@storybook/core
Storybook framework-agnostic API
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:qs | AI (phantom-deps): Declared in package.json and used in config; phantom-dep is expected for framework configuration packages. | ai | |
| dependencies | unvetted-dep:babel-loader | AI (dependencies): babel-loader is a standard, widely-used webpack Babel loader. Its use as a dependency of @storybook/core is expected and appropriate for a build tooling package. | ai | |
| dependencies | unvetted-dep:babel-plugin-add-react-displayname | AI (dependencies): Well-known Babel plugin for adding React display names; standard React/Storybook build tooling dependency. | ai | |
| dependencies | unvetted-dep:corejs-upgrade-webpack-plugin | AI (dependencies): Legitimate webpack plugin for upgrading core-js polyfill imports; standard build tooling dependency for Storybook's webpack pipeline. | ai | |
| dependencies | unvetted-peer-dep:babel-loader | AI (dependencies): babel-loader is a standard peer dependency for build tools; legitimate for Storybook's build configuration. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): Declared and referenced in config files; normal for framework packages. | ai | |
| phantom-deps | phantom-dep:object.omit | AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Filters process.env for STORYBOOK_* prefixed variables; legitimate config pattern. | ai | |
| phantom-deps | phantom-dep:@emotion/provider | AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries. | ai | |
| phantom-deps | phantom-dep:child-process-promise | AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages. | ai | |
| phantom-deps | phantom-dep:svg-url-loader | AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries. | ai | |
| phantom-deps | phantom-dep:@emotion/core | AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries. | ai | |
| phantom-deps | phantom-dep:spawn-promise | AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages. | ai | |
| dependencies | unvetted-dep:trash | AI (dependencies): trash is a well-known sindresorhus utility for moving files to OS trash; its use in a build tool like Storybook is expected and benign. | ai | |
| phantom-deps | phantom-dep:webpack-filter-warnings-plugin | AI (phantom-deps): webpack-filter-warnings-plugin is a webpack plugin referenced in config files rather than via direct import — standard pattern for webpack plugins, no security concern. | ai | |
| phantom-deps | phantom-dep:@babel/register | AI (phantom-deps): Framework-scoped package loaded by convention in Storybook's build pipeline; phantom dep is expected for this package. | ai | |
| dependencies | unvetted-dep:dotenv-webpack | AI (dependencies): dotenv-webpack is a legitimate, widely-used webpack plugin for loading .env files; expected dependency for a webpack-based build framework like Storybook. | ai | |
| phantom-deps | phantom-dep:@storybook/api | AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storybook/channels | AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storybook/components | AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storybook/router | AI (phantom-deps): Same-org scoped package loaded by framework convention; stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/glob-base | AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework. | ai | |
| phantom-deps | phantom-dep:babel-preset-minify | AI (phantom-deps): Referenced in config files by convention in Storybook's build pipeline; phantom dep is expected for this package. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework. | ai | |
| phantom-deps | phantom-dep:@types/micromatch | AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework. | ai | |
| dependencies | unvetted-dep:pnp-webpack-plugin | AI (dependencies): pnp-webpack-plugin is a legitimate Yarn PnP support plugin for webpack; expected in a build framework supporting multiple package managers. | ai | |
| dependencies | unvetted-dep:html-webpack-plugin | AI (dependencies): html-webpack-plugin is a standard webpack build dependency; appropriate for a framework core package. | ai | |
| dependencies | unvetted-dep:@types/micromatch | AI (dependencies): @types/micromatch is a TypeScript type definition package; no security risk, expected in a TypeScript-based build tool. | ai | |
| dependencies | unvetted-dep:@types/glob-base | AI (dependencies): @types/glob-base is a TypeScript type definition package; no security risk, expected in a TypeScript-based build tool. | ai | |
| phantom-deps | phantom-dep:ejs | AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries. | ai | |
| phantom-deps | phantom-dep:pnp-webpack-plugin | AI (phantom-deps): pnp-webpack-plugin is properly declared and referenced in webpack config; phantom status is expected. | ai | |
| phantom-deps | phantom-dep:babel-plugin-add-react-displayname | AI (phantom-deps): Declared in package.json and loaded by convention; phantom-dep is expected for Babel plugin configuration. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-react-constant-elements | AI (phantom-deps): Declared in package.json and loaded by convention; phantom-dep is expected for Babel plugin configuration. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo package; README links and missing keywords are false positives for a framework core library. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require used to load babel-loader configuration; appropriate for build tools inspecting peer dependencies. | ai | |
| dependencies | unvetted-dep:webpack-hot-middleware | AI (dependencies): webpack-hot-middleware is a standard webpack dev tool; appropriate for Storybook's build infrastructure. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is a legitimate runtime dependency referenced in config; phantom-dep finding is expected for this package. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type package loaded by convention; standard TypeScript practice in framework packages. | ai | |
| phantom-deps | phantom-dep:@types/express | AI (phantom-deps): Type package loaded by convention; standard TypeScript practice in framework packages. | ai | |
| phantom-deps | phantom-dep:esbuild-register | AI (phantom-deps): Build-time dependency referenced in config; phantom-dep finding is expected for this package. | ai | |
| dependencies | unvetted-dep:esbuild | AI (dependencies): esbuild is a canonical build tool; wide version range reflects compatibility across versions. | ai | |
| dependencies | unvetted-dep:jsdoc-type-pratt-parser | AI (dependencies): jsdoc-type-pratt-parser is a standard JSDoc type parser; appropriate for documentation tooling. | ai | |
| dependencies | unvetted-dep:@storybook/theming | AI (dependencies): Internal @storybook org dependency; same-org scoped packages are expected. | ai | |
| dependencies | unvetted-dep:esbuild-register | AI (dependencies): esbuild-register is a standard loader for TypeScript/ESM; appropriate for build infrastructure. | ai | |
| dependencies | unvetted-dep:browser-assert | AI (dependencies): browser-assert is a standard assertion library for browser environments. | ai | |
| dependencies | unvetted-dep:recast | AI (dependencies): recast is a standard AST manipulation library used in build tooling; appropriate for core package. | ai | |
| dependencies | unvetted-dep:better-opn | AI (dependencies): better-opn is a utility for opening URLs; standard for development tools. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from storybook-bot to GitHub Actions, consistent with a CI/CD migration for automated publishing. Official repo URL matches storybookjs org; no malicious indicators. | ai | |
| provenance | no-provenance | AI (provenance): Established Storybook package with 1465 versions; lack of Sigstore provenance is a minor gap, not a security risk for this well-known package. | ai | |
| phantom-deps | phantom-dep:@storybook/theming | AI (phantom-deps): Same-org scoped package; normal for monorepo structure. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @storybook/core in different namespace; no brand confusion or malicious intent. | ai | |
Versions (showing 100 of 261)
| Version | Deps | Published |
|---|---|---|
| 8.6.18 | 11 / 125 | |
| 8.6.17 | 11 / 124 | |
| 8.6.16 | 11 / 124 | |
| 8.6.15 | 11 / 124 | |
| 8.6.14 | 11 / 124 | |
| 8.6.13 | 11 / 123 | |
| 8.6.12 | 11 / 123 | |
| 8.6.11 | 11 / 123 | |
| 8.6.10 | 11 / 123 | |
| 8.6.9 | 11 / 123 | |
| 8.6.8 | 11 / 123 | |
| 8.6.7 | 11 / 123 | |
| 8.6.6 | 11 / 123 | |
| 8.6.5 | 11 / 123 | |
| 8.6.4 | 11 / 123 | |
| 8.6.3 | 11 / 123 | |
| 8.6.2 | 11 / 123 | |
| 8.6.1 | 11 / 123 | |
| 8.6.0 | 11 / 123 | |
| 8.5.8 | 11 / 122 | |
| 8.5.7 | 11 / 122 | |
| 8.5.6 | 11 / 122 | |
