 7	2025-03-17
8.6.6	21 / 7	2025-03-15
8.6.5	21 / 7	2025-03-14
8.6.4	21 / 7	2025-03-05
8.6.3	21 / 7	2025-03-01
8.6.2	21 / 7	2025-02-27
8.6.1	21 / 7	2025-02-27
8.6.0	21 / 7	2025-02-25
8.5.8	20 / 7	2025-02-19
8.5.7	20 / 7	2025-02-18
8.5.6	20 / 7	2025-02-14
8.5.5	20 / 7	2025-02-12
8.5.4	20 / 7	2025-02-11
8.5.3	20 / 7	2025-02-01
8.5.2	20 / 7	2025-01-27
8.5.1	20 / 7	2025-01-23
8.5.0	20 / 7	2025-01-15
8.4.7	20 / 7	2024-12-05
8.4.6	20 / 7	2024-11-29
8.4.5	20 / 7	2024-11-20
8.4.4	20 / 7	2024-11-14
8.4.3	20 / 7	2024-11-13
8.4.2	20 / 7	2024-11-05
8.4.1	20 / 7	2024-11-01
8.4.0	20 / 7	2024-10-31
8.3.7	22 / 6	2024-11-04
8.3.6	22 / 6	2024-10-18
8.3.5	22 / 6	2024-10-04
8.3.4	22 / 6	2024-09-28
8.3.3	22 / 6	2024-09-24
8.3.2	22 / 6	2024-09-19
8.3.1	22 / 6	2024-09-16
8.3.0	22 / 6	2024-09-11
8.2.10	1 / 0	2024-11-04
8.2.9	1 / 0	2024-08-13
8.2.8	1 / 0	2024-08-07
8.2.7	1 / 0	2024-08-01
8.2.6	1 / 0	2024-07-24
8.2.5	1 / 0	2024-07-19
8.2.4	1 / 0	2024-07-16
8.2.3	1 / 0	2024-07-15
8.2.2	1 / 0	2024-07-11
8.2.1	1 / 0	2024-07-10
8.2.0	1 / 0	2024-07-10
8.1.11	36 / 8	2024-06-27
8.1.10	36 / 8	2024-06-17
8.1.9	36 / 8	2024-06-13
8.1.8	36 / 8	2024-06-13
8.1.7	36 / 8	2024-06-12
8.1.6	36 / 8	2024-06-05
8.1.5	36 / 8	2024-05-30
8.1.4	36 / 8	2024-05-27
8.1.3	36 / 8	2024-05-23
8.1.2	36 / 8	2024-05-21
8.1.1	36 / 8	2024-05-15
8.1.0	36 / 8	2024-05-14
8.0.10	36 / 8	2024-05-05
8.0.9	36 / 8	2024-04-22
8.0.8	36 / 8	2024-04-11
8.0.7	36 / 8	2024-04-11
8.0.6	36 / 8	2024-04-05
8.0.5	36 / 8	2024-03-27
8.0.4	36 / 8	2024-03-21
8.0.3	36 / 8	2024-03-21
8.0.2	36 / 8	2024-03-19
8.0.1	36 / 8	2024-03-18
8.0.0	36 / 8	2024-03-11
7.6.24	40 / 9	2026-03-06
7.6.23	40 / 9	2026-02-18
7.6.22	40 / 9	2026-02-17
7.6.21	40 / 9	2025-12-17
7.6.20	40 / 9	2024-06-24
7.6.19	40 / 9	2024-05-01
7.6.18	40 / 9	2024-04-23
7.6.17	40 / 9	2024-02-20
7.6.16	40 / 9	2024-02-15
7.6.15	40 / 9	2024-02-13
7.6.14	40 / 9	2024-02-10
7.6.13	40 / 9	2024-02-06
7.6.12	40 / 9	2024-01-31
7.6.11	40 / 9	2024-01-30
7.6.10	40 / 9	2024-01-18
7.6.9	40 / 9	2024-01-17
7.6.8	41 / 9	2024-01-12
7.6.7	41 / 9	2024-01-01
7.6.6	41 / 10	2023-12-19
7.6.5	41 / 10	2023-12-15
7.6.4	41 / 10	2023-12-07
7.6.3	41 / 10	2023-12-01
7.6.2	41 / 10	2023-11-30
7.6.1	41 / 10	2023-11-29
7.6.0	41 / 10	2023-11-28
7.5.3	41 / 10	2023-11-06
7.5.2	41 / 10	2023-10-30
7.5.1	41 / 10	2023-10-19
7.5.0	41 / 10	2023-10-17
7.4.6	41 / 10	2023-10-03
7.4.5	41 / 10	2023-09-24
7.4.4	41 / 10	2023-09-22
7.4.3	41 / 10	2023-09-20

Showing 100 of 919 Next page →