@storybook/core
Storybook framework-agnostic API
Versions: 51
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
ndelangen, shilman, tmeasday, ghengeveld, winkervsbecks, yannbf, kylegach, jreinhold, kasperpeulen, valentinpalkovic, domyen, storybook-bot
Keywords
storybook
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:qs | AI (phantom-deps): Declared in package.json and used in config; phantom-dep is expected for framework configuration packages. | ai | |
| dependencies | unvetted-dep:babel-loader | AI (dependencies): babel-loader is a standard, widely-used webpack Babel loader. Its use as a dependency of @storybook/core is expected and appropriate for a build tooling package. | ai | |
| dependencies | unvetted-dep:babel-plugin-add-react-displayname | AI (dependencies): Well-known Babel plugin for adding React display names; standard React/Storybook build tooling dependency. | ai | |
| dependencies | unvetted-dep:corejs-upgrade-webpack-plugin | AI (dependencies): Legitimate webpack plugin for upgrading core-js polyfill imports; standard build tooling dependency for Storybook's webpack pipeline. | ai | |
| dependencies | unvetted-peer-dep:babel-loader | AI (dependencies): babel-loader is a standard peer dependency for build tools; legitimate for Storybook's build configuration. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): Declared and referenced in config files; normal for framework packages. | ai | |
| phantom-deps | phantom-dep:object.omit | AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Filters process.env for STORYBOOK_* prefixed variables; legitimate config pattern. | ai | |
| phantom-deps | phantom-dep:@emotion/provider | AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries. | ai | |
| phantom-deps | phantom-dep:child-process-promise | AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages. | ai | |
| phantom-deps | phantom-dep:svg-url-loader | AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries. | ai | |
| phantom-deps | phantom-dep:@emotion/core | AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries. | ai | |
| phantom-deps | phantom-dep:spawn-promise | AI (phantom-deps): Declared and referenced in config files; normal for build-tool packages. | ai | |
| dependencies | unvetted-dep:trash | AI (dependencies): trash is a well-known sindresorhus utility for moving files to OS trash; its use in a build tool like Storybook is expected and benign. | ai | |
| phantom-deps | phantom-dep:webpack-filter-warnings-plugin | AI (phantom-deps): webpack-filter-warnings-plugin is a webpack plugin referenced in config files rather than via direct import — standard pattern for webpack plugins, no security concern. | ai | |
| phantom-deps | phantom-dep:@babel/register | AI (phantom-deps): Framework-scoped package loaded by convention in Storybook's build pipeline; phantom dep is expected for this package. | ai | |
| dependencies | unvetted-dep:dotenv-webpack | AI (dependencies): dotenv-webpack is a legitimate, widely-used webpack plugin for loading .env files; expected dependency for a webpack-based build framework like Storybook. | ai | |
| phantom-deps | phantom-dep:@storybook/api | AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storybook/channels | AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storybook/components | AI (phantom-deps): Same-org sibling package co-published in the Storybook monorepo; phantom dep pattern is expected for monorepo packages. | ai | |
| phantom-deps | phantom-dep:@storybook/router | AI (phantom-deps): Same-org scoped package loaded by framework convention; stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/glob-base | AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework. | ai | |
| phantom-deps | phantom-dep:babel-preset-minify | AI (phantom-deps): Referenced in config files by convention in Storybook's build pipeline; phantom dep is expected for this package. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework. | ai | |
| phantom-deps | phantom-dep:@types/micromatch | AI (phantom-deps): TypeScript type definition package; phantom dep is benign and expected in a TypeScript build framework. | ai | |
| dependencies | unvetted-dep:pnp-webpack-plugin | AI (dependencies): pnp-webpack-plugin is a legitimate Yarn PnP support plugin for webpack; expected in a build framework supporting multiple package managers. | ai | |
| dependencies | unvetted-dep:html-webpack-plugin | AI (dependencies): html-webpack-plugin is a standard webpack build dependency; appropriate for a framework core package. | ai | |
| dependencies | unvetted-dep:@types/micromatch | AI (dependencies): @types/micromatch is a TypeScript type definition package; no security risk, expected in a TypeScript-based build tool. | ai | |
| dependencies | unvetted-dep:@types/glob-base | AI (dependencies): @types/glob-base is a TypeScript type definition package; no security risk, expected in a TypeScript-based build tool. | ai | |
