Update dependency storybook to v10.2.10 [SECURITY]

[balena-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
storybook (source)	10.1.10 → 10.2.10

---

Storybook Dev Server is Vulnerable to WebSocket Hijacking

CVE-2026-27148 / GHSA-mjf5-7g4m-gx5w

More information

Details

Summary

The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.

Details

Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.

If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.

The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).

Note: recent versions of Chrome have some protections against this, but Firefox does not.

Impact

This vulnerability can lead to supply chain compromise. Key risks include:

• Remote Code Execution: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.
• Persistent XSS: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.
• Supply Chain Propagation: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.

Affected versions

8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.

Recommended actions

Update to one of the patched versions: 7.6.23, 8.6.17, 9.1.19, 10.2.10.

Severity

• CVSS Score: 8.9 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

• https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w
• https://nvd.nist.gov/vuln/detail/CVE-2026-27148
• https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8
• https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685
• https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761
• https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876
• https://github.com/storybookjs/storybook/releases/tag/v10.2.10
• https://github.com/storybookjs/storybook/releases/tag/v7.6.23
• https://github.com/storybookjs/storybook/releases/tag/v8.6.17
• https://github.com/storybookjs/storybook/releases/tag/v9.1.19
• https://github.com/advisories/GHSA-mjf5-7g4m-gx5w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

storybookjs/storybook (storybook)

v10.2.10

Compare Source

• Core: Require token for websocket connections - #​33820, thanks @​ghengeveld!

v10.2.9

Compare Source

• Addon-Vitest: Improve config file detection in monorepos - #​33814, thanks @​valentinpalkovic!
• Builder-Vite: Update dependencies react-vite framework - #​33810, thanks @​valentinpalkovic!
• Builder-Vite: Use relative path for mocker entry in production builds - #​33792, thanks @​DukeDeSouth!
• Next.js: Fix Link component override in appDirectory configuration - #​31251, thanks @​yatishgoel!

v10.2.8

Compare Source

• Telemetry: Add Expo metaframework - #​33783, thanks @​copilot-swe-agent!
• Telemetry: Add init exit event - #​33773, thanks @​valentinpalkovic!
• Telemetry: Add share events - #​33766, thanks @​ndelangen!
• Test: Update event creation logic in user-event package - #​33787, thanks @​valentinpalkovic!

v10.2.7

Compare Source

• CSF: Fix cross-file story imports in csf-factories codemod - #​33723, thanks @​yatishgoel!
• Core: Fix rendering of View Transitions in Firefox - #​33651, thanks @​ghengeveld!
• Globals: Repair dynamicTitle: false for user-defined tools - #​33284, thanks @​ia319!
• Logger: Honor --loglevel for npmlog output - #​33776, thanks @​LouisLau-art!

v10.2.6

Compare Source

• Addon-Vitest: Skip postinstall setup when configured - #​33712, thanks @​valentinpalkovic!
• Addon-Vitest: Support vite/vitest config with deferred export - #​33755, thanks @​valentinpalkovic!
• CLI: Support addon-vitest setup when --skip-install is passed - #​33718, thanks @​valentinpalkovic!
• Manager: Update logic to use base path instead of full pathname - #​33686, thanks @​JSMike!

v10.2.5

Compare Source

• Angular: fix --loglevel options in docs and descriptions - #​33726, thanks @​theRuslan!
• Builder-Vite: Add plugin to enforce Storybook's output directory in Vite build configuration - #​33740, thanks @​valentinpalkovic!
• Core: Invalidate cache on Storybook version upgrade - #​33717, thanks @​copilot-swe-agent!

