registry  /  @storybook/react  /  10.5.0

@storybook/react@10.5.0

Storybook React renderer

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior is aligned with Storybook React rendering and docgen: resolving modules and reading user project source/config files to extract component metadata.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports @storybook/react or Storybook loads its preset/docgen provider.
Impact
Project source files may be read locally for documented Storybook functionality; no exfiltration or install-time mutation found.
Mechanism
React renderer and documentation metadata extraction
Rationale
The suspicious primitives are package-aligned docgen/module-resolution behavior and metadata URLs, with no lifecycle hook, network exfiltration, credential access, persistence, or AI-agent control mutation. Static source inspection supports a clean verdict.
Evidence
package.jsonpreset.jspreview.jsdist/index.jsdist/preset.jsdist/docgen/docgen-worker.jsdist/_node-chunks/chunk-4XOAZREN.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/preset.js reads project component/story files and tsconfig for docgen when Storybook presets run.
  • dist/preset.js dynamically imports typescript and react-docgen-typescript for optional docgen paths.
Evidence against
  • package.json has no preinstall/install/postinstall scripts or bin entry.
  • preset.js and preview.js only re-export dist entrypoints.
  • dist/index.js sets STORYBOOK_ENV and exports React Storybook composition/render helpers.
  • dist/docgen/docgen-worker.js builds docgen payloads from Storybook story entries; no exfiltration or persistence found.
  • rg found no package-owned fetch/XMLHttpRequest/child_process execution; network URLs are metadata/docs links.
  • No AI-agent control-surface writes, destructive actions, credential harvesting, or broad filesystem mutation found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
Manifest
GitDependency
scanned 34 file(s), 1.37 MB of source, external domains: bugzilla.mozilla.org, componentdriven.org, github.com, react-docgen.dev, storybook.js.org, www.w3.org

Source & flagged code

1 flagged · loading source
dist/preset.jsView file
259package = @storybook/react; repositoryIdentity = storybook; dependency = react-docgen-typescript L259: try { L260: let { withCompilerOptions } = (await import("react-docgen-typescript")).default, defaultOptions = { L261: [redacted]: !0,
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/preset.jsView on unpkg · L259

Findings

1 High3 Medium3 Low
HighCopied Package Dependency Bridgedist/preset.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumGit Dependency
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings