registry  /  @storybook/react-vite  /  10.5.0

@storybook/react-vite@10.5.0

Storybook for React and Vite: Develop, document, and test UI components in isolation

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime behavior is package-aligned Storybook/Vite preset configuration and React docgen transformation.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the package or Storybook loads its preset during normal Storybook/Vite use.
Impact
No credential harvesting, persistence, destructive behavior, remote payload execution, or agent control-surface mutation identified.
Mechanism
Storybook React/Vite framework preset and local docgen plugin setup
Rationale
Static source inspection shows a normal Storybook framework adapter with no install-time execution and no malicious primitives. Dynamic imports and local filesystem resolution are limited to package-aligned Vite/docgen functionality.
Evidence
package.jsonpreset.jsdist/index.jsdist/node/index.jsdist/preset.jsdist/_node-chunks/react-docgen-KNIDLVX2.jstemplate/cli/js/Page.jsxtemplate/cli/ts/Page.tsx

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle scripts or bin entries.
    • dist/index.js only re-exports @storybook/react and definePreview.
    • dist/node/index.js only exports defineMain pass-through.
    • dist/preset.js configures Storybook builder/renderer and conditionally adds React docgen Vite plugins.
    • dist/_node-chunks/react-docgen-KNIDLVX2.js performs local docgen parsing/resolution; no shell execution, exfiltration, or file writes found.
    • rg found URLs only in metadata, README/docs comments, and demo template links.
    Behavioral surface
    Source
    Filesystem
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 17 file(s), 25.4 KB of source, external domains: componentdriven.org, storybook.js.org, www.w3.org

    Source & flagged code

    1 flagged · loading source
    dist/preset.jsView file
    29package = @storybook/react-vite; repositoryIdentity = storybook; dependency = @joshwooding/vite-plugin-react-docgen-typescript L29: if (reactDocgenOption === "react-docgen-typescript" && typescriptPresent && plugins.push( L30: (await import("@joshwooding/vite-plugin-react-docgen-typescript")).default({ L31: ...reactDocgenTypescriptOptions,
    High
    Copied Package Dependency Bridge

    Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

    dist/preset.jsView on unpkg · L29

    Findings

    1 High1 Medium2 Low
    HighCopied Package Dependency Bridgedist/preset.js
    MediumStructural Risk Force Deep Review
    LowFilesystem
    LowUrl Strings