v10.2.4

Compare Source

• CSF-Factories: Fix codemod for preview files without exports - #​33673, thanks @​kasperpeulen!
• CSF: Fix false positive detection of Zod v4 .meta() as CSF Factory - #​33666, thanks @​kasperpeulen!
• CSFFactories: Add non-interactive mode and --glob flag - #​33648, thanks @​kasperpeulen!
• CSFFactories: Preserve leading comments when adding imports - #​33645, thanks @​kasperpeulen!
• Codemod: Fix csf-2-to-3 failing due to quoted filenames - #​33646, thanks @​kasperpeulen!
• Codemod: Fix glob pattern handling on Windows - #​33714, thanks @​kasperpeulen!
• Manager: Remove deprecated active prop warning in ZoomButton - #​33697, thanks @​yatishgoel!
• Next.js: Alias AppRouterContext to shared runtime to fix Link navigation - #​33419, thanks @​pallaprolus!

v10.2.3

Compare Source

• Addon-Vitest: Normalize Windows paths in addon-vitest automigration - #​33340, thanks @​tanujbhaud!
• Core: Fix previewHref when current path does not end with a slash - #​33647, thanks @​ghengeveld!

v10.2.2

Compare Source

• Addon Vitest: Support simple vite.config without defineConfig helper - #​33694, thanks @​valentinpalkovic!
• Addon-Vitest: Append Storybook project to existing test.projects array without double nesting - #​33708, thanks @​valentinpalkovic!
• Addon-Vitest: Update Vitest plugin configuration to disable requireAssertions for expect - #​33693, thanks @​valentinpalkovic!
• Composition: Handle 401 responses with loginUrl from Chromatic - #​33705, thanks @​kasperpeulen!
• Telemetry: Add agent detection - #​33675, thanks @​valentinpalkovic!

v10.2.1

Compare Source

• Maintenance: Support vite-plugin-svelte@​7 which supports Vite 8 - #​34115, thanks @​valentinpalkovic!
• Vite: Support Vite 8 - #​33788, thanks @​valentinpalkovic!

v10.2.0

Compare Source

Improved UI and story authoring ergonomics

Storybook 10.2 contains hundreds of fixes and improvement including:

• 💅 New Viewports and Zoom UI
• 🏭 Typesafe CSF factories for Vue, Angular, Web Components (preview)
• 📄 MDX support for Storybook MCP (experimental)

