@storybook/core — Greenflagged

Storybook framework-agnostic API

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ndelangenshilmantmeasdayghengeveldwinkervsbecksyannbfkylegachjreinholdkasperpeulenvalentinpalkovicdomyenstorybook-bot

Keywords

storybook

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:qs	AI (phantom-deps): Declared in package.json and used in config; phantom-dep is expected for framework configuration packages.	ai	2026/04/22
dependencies	unvetted-dep:babel-loader	AI (dependencies): babel-loader is a standard, widely-used webpack Babel loader. Its use as a dependency of @storybook/core is expected and appropriate for a build tooling package.	ai	2026/04/22
dependencies	unvetted-dep:babel-plugin-add-react-displayname	AI (dependencies): Well-known Babel plugin for adding React display names; standard React/Storybook build tooling dependency.	ai	2026/04/22
dependencies	unvetted-dep:corejs-upgrade-webpack-plugin	AI (dependencies): Legitimate webpack plugin for upgrading core-js polyfill imports; standard build tooling dependency for Storybook's webpack pipeline.	ai	2026/04/22
dependencies	unvetted-peer-dep:babel-loader	AI (dependencies): babel-loader is a standard peer dependency for build tools; legitimate for Storybook's build configuration.	ai	2026/04/22
phantom-deps	phantom-dep:prop-types	AI (phantom-deps): Declared and referenced in config files; normal for framework packages.	ai	2026/04/22
phantom-deps	phantom-dep:object.omit	AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages.	ai	2026/04/22
semgrep	semgrep:env-bulk-read	AI (semgrep): Filters process.env for STORYBOOK_* prefixed variables; legitimate config pattern.	ai	2026/04/22
phantom-deps	phantom-dep:@emotion/provider	AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries.	ai	2026/04/22
phantom-deps	phantom-dep:child-process-promise	AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages.	ai	2026/04/22
phantom-deps	phantom-dep:svg-url-loader	AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries.	ai	2026/04/22
phantom-deps	phantom-dep:@emotion/core	AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries.	ai	2026/04/22
phantom-deps	phantom-dep:spawn-promise	AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages.	ai	2026/04/22
dependencies	unvetted-dep:trash	AI (dependencies): trash is a well-known sindresorhus utility for moving files to OS trash; its use in a build tool like Storybook is expected and benign.	ai	2026/04/22
phantom-deps	phantom-dep:webpack-filter-warnings-plugin	AI (phantom-deps): webpack-filter-warnings-plugin is a webpack plugin referenced in config files rather than via direct import — standard pattern for webpack plugins, no security concern.	ai	2026/04/22
phantom-deps	phantom-dep:@babel/register	AI (phantom-deps): Framework-scoped package loaded by convention in Storybook's build pipeline; phantom dep is expected for this package.	ai	2026/04/22
dependencies	unvetted-dep:dotenv-webpack	AI (dependencies): dotenv-webpack is a legitimate, widely-used webpack plugin for loading .env files; expected dependency for a webpack-based build framework like Storybook.	ai	2026/04/22
phantom-deps	phantom-dep:@storybook/api	AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages.	ai	2026/04/22
phantom-deps	phantom-dep:@storybook/channels	AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages.	ai	2026/04/22
phantom-deps	phantom-dep:@storybook/components	AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages.	ai	2026/04/22
phantom-deps	phantom-dep:@storybook/router	AI (phantom-deps): Same-org scoped package loaded by framework convention; stable for this package.	ai	2026/04/22
phantom-deps	phantom-dep:@types/glob-base	AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework.	ai	2026/04/22
phantom-deps	phantom-dep:babel-preset-minify	AI (phantom-deps): Referenced in config files by convention in Storybook's build pipeline; phantom dep is expected for this package.	ai	2026/04/22
phantom-deps	phantom-dep:@types/node-fetch	AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework.	ai	2026/04/22
phantom-deps	phantom-dep:@types/micromatch	AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework.	ai	2026/04/22
dependencies	unvetted-dep:pnp-webpack-plugin	AI (dependencies): pnp-webpack-plugin is a legitimate Yarn PnP support plugin for webpack; expected in a build framework supporting multiple package managers.	ai	2026/04/22
dependencies	unvetted-dep:html-webpack-plugin	AI (dependencies): html-webpack-plugin is a standard webpack build dependency; appropriate for a framework core package.	ai	2026/04/22
dependencies	unvetted-dep:@types/micromatch	AI (dependencies): @types/micromatch is a TypeScript type definition package; no security risk, expected in a TypeScript-based build tool.	ai	2026/04/22
dependencies	unvetted-dep:@types/glob-base	AI (dependencies): @types/glob-base is a TypeScript type definition package; no security risk, expected in a TypeScript-based build tool.	ai	2026/04/22
phantom-deps	phantom-dep:ejs	AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries.	ai	2026/04/22
phantom-deps	phantom-dep:pnp-webpack-plugin	AI (phantom-deps): pnp-webpack-plugin is properly declared and referenced in webpack config; phantom status is expected.	ai	2026/04/22
phantom-deps	phantom-dep:babel-plugin-add-react-displayname	AI (phantom-deps): Declared in package.json and loaded by convention; phantom-dep is expected for Babel plugin configuration.	ai	2026/04/22
phantom-deps	phantom-dep:@babel/plugin-transform-react-constant-elements	AI (phantom-deps): Declared in package.json and loaded by convention; phantom-dep is expected for Babel plugin configuration.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): Monorepo package; README links and missing keywords are false positives for a framework core library.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require used to load babel-loader configuration; appropriate for build tools inspecting peer dependencies.	ai	2026/04/22
dependencies	unvetted-dep:webpack-hot-middleware	AI (dependencies): webpack-hot-middleware is a standard webpack dev tool; appropriate for Storybook's build infrastructure.	ai	2026/04/22
phantom-deps	phantom-dep:ws	AI (phantom-deps): ws is a legitimate runtime dependency referenced in config; phantom-dep finding is expected for this package.	ai	2026/04/22
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Type package loaded by convention; standard TypeScript practice in framework packages.	ai	2026/04/22
phantom-deps	phantom-dep:@types/express	AI (phantom-deps): Type package loaded by convention; standard TypeScript practice in framework packages.	ai	2026/04/22
phantom-deps	phantom-dep:esbuild-register	AI (phantom-deps): Build-time dependency referenced in config; phantom-dep finding is expected for this package.	ai	2026/04/22
dependencies	unvetted-dep:esbuild	AI (dependencies): esbuild is a canonical build tool; wide version range reflects compatibility across versions.	ai	2026/04/22
dependencies	unvetted-dep:jsdoc-type-pratt-parser	AI (dependencies): jsdoc-type-pratt-parser is a standard JSDoc type parser; appropriate for documentation tooling.	ai	2026/04/22
dependencies	unvetted-dep:@storybook/theming	AI (dependencies): Internal @storybook org dependency; same-org scoped packages are expected.	ai	2026/04/22
dependencies	unvetted-dep:esbuild-register	AI (dependencies): esbuild-register is a standard loader for TypeScript/ESM; appropriate for build infrastructure.	ai	2026/04/22
dependencies	unvetted-dep:browser-assert	AI (dependencies): browser-assert is a standard assertion library for browser environments.	ai	2026/04/22
dependencies	unvetted-dep:recast	AI (dependencies): recast is a standard AST manipulation library used in build tooling; appropriate for core package.	ai	2026/04/22
dependencies	unvetted-dep:better-opn	AI (dependencies): better-opn is a utility for opening URLs; standard for development tools.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher changed from storybook-bot to GitHub Actions, consistent with a CI/CD migration for automated publishing. Official repo URL matches storybookjs org; no malicious indicators.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Established Storybook package with 1465 versions; lack of Sigstore provenance is a minor gap, not a security risk for this well-known package.	ai	2026/04/22
phantom-deps	phantom-dep:@storybook/theming	AI (phantom-deps): Same-org scoped package; normal for monorepo structure.	ai	2026/04/21
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped package @storybook/core in different namespace; no brand confusion or malicious intent.	ai	2026/04/21

Versions (showing 100 of 255)

Show 6 prereleases

Version	Deps	Published
6.3.5	2 / 0	2021-07-22
6.3.4	2 / 0	2021-07-08
6.3.3	2 / 0	2021-07-07
6.3.2	2 / 0	2021-06-30
6.3.1	2 / 0	2021-06-28
6.3.0	2 / 0	2021-06-23
6.2.9	2 / 0	2021-04-23
6.2.8	2 / 0	2021-04-14
6.2.7	2 / 0	2021-04-09
6.2.6	2 / 0	2021-04-09
6.2.5	2 / 0	2021-04-07
6.2.4	2 / 0	2021-04-07
6.2.3	2 / 0	2021-04-05
6.2.2	2 / 0	2021-04-02
6.2.1	2 / 0	2021-03-31
6.2.0	2 / 0	2021-03-30
6.1.21	101 / 14	2021-03-03
6.1.20	101 / 14	2021-02-24
6.1.19	101 / 14	2021-02-23
6.1.18	101 / 14	2021-02-14
6.1.17	101 / 14	2021-02-04
6.1.16	101 / 14	2021-02-02
6.1.15	101 / 14	2021-01-22
6.1.14	101 / 14	2021-01-12
6.1.12	101 / 14	2021-01-11
6.1.11	101 / 14	2020-12-12
6.1.10	101 / 14	2020-12-04
6.1.9	101 / 14	2020-11-29
6.1.8	101 / 14	2020-11-27
6.1.7	101 / 14	2020-11-26
6.1.6	101 / 14	2020-11-25
6.1.5	101 / 14	2020-11-24
6.1.4	101 / 14	2020-11-23
6.1.3	101 / 14	2020-11-23
6.1.2	102 / 14	2020-11-21
6.1.1	102 / 14	2020-11-19
6.1.0	102 / 14	2020-11-19
6.0.28	97 / 1	2020-10-30
6.0.27	97 / 1	2020-10-23
6.0.26	97 / 1	2020-10-05
6.0.25	97 / 1	2020-10-03
6.0.24	97 / 1	2020-10-03
6.0.23	97 / 1	2020-10-03
6.0.22	97 / 1	2020-09-26
6.0.21	97 / 1	2020-08-31
6.0.20	97 / 1	2020-08-28
6.0.19	97 / 1	2020-08-26
6.0.18	97 / 1	2020-08-25
6.0.17	97 / 1	2020-08-25
6.0.16	97 / 1	2020-08-20
6.0.15	97 / 1	2020-08-20
6.0.14	97 / 1	2020-08-20
6.0.13	97 / 1	2020-08-19
6.0.12	97 / 1	2020-08-17
6.0.11	97 / 1	2020-08-17
6.0.10	97 / 1	2020-08-15
6.0.9	97 / 1	2020-08-15
6.0.7	97 / 1	2020-08-14
6.0.6	97 / 1	2020-08-13
6.0.5	97 / 1	2020-08-12
6.0.4	97 / 1	2020-08-12
6.0.3	97 / 1	2020-08-12
6.0.2	97 / 1	2020-08-11
6.0.1	97 / 1	2020-08-11
6.0.0	96 / 1	2020-08-11
5.3.21	73 / 1	2020-08-28
5.3.20	73 / 1	2020-08-26
5.3.19	73 / 1	2020-05-24
5.3.18	73 / 1	2020-03-31
5.3.17	73 / 1	2020-03-14
5.3.15	73 / 1	2020-03-14
5.3.14	73 / 1	2020-02-25
5.3.13	73 / 1	2020-02-12
5.3.12	73 / 1	2020-02-04
5.3.11	73 / 1	2020-02-04
5.3.10	73 / 1	2020-02-02
5.3.9	73 / 1	2020-01-24
5.3.8	73 / 1	2020-01-21
5.3.7	73 / 1	2020-01-20
5.3.6	73 / 1	2020-01-17
5.3.5	73 / 1	2020-01-16
5.3.4	73 / 1	2020-01-16
5.3.3	73 / 1	2020-01-14
5.3.2	73 / 1	2020-01-13
5.3.1	73 / 1	2020-01-12
5.3.0	73 / 1	2020-01-11
5.2.8	68 / 1	2019-12-02
5.2.7	68 / 1	2019-11-30
5.2.6	68 / 1	2019-11-09
5.2.5	68 / 1	2019-10-22
5.2.4	68 / 1	2019-10-14
5.2.3	68 / 1	2019-10-07
5.2.2	68 / 1	2019-10-07
5.2.1	68 / 1	2019-09-17
5.2.0	68 / 1	2019-09-14
5.1.11	67 / 1	2019-08-13
5.1.10	66 / 1	2019-07-31
5.1.9	66 / 1	2019-06-20
5.1.8	65 / 1	2019-06-14
5.1.7	65 / 1	2019-06-13

Showing 100 of 255 Next page →