| phantom-deps | phantom-dep:ejs | AI (phantom-deps): Phantom dependency referenced in config files; common pattern for build/config libraries. | ai | |
| phantom-deps | phantom-dep:pnp-webpack-plugin | AI (phantom-deps): pnp-webpack-plugin is properly declared and referenced in webpack config; phantom status is expected. | ai | |
| phantom-deps | phantom-dep:babel-plugin-add-react-displayname | AI (phantom-deps): Declared in package.json and loaded by convention; phantom-dep is expected for Babel plugin configuration. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-react-constant-elements | AI (phantom-deps): Declared in package.json and loaded by convention; phantom-dep is expected for Babel plugin configuration. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo package; README links and missing keywords are false positives for a framework core library. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require used to load babel-loader configuration; appropriate for build tools inspecting peer dependencies. | ai | |
| dependencies | unvetted-dep:webpack-hot-middleware | AI (dependencies): webpack-hot-middleware is a standard webpack dev tool; appropriate for Storybook's build infrastructure. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is a legitimate runtime dependency referenced in config; phantom-dep finding is expected for this package. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type package loaded by convention; standard TypeScript practice in framework packages. | ai | |
| phantom-deps | phantom-dep:@types/express | AI (phantom-deps): Type package loaded by convention; standard TypeScript practice in framework packages. | ai | |
| phantom-deps | phantom-dep:esbuild-register | AI (phantom-deps): Build-time dependency referenced in config; phantom-dep finding is expected for this package. | ai | |
| dependencies | unvetted-dep:esbuild | AI (dependencies): esbuild is a canonical build tool; wide version range reflects compatibility across versions. | ai | |
| dependencies | unvetted-dep:jsdoc-type-pratt-parser | AI (dependencies): jsdoc-type-pratt-parser is a standard JSDoc type parser; appropriate for documentation tooling. | ai | |
| dependencies | unvetted-dep:@storybook/theming | AI (dependencies): Internal @storybook org dependency; same-org scoped packages are expected. | ai | |
| dependencies | unvetted-dep:esbuild-register | AI (dependencies): esbuild-register is a standard loader for TypeScript/ESM; appropriate for build infrastructure. | ai | |
| dependencies | unvetted-dep:browser-assert | AI (dependencies): browser-assert is a standard assertion library for browser environments. | ai | |
| dependencies | unvetted-dep:recast | AI (dependencies): recast is a standard AST manipulation library used in build tooling; appropriate for core package. | ai | |
| dependencies | unvetted-dep:better-opn | AI (dependencies): better-opn is a utility for opening URLs; standard for development tools. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from storybook-bot to GitHub Actions, consistent with a CI/CD migration for automated publishing. Official repo URL matches storybookjs org; no malicious indicators. | ai | |
| provenance | no-provenance | AI (provenance): Established Storybook package with 1465 versions; lack of Sigstore provenance is a minor gap, not a security risk for this well-known package. | ai | |
| phantom-deps | phantom-dep:@storybook/theming | AI (phantom-deps): Same-org scoped package; normal for monorepo structure. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped package @storybook/core in different namespace; no brand confusion or malicious intent. | ai | |
Versions (showing 51 of 261)
| Version | Deps | Published |
|---|---|---|
| 8.6.18 | 11 / 125 | |
| 8.6.17 | 11 / 124 | |
| 8.6.16 | 11 / 124 | |
| 8.6.15 | 11 / 124 | |
| 8.6.14 | 11 / 124 | |
| 8.6.13 | 11 / 123 | |
| 8.6.12 | 11 / 123 | |
| 8.6.11 | 11 / 123 | |
| 8.6.10 | 11 / 123 | |
| 8.6.9 | 11 / 123 | |
| 8.6.8 | 11 / 123 | |
| 8.6.7 | 11 / 123 | |
| 8.6.6 | 11 / 123 | |
| 8.6.5 | 11 / 123 | |
| 8.6.4 | 11 / 123 | |
| 8.6.3 | 11 / 123 | |
| 8.6.2 | 11 / 123 | |
| 8.6.1 | 11 / 123 | |
| 8.6.0 | 11 / 123 | |
| 8.5.8 | 11 / 122 | |
| 8.5.7 | 11 / 122 | |
| 8.5.6 | 11 / 122 | |
| 8.5.5 | 11 / 122 | |
| 8.5.4 | 11 / 122 | |
| 8.5.3 | 11 / 122 | |
| 8.5.2 | 11 / 122 | |
| 8.5.1 | 11 / 122 | |
| 8.5.0 | 11 / 122 | |
| 8.4.7 | 11 / 122 | |
| 8.4.6 | 11 / 122 | |
| 8.4.5 | 11 / 122 | |
| 8.4.4 | 11 / 122 | |
| 8.4.3 | 11 / 122 | |
| 8.4.2 | 11 / 122 | |
| 8.4.1 | 11 / 122 | |
| 8.4.0 | 11 / 122 | |
| 8.3.7 | 13 / 128 | |
| 8.3.6 | 13 / 128 | |
| 8.3.5 | 13 / 128 | |
| 8.3.4 | 13 / 128 | |
| 8.3.3 | 13 / 128 | |
| 8.3.2 | 13 / 128 | |
| 8.3.1 | 13 / 128 | |
| 8.3.0 | 11 / 130 | |
| 8.2.10 | 11 / 126 | |
| 8.2.9 | 11 / 126 | |
| 8.2.8 | 11 / 126 | |
| 8.2.7 | 11 / 126 | |
| 8.2.6 | 11 / 126 | |
| 8.2.5 | 11 / 126 | |
| 8.2.4 | 11 / 126 | |
v8.6.14: 1 finding
INFO (provenance): No provenance attestation
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.