List of all updates

• Addon-A11y: Lock vision filter dropdown for stories with vision global - #​33599, thanks @​ghengeveld!
• Addon-Docs: Add MDX manifest generation - #​33408, thanks @​copilot-swe-agent!
• Addon-Docs: Skip !autodocs stories when computing primary story - #​32712, thanks @​ia319!
• Addon-Pseudo States: Fix stylesheet rewrite for :not() with parenthesis in inner selector - #​33491, thanks @​ghengeveld!
• Addon-Vitest: Added timeout for fetching localhost 6006 during global setup. - #​33232, thanks @​snippy4!
• Addon-Vitest: Fallback detecting vitest version in postinstall - #​33415, thanks @​ndelangen!
• Addon-Vitest: Improve error message in testing widget modal - #​33481, thanks @​yannbf!
• Addon-Vitest: Improve perf & fix loading incorrect .env file - #​33469, thanks @​ndelangen!
• CLI: Detect free port when running dev during initiate - #​33532, thanks @​ndelangen!
• CLI: Remove any return type of getAbsolutePath - #​32977, thanks @​nzws!
• CLI: Skip vitest transform for CSF Factories in a11y-addon-test automigration - #​31941, thanks @​mrginglymus!
• Codemod: Fix glob string to only match stories files - #​33592, thanks @​JReinhold!
• Controls: Allow resetting the Select control - #​33289, thanks @​Sidnioulz!
• Controls: Fix displaying as object instead of select for optional union types - #​33200, thanks @​tanujbhaud!
• Controls: Force object control JSON mode to reset - #​33330, thanks @​Sidnioulz!
• Core and Vite: Use story index as source of truth for Vite paths - #​30612, thanks @​JReinhold!
• Core: Add getStoryHrefs manager API and add hotkey for "open in isolation" - #​33416, thanks @​ghengeveld!
• Core: Add global error boundary for Manager UI - #​33211, thanks @​copilot-swe-agent!
• Core: Add support for wrapped components in component transformer - #​33578, thanks @​yannbf!
• Core: Add try-catch for cross-origin access in Storybook hooks - #​33448, thanks @​ndelangen!
• Core: Add zoom level 8 and limit manual input to 800% - #​33561, thanks @​ghengeveld!
• Core: Avoid late layout shift and improve ChecklistWidget perceived performance - #​33184, thanks @​ghengeveld!
• Core: Ensure /project.json route is up before builders serve local FS - #​33303, thanks @​Sidnioulz!
• Core: Fix react-docgen-typescript support in story creation - #​33586, thanks @​yannbf!
• Core: Fix Checklist behavior with hidden sidebar - #​33556, thanks @​ghengeveld!
• Core: Fix cwd handling for negated globs - #​33241, thanks @​ia319!
• Core: Fix Date input layout - #​33595, thanks @​ghengeveld!
• Core: Fix import statement for react-docgen-typescript - #​33589, thanks @​yannbf!
• Core: Fix input width - #​33591, thanks @​ghengeveld!
• Core: Fix manual zoom input field UX - #​33581, thanks @​ghengeveld!
• Core: Fix onboarding visual bugs, survey telemetry and modal dismissal - #​33326, thanks @​ghengeveld!
• Core: Fix play function mount detection when destructuring in the function body - #​33367, thanks @​ghengeveld!
• Core: Fix viewport args handling and reset option - #​33560, thanks @​ghengeveld!
• Core: Honor BROWSER shell scripts before xdg-open - #​33292, thanks @​robbchar!
• Core: Improve addon sanitization - #​33554, thanks @​yannbf!
• Core: Improve path handling in arg types data extraction - #​33536, thanks @​yannbf!
• Core: Improve the story generation experience - #​33259, thanks @​yannbf!
• Core: Redesign and refactor Viewports tool - #​33290, thanks @​ghengeveld!
• Core: Refactor channel initialization - #​33520, thanks @​yannbf!
• Core: Render sidebar toggle on settings pages - #​33501, thanks @​ghengeveld!
• Core: Retry writeFile cache when EBUSY error occurs - #​32981, thanks @​reduckted!
• Core: Support defineConfig when setting up ESLint plugin - #​32878, thanks @​copilot-swe-agent!
• Core: Support disabling Checklist widget through feature config - #​33430, thanks @​ghengeveld!
• Core: Track vision simulator state through globals and apply styles in preview - #​33418, thanks @​ghengeveld!
• Core: Use canonical links in sidebar and menu - #​33400, thanks @​Sidnioulz!
• Core: Viewport UX fixes - #​33557, thanks @​ghengeveld!
• Core: Zoom tool reimplementation - #​33375, thanks @​ghengeveld!
• CSF-Factories: Add CSF Factories for Vue3, Web Components, and Angular - #​33365, thanks @​kasperpeulen!
• CSF-Factories: Allow kebab-case HTML attribute names in web components args - #​33526, thanks @​kasperpeulen!