| 8.5.5 | 11 / 122 | |
| 8.5.4 | 11 / 122 | |
| 8.5.3 | 11 / 122 | |
| 8.5.2 | 11 / 122 | |
| 8.5.1 | 11 / 122 | |
| 8.5.0 | 11 / 122 | |
| 8.4.7 | 11 / 122 | |
| 8.4.6 | 11 / 122 | |
| 8.4.5 | 11 / 122 | |
| 8.4.4 | 11 / 122 | |
| 8.4.3 | 11 / 122 | |
| 8.4.2 | 11 / 122 | |
| 8.4.1 | 11 / 122 | |
| 8.4.0 | 11 / 122 | |
| 8.3.7 | 13 / 128 | |
| 8.3.6 | 13 / 128 | |
| 8.3.5 | 13 / 128 | |
| 8.3.4 | 13 / 128 | |
| 8.3.3 | 13 / 128 | |
| 8.3.2 | 13 / 128 | |
| 8.3.1 | 13 / 128 | |
| 8.3.0 | 11 / 130 | |
| 8.2.10 | 11 / 126 | |
| 8.2.9 | 11 / 126 | |
| 8.2.8 | 11 / 126 | |
| 8.2.7 | 11 / 126 | |
| 8.2.6 | 11 / 126 | |
| 8.2.5 | 11 / 126 | |
| 8.2.4 | 11 / 126 | |
| 8.2.3 | 11 / 126 | |
| 8.2.2 | 11 / 126 | |
| 8.2.1 | 11 / 126 | |
| 8.2.0 | 11 / 126 | |
| 6.5.16 | 2 / 0 | |
| 6.5.15 | 2 / 0 | |
| 6.5.14 | 2 / 0 | |
| 6.5.13 | 2 / 0 | |
| 6.5.12 | 2 / 0 | |
| 6.5.11 | 2 / 0 | |
| 6.5.10 | 2 / 0 | |
| 6.5.9 | 2 / 0 | |
| 6.5.8 | 2 / 0 | |
| 6.5.7 | 2 / 0 | |
| 6.5.6 | 2 / 0 | |
| 6.5.5 | 2 / 0 | |
| 6.5.4 | 2 / 0 | |
| 6.5.3 | 2 / 0 | |
| 6.5.2 | 2 / 0 | |
| 6.5.0 | 2 / 0 | |
| 6.4.22 | 2 / 0 | |
| 6.4.21 | 2 / 0 | |
| 6.4.20 | 2 / 0 | |
| 6.4.19 | 2 / 0 | |
| 6.4.18 | 2 / 0 | |
| 6.4.17 | 2 / 0 | |
| 6.4.16 | 2 / 0 | |
| 6.4.15 | 2 / 0 | |
| 6.4.14 | 2 / 0 | |
| 6.4.13 | 2 / 0 | |
| 6.4.12 | 2 / 0 | |
| 6.4.10 | 2 / 0 | |
| 6.4.9 | 2 / 0 | |
| 6.4.8 | 2 / 0 | |
| 6.4.7 | 2 / 0 | |
| 6.4.5 | 2 / 0 | |
| 6.4.4 | 2 / 0 | |
| 6.4.3 | 2 / 0 | |
| 6.4.2 | 2 / 0 | |
| 6.4.1 | 2 / 0 | |
| 6.4.0 | 2 / 0 | |
| 6.3.13 | 2 / 0 | |
| 6.3.12 | 2 / 0 | |
| 6.3.11 | 2 / 0 | |
| 6.3.10 | 2 / 0 | |
| 6.3.9 | 2 / 0 | |
| 6.3.8 | 2 / 0 | |
| 6.3.7 | 2 / 0 | |
| 6.3.6 | 2 / 0 | |
Per-version findings

| Version | Findings |
|---|---|
| v8.6.14 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v6.5.16 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.15 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.14 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.13 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.12 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.11 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.10 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.9 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.8 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.7 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.6 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.5 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.4 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.3 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.2 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.5.0 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.22 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.21 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.20 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.19 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.18 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.17 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.16 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.15 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.14 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.13 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.12 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.10 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.9 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.8 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.7 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.5 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.4 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.3 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.2 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.1 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.4.0 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.3.13 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.3.12 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.3.11 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.3.10 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.3.9 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.3.8 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.3.7 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v6.3.6 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |