We release patches for fixing security vulnerabilities, primarily focusing on the latest release only.

In the event of a high-risk vulnerability, we may backport the security fixes to the minor versions of the software, starting from the latest minor version up to the latest major release. The decision to backport security fixes to older versions will be made based on a risk assessment and the feasibility of implementing the patch in those versions.

To report a vulnerability, you can reach out to the maintainers directly on X or Bluesky, or file a security advisory.

When we fix a critical security issue, we will post a security advisory on GitHub and/or npm, describe the change in the release notes, and also notify the community through appropriate means.

GitHub provides the option for you to privately report a vulnerability through a security advisory. These provide a secure and private channel between the reporter and the Storybook core team to discuss and address a security vulnerability.

Please do not open security advisories solely to report vulnerabilities in downstream dependencies unless they pose a realistic security risk to Storybook users.

Storybook depends on many packages, both directly and indirectly. A vulnerability in one of these dependencies does not automatically imply that Storybook is vulnerable, exploitable, or usable for malicious purposes. Security reports should clearly explain how the vulnerability can be exploited through Storybook itself. Reports that only cite a dependency advisory, without demonstrating impact in Storybook, are unlikely to be actionable. For example, a weak random hash generator is not a security issue if Storybook only uses it to generate non sensitive HTML element identifiers.

If a security patch is available for a downstream dependency and upgrading it meaningfully improves Storybook’s security posture, please open a bug report or pull request instead of a security advisory.