• CSF-Factories: Export WebComponentsTypes and VueTypes - #​33521, thanks @​kasperpeulen!
• CSF-Factories: Skip non-factory exports instead of throwing error - #​33550, thanks @​kasperpeulen!
• CSF: Export type to prevent type cannot be named-errors - #​33216, thanks @​unional!
• Dependencies: Bump various packages - #​33412, thanks @​ndelangen!
• Dependencies: Update baseline-browser-mapping - #​33576, thanks @​ndelangen!
• Docgen: Update extraction of React docgen - #​33598, thanks @​ndelangen!
• Docs-Blocks: Fix broken tooltip in ArgValue details - #​33264, thanks @​Sidnioulz!
• Docs: Ensure CodePanel hooks are called within component - #​33162, thanks @​mrginglymus!
• Interactions: Add disable parameter for interactions panel - #​33368, thanks @​jeevikar14!
• Interactions: Fix state reset bug when switching stories with date mocks - #​33388, thanks @​Sidnioulz!
• Manager: Ensure reset item only appears in globals toolbar when specified - #​33276, thanks @​mrginglymus!
• Manager: Fix system query parameters being overridable - #​33535, thanks @​JReinhold!
• Manifests: Add support for summaries in MDX files - #​33475, thanks @​JReinhold!
• Manifests: Refactor from componentManifestGenerator to extensible manifests preset property - #​33392, thanks @​JReinhold!
• Manifests: Support !manifest tag in preview files - #​33406, thanks @​JReinhold!
• NextJS: Import next/dist with .js-extension for ESM compat - #​33380, thanks @​yue4u!
• NextJS: Support top-level weight/style in next/font/local with string src - #​32998, thanks @​Chiman2937!
• NextJSVite: Add @opentelemetry/api to optimizeDeps - #​33577, thanks @​ndelangen!
• NextJSVite: Update vite-plugin-storybook-nextjs to v3.1.7 - #​33351, thanks @​valentinpalkovic!
• NextJSVite: Upgrade plugin - #​33538, thanks @​ndelangen!
• Onboarding: Fix navigation to first story when configure-your-project entry missing - #​33559, thanks @​copilot-swe-agent!
• Onboarding: Hide TourGuide as soon as tests start - #​33587, thanks @​ghengeveld!
• Preview: Prevent error in RN due to navigator?.clipboard - #​33219, thanks @​ndelangen!
• Preview: Treat canceled animations as finished - #​32401, thanks @​bawjensen!
• React: Use self-closing tag for code snippets - #​33342, thanks @​valentinpalkovic!
• SvelteKit: Align JS template with TS template - #​31451, thanks @​brettearle!
• Telemetry: Add packageJson.type - #​33525, thanks @​ndelangen!
• TypeScript: Fix summary undefined type issue - #​32585, thanks @​afsalshamsudeen!
• TypeScript: Improve globalTypes type-strictness - #​33313, thanks @​mrginglymus!
• TypeScript: Reduce cannot be named errors - #​33344, thanks @​icopp!
• TypeScript: Support exactOptionalPropertyTypes for public API types - #​33149, thanks @​copilot-swe-agent!
• UI: Ensure consistent right padding in TreeNode - #​33322, thanks @​Sidnioulz!
• UI: Ensure preview error displays use a readable text color - #​33580, thanks @​Sidnioulz!
• UI: Fix border color for Select picker - #​33585, thanks @​ghengeveld!
• UI: Fix empty sidebar after navigating from search - #​33590, thanks @​Sidnioulz!
• UI: Fix regression in select close handler focus - #​33470, thanks @​Sidnioulz!
• UI: Fix search highlight visibility in High Contrast Mode - #​33427, thanks @​Maelryn!
• UI: Improve landmark navigation - #​33457, thanks @​Sidnioulz!
• UI: Keep preview frame stable in overall layout - #​33447, thanks @​Sidnioulz!
• UI: Make vertical alignment of TestStatusIcon more robust - #​33305, thanks @​Sidnioulz!
• UI: Prevent primary story from duplicating anchor ID - #​33384, thanks @​Sidnioulz!
• UI: Prevent updating non-existent stories in sidebar - #​33037, thanks @​ia319!
• Upgrade: Preserve package.json indentation when upgrading - #​32280, thanks @​y-hsgw!
• Vue3: Update renderer's setup function to allow passing generic HostElement type - #​32029, thanks @​DamianGlowala!
• Webpack: Revert "disable bugfixes property in swc and babel - #​33498, thanks @​ndelangen!
• Zoom: Keyboard-shortcut for the plus key - #​33565, thanks @​ndelangen!

v10.1.11

Compare Source

• React: Fix several CSF factory bugs - #​33354, thanks @​kasperpeulen!
• UI: Fix React error 300 on some addons - #​33381, thanks @​Sidnioulz!

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[flowzone-app]

Website deployed to CF Pages, 👀 preview link https://ff19b39b.balena-design-system.pages.dev