@storybook/core-common
Storybook framework-agnostic API
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:glob | AI (phantom-deps): glob is a legitimate dependency referenced in config files; normal for build tooling packages. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Handlebars is a well-known templating library used by Storybook for template rendering; legitimate dependency. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): dist/index.js is standard esbuild-bundled output for this Storybook package; long lines are minified but readable JS, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index.mjs | AI (source-diff): dist/index.mjs is standard esbuild-bundled ESM output; imports and exports are clearly readable Storybook internals. Not obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to cross-major-version diff (v7 vs v8) and addition of previously-bundled deps as explicit dependencies. Not a payload injection. | ai | |
| provenance | no-provenance | AI (provenance): Established Storybook core package with strong publisher track record; lack of provenance attestation is not a meaningful risk signal here. | ai | |
| dependencies | unvetted-dep:prettier-fallback | AI (dependencies): prettier-fallback is an npm alias for prettier@^3, a documented Storybook pattern for multi-version prettier support. No risk. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in a build-time bundler pre-script (generate-sb-packages-versions.js), not runtime code. Standard pattern for Storybook's monorepo build tooling. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a framework-scoped type package legitimately shipped as a dependency for Node.js type resolution; stable false positive. | ai | |
| phantom-deps | phantom-dep:pretty-hrtime | AI (phantom-deps): pretty-hrtime is referenced in config files as documented; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/pretty-hrtime | AI (phantom-deps): Type package legitimately shipped for TypeScript consumers; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): Type package for node-fetch, legitimately shipped for TypeScript consumers; stable false positive. | ai | |
| phantom-deps | phantom-dep:@types/find-cache-dir | AI (phantom-deps): Type package legitimately shipped for TypeScript consumers; stable false positive. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): esbuild is a documented runtime/binary dependency for Storybook's build tooling; phantom detection is a stable false positive for this package. | ai | |
Versions (showing 79 of 179)
| Version | Deps | Published |
|---|---|---|
| 7.0.22 | 21 / 6 | |
| 7.0.20 | 19 / 6 | |
| 7.0.19 | 19 / 6 | |
| 7.0.18 | 19 / 6 | |
| 7.0.17 | 19 / 6 | |
| 7.0.16 | 19 / 6 | |
| 7.0.14 | 19 / 6 | |
| 7.0.12 | 19 / 6 | |
| 7.0.11 | 19 / 6 | |
| 7.0.10 | 19 / 6 | |
| 7.0.8 | 19 / 6 | |
| 7.0.6 | 19 / 6 | |
| 7.0.5 | 19 / 6 | |
| 7.0.4 | 19 / 6 | |
| 7.0.3 | 19 / 6 | |
| 7.0.2 | 19 / 6 | |
| 7.0.1 | 19 / 6 | |
| 7.0.0 | 19 / 6 | |
| 6.5.16 | 50 / 6 | |
| 6.5.15 | 50 / 6 | |
| 6.5.14 | 50 / 6 | |
| 6.5.13 | 50 / 6 | |
| 6.5.12 | 50 / 6 | |
| 6.5.11 | 50 / 6 | |
| 6.5.10 | 50 / 6 | |
| 6.5.9 | 50 / 6 | |
| 6.5.8 | 50 / 6 | |
| 6.5.7 | 50 / 6 | |
| 6.5.6 | 50 / 6 | |
| 6.5.5 | 50 / 6 | |
| 6.5.4 | 50 / 6 | |
| 6.5.3 | 50 / 6 | |
| 6.5.2 | 50 / 6 | |
| 6.5.0 | 50 / 6 | |
| 6.4.22 | 49 / 6 | |
| 6.4.21 | 49 / 6 | |
| 6.4.20 | 49 / 6 | |
| 6.4.19 | 49 / 6 | |
| 6.4.18 | 49 / 6 | |
| 6.4.17 | 49 / 6 | |
| 6.4.16 | 49 / 6 | |
| 6.4.15 | 49 / 6 | |
| 6.4.14 | 49 / 6 | |
| 6.4.13 | 49 / 6 | |
| 6.4.12 | 49 / 6 | |
| 6.4.10 | 49 / 6 | |
| 6.4.9 | 49 / 6 | |
| 6.4.8 | 49 / 6 | |
| 6.4.7 | 49 / 6 | |
| 6.4.5 | 49 / 6 | |
| 6.4.4 | 49 / 6 | |
| 6.4.3 | 49 / 6 | |
| 6.4.2 | 49 / 6 | |
| 6.4.1 | 49 / 6 | |
| 6.4.0 | 49 / 6 | |
| 6.3.13 | 48 / 4 | |
| 6.3.12 | 48 / 4 | |
| 6.3.11 | 48 / 4 | |
| 6.3.10 | 48 / 4 | |
| 6.3.9 | 48 / 4 | |
| 6.3.8 | 48 / 4 | |
| 6.3.7 | 48 / 4 | |
| 6.3.6 | 48 / 4 | |
| 6.3.5 | 48 / 4 | |
| 6.3.4 | 48 / 4 | |
| 6.3.3 | 48 / 4 | |
| 6.3.2 | 48 / 4 | |
| 6.3.1 | 48 / 4 | |
| 6.3.0 | 48 / 4 | |
| 6.2.9 | 48 / 4 | |
| 6.2.8 | 48 / 4 | |
| 6.2.7 | 48 / 4 | |
| 6.2.6 | 48 / 4 | |
| 6.2.5 | 48 / 4 | |
| 6.2.4 | 48 / 4 | |
| 6.2.3 | 48 / 4 | |
| 6.2.2 | 48 / 4 | |
| 6.2.1 | 48 / 4 | |
| 6.2.0 | 48 / 4 | |
v7.0.22
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.