
Hotfix: Backport host/origin validation to requests and websocket connections #34003

Merged: ghengeveld merged 7 commits into v9 from origin-validation-v9 on Mar 5, 2026

Conversation


@ghengeveld ghengeveld commented Mar 4, 2026

What I did

This is a backport of #33835 for Storybook v9.1.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

  • Run npx ngrok http 6006
  • Verify that the ngrok URL serves an Invalid host error
  • Update .storybook/main.ts to set core.allowedHosts to include the ngrok hostname (no protocol), then restart Storybook
  • Verify that the ngrok URL serves Storybook properly, and it works

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This pull request has been released as version 0.0.0-pr-34003-sha-5f27e882. Try it out in a new sandbox by running npx storybook@0.0.0-pr-34003-sha-5f27e882 sandbox or in an existing project with npx storybook@0.0.0-pr-34003-sha-5f27e882 upgrade.

More information
Published version 0.0.0-pr-34003-sha-5f27e882
Triggered by @ghengeveld
Repository storybookjs/storybook
Branch origin-validation-v9
Commit 5f27e882
Datetime Wed Mar 4 10:23:03 UTC 2026 (1772619783)
Workflow run 22665164930

To request a new release of this pull request, mention the @storybookjs/core team.

core team members can create a new canary release here or locally with gh workflow run --repo storybookjs/storybook publish.yml --field pr=34003

Summary by CodeRabbit

  • New Features

    • Host validation for the dev server with a new allowedHosts configuration and startup display of allowed hosts.
  • Behavior Change

    • Host handling now follows configured allowedHosts behavior; previous permissive warning removed.
  • Tests

    • Extensive tests added for host validation, token/channel access, and related edge cases.
  • Documentation / Chores

    • Updated release workflow and added release entry for 9.1.20.
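The `.storybook/main.ts` change the manual-testing steps ask for, written out as an added example rather than the PR's own file. The framework, the story glob and the tunnel hostname are constructed placeholders; `core.allowedHosts` is the option this PR introduces, and the two accepted shapes (a hostname list, or `true` to accept every host) follow the walkthrough and the sequence diagram rather than a published type signature.

```typescript
// .storybook/main.ts (added example; framework, story glob and hostname are placeholders)
const config = {
  framework: '@storybook/react-vite',
  stories: ['../src/**/*.stories.@(ts|tsx)'],
  core: {
    // Bare hostnames only: no scheme, no port. The addresses the dev server
    // itself binds (localhost and the machine's network address) are accepted
    // without being listed here; any other Host header gets a 403 "Invalid host".
    allowedHosts: ['a1b2c3.ngrok.example'],

    // allowedHosts: true,
    // Accepts every Host header, i.e. switches the check off. Reserve it for
    // throwaway sandboxes; it reopens the hole this hotfix closes.
  },
};

export default config;
```

Entries are bare hostnames, as the manual-testing step notes (no protocol): a browser never puts the scheme into the Host header, so a value such as `https://a1b2c3.ngrok.example` would never match and the tunnel would keep serving the "Invalid host" page. Restart Storybook after editing the file; the dev server reads `core` options at startup and prints the resulting allowed-host list.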

@ghengeveld ghengeveld requested a review from yannbf March 4, 2026 09:49
@ghengeveld ghengeveld self-assigned this Mar 4, 2026
@ghengeveld ghengeveld added maintenance User-facing maintenance tasks ci:daily Run the CI jobs that normally run in the daily job. labels Mar 4, 2026

coderabbitai Bot commented Mar 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between c00dba6 and 046ce4d.

📒 Files selected for processing (3)
  • .github/workflows/publish.md
  • code/core/src/core-server/utils/output-startup-information.ts
  • code/core/src/types/modules/core-common.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • code/core/src/types/modules/core-common.ts
  • .github/workflows/publish.md
  • code/core/src/core-server/utils/output-startup-information.ts

📝 Walkthrough

Walkthrough

Adds host validation utilities and middleware, propagates allowedHosts/localAddress/networkAddress through dev and Vite servers, updates ServerChannel upgrade/token/origin validation to use an options object, extends core types, adds tests, and surfaces allowedHosts in startup output and package metadata.

Changes

Cohort / File(s) Summary
Host validation utils & middleware
code/core/src/core-server/utils/getHostValidationMiddleware.ts
New module: HostValidationOptions, isValidHost, DEFAULT_ALLOWED_HOSTS, and getHostValidationMiddleware using host-validation-middleware plus local/network address logic.
Dev server & build integration
code/core/src/core-server/dev-server.ts, code/core/src/core-server/build-dev.ts, code/builders/builder-vite/src/vite-server.ts
Retrieve allowedHosts from presets; inject into Vite config; apply host validation middleware early in server pipeline; adjust 0.0.0.0 handling and related warnings/logging.
ServerChannel & WebSocket upgrade
code/core/src/core-server/utils/get-server-channel.ts
Change ServerChannelTransport constructor to accept options (token + host/allowedHosts/localAddress/networkAddress); perform origin/host validation during WebSocket upgrade; write 403 and close socket on failure.
Types & public interfaces
code/core/src/types/modules/core-common.ts
Add `allowedHosts?: string[]
Startup output & server init
code/core/src/core-server/utils/output-startup-information.ts, code/core/src/core-server/utils/server-init.ts
outputStartupInformation now accepts allowedHosts and prints readable allowed-hosts info; getServer annotated to return `Promise<http.Server
Token validation
code/core/src/core-server/utils/validate-token.ts
Rename parameter to requestToken and use Uint8Array(Buffer.from(...)) for timing-safe comparisons.
Tests
code/core/src/core-server/utils/__tests__/getHostValidationMiddleware.test.ts, code/core/src/core-server/utils/__tests__/server-channel.test.ts, code/core/src/core-server/utils/__tests__/validate-token.test.ts
Add/extend tests covering host validation permutations, ServerChannelTransport origin/token/upgrade behavior, and token validation edge cases.
Dependencies & manifests
code/core/package.json, code/package.json, CHANGELOG.md
Add host-validation-middleware dependency; bump deferredNextVersion to 9.1.20; add CHANGELOG entry for 9.1.20.
Docs / workflows
.github/workflows/publish.md
Revise publish workflow to a more version-driven hotfix/patch process with explicit canary steps.
Misc / gitignore
.gitignore
Removed exception re-including /node_modules, so node_modules remains ignored by default.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant HostValidation as Host Validation<br/>Middleware
    participant DevServer as Dev Server
    participant ViteServer as Vite Server

    Client->>HostValidation: HTTP request (Host header)
    alt allowedHosts === true
        HostValidation->>DevServer: next()
        DevServer->>ViteServer: forward request
        ViteServer->>Client: 200 OK
    else isValidHost(host, options) == true
        HostValidation->>DevServer: next()
        DevServer->>ViteServer: forward request
        ViteServer->>Client: 200 OK
    else Invalid Host
        HostValidation->>Client: 403 Forbidden ("Invalid host")
    end
sequenceDiagram
    participant Client
    participant DevServer as Dev Server
    participant ServerChannel as ServerChannelTransport
    participant HostValidation as Host Validation

    Client->>DevServer: WebSocket Upgrade (Host, Origin, path, token)
    DevServer->>ServerChannel: trigger upgrade handler
    ServerChannel->>HostValidation: validate origin/host via isValidHost()
    alt token valid & origin allowed
        HostValidation->>ServerChannel: valid
        ServerChannel->>Client: 101 Switching Protocols (upgrade)
    else token invalid or origin invalid
        HostValidation->>ServerChannel: invalid
        ServerChannel->>Client: 403 Forbidden (write & destroy)
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

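The first sequence diagram and the getHostValidationMiddleware.ts summary above describe a Host-header gate; the following is an added, self-contained version of that pattern, not Storybook's code. The exported names follow the file summary, but the option shape, the default allow-list, the exact-match semantics and the sample addresses are assumptions made for this illustration. The point of the gate is that a browser on an attacker's page can be made to reach a dev server on 127.0.0.1 or on the LAN (via DNS rebinding or plain cross-origin requests); refusing any Host header the server was not told about, and closing the door before other middleware runs, is what keeps those requests from being served.

```typescript
// Added example, not Storybook's code: Host-header validation as the PR
// walkthrough describes it. Names follow the file summary; the option shape,
// default allow-list, exact-match semantics and sample addresses are assumptions.

export type HostValidationOptions = {
  /** Extra hostnames to accept; `true` disables the check (per the sequence diagram). */
  allowedHosts?: string[] | true;
  /** Address the dev server prints for itself, e.g. 'http://localhost:6006' (assumed shape). */
  localAddress?: string;
  /** LAN address, e.g. 'http://192.168.1.20:6006' (assumed shape). */
  networkAddress?: string;
};

/** Loopback names accepted without configuration (assumed default set). */
export const DEFAULT_ALLOWED_HOSTS: readonly string[] = ['localhost', '127.0.0.1', '[::1]'];

/**
 * Hostname of a Host header value, lower-cased and without the port.
 * Anything the WHATWG URL parser rejects yields null, so malformed headers
 * fail closed. A userinfo trick such as "localhost@evil.example" parses to
 * hostname "evil.example" and is rejected by the allow-list lookup.
 */
export function hostnameOfHostHeader(hostHeader: string | undefined): string | null {
  if (!hostHeader) return null;
  try {
    return new URL(`http://${hostHeader}`).hostname;
  } catch {
    return null;
  }
}

export function isValidHost(hostHeader: string | undefined, options: HostValidationOptions): boolean {
  const { allowedHosts = [], localAddress, networkAddress } = options;
  if (allowedHosts === true) return true;

  const hostname = hostnameOfHostHeader(hostHeader);
  if (hostname === null) return false;

  const allowed = new Set<string>(DEFAULT_ALLOWED_HOSTS);
  for (const address of [localAddress, networkAddress]) {
    if (!address) continue;
    try {
      allowed.add(new URL(address).hostname);
    } catch {
      // An address that does not parse widens nothing.
    }
  }
  for (const host of allowedHosts) allowed.add(host.toLowerCase());
  return allowed.has(hostname);
}

// Structural subsets of http.IncomingMessage / http.ServerResponse, so the
// middleware mounts on a real server and is also testable without one.
export type HostRequest = { headers: { host?: string } };
export type HostResponse = {
  statusCode: number;
  setHeader(name: string, value: string): void;
  end(body?: string): void;
};

/** Connect-style middleware: passes the request on or answers 403 "Invalid host". */
export function getHostValidationMiddleware(options: HostValidationOptions) {
  return (req: HostRequest, res: HostResponse, next: () => void): void => {
    if (isValidHost(req.headers.host, options)) {
      next();
      return;
    }
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Invalid host');
  };
}

/** Drive the middleware with a constructed request and report what the client would see. */
export function simulateRequest(
  hostHeader: string | undefined,
  options: HostValidationOptions,
): { status: number; body: string } {
  let passed = false;
  let body = '';
  const res: HostResponse = {
    statusCode: 200,
    setHeader: () => {},
    end: (chunk?: string) => {
      body = chunk ?? '';
    },
  };
  getHostValidationMiddleware(options)({ headers: { host: hostHeader } }, res, () => {
    passed = true;
  });
  return passed ? { status: 200, body: 'ok' } : { status: res.statusCode, body };
}

// Constructed sample: the dev server's own addresses plus one tunnel hostname.
export const sampleOptions: HostValidationOptions = {
  localAddress: 'http://localhost:6006',
  networkAddress: 'http://192.168.1.20:6006',
  allowedHosts: ['demo.ngrok.example'],
};

for (const host of ['localhost:6006', 'demo.ngrok.example', 'localhost@evil.example', 'evil.example']) {
  console.log(`${host} -> ${JSON.stringify(simulateRequest(host, sampleOptions))}`);
}
```

Two design choices worth noting. The Host value is run through the URL parser rather than split on `:`, so IPv6 literals (`[::1]:6006`) and userinfo tricks are handled by the same code path and anything unparsable is refused. And the allow-list is rebuilt from the configured addresses on every request rather than from whatever name the socket happened to bind, which is what lets `0.0.0.0` binding stay usable: the printed network address is accepted, arbitrary names that resolve to it are not.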

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (3)
code/core/src/core-server/utils/__tests__/validate-token.test.ts (1)

20-33: Replace as any casts with @ts-expect-error comments to improve type clarity.

The test cases on lines 21, 29, and 33 use as any to bypass strict type checking for invalid-argument runtime-guard tests. Use @ts-expect-error comments instead to document the intentional type violations while maintaining TypeScript strict mode compliance. This pattern is already used in other test files in the codebase (e.g., server-channel.test.ts).

♻️ Suggested change
   it('returns false for undefined token', () => {
-    expect(isValidToken(undefined as any, validToken)).toBe(false);
+    // `@ts-expect-error` testing runtime guard for invalid input
+    expect(isValidToken(undefined, validToken)).toBe(false);
   });

   it('returns false when expected token is null', () => {
-    expect(isValidToken(validToken, null as any)).toBe(false);
+    // `@ts-expect-error` testing runtime guard for invalid input
+    expect(isValidToken(validToken, null)).toBe(false);
   });

   it('returns false when expected token is undefined', () => {
-    expect(isValidToken(validToken, undefined as any)).toBe(false);
+    // `@ts-expect-error` testing runtime guard for invalid input
+    expect(isValidToken(validToken, undefined)).toBe(false);
   });
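Review bot: the replacement comment lines as shown read `// \`@ts-expect-error\` testing runtime guard for invalid input`, and TypeScript only honours the directive when `@ts-expect-error` follows the slashes directly; with the backticks in front of it the type error on `isValidToken(undefined, validToken)` is not suppressed and the test file stops compiling. Write each of the three lines as `// @ts-expect-error testing runtime guard for invalid input`. Also confirm that `isValidToken`'s parameters are typed narrowly enough for these calls to be errors at all; a `@ts-expect-error` with nothing to suppress is itself a compile error.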
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@code/core/src/core-server/utils/__tests__/validate-token.test.ts` around
lines 20 - 33, Tests calling isValidToken currently use "as any" casts to bypass
TypeScript checks; replace those casts with explicit "// `@ts-expect-error`"
comments immediately above the offending argument expressions in the three test
cases ("returns false for undefined token", "returns false when expected token
is null", "returns false when expected token is undefined") so the tests still
pass but the intentional type violations are documented; do not change the
assertions or test names, just remove the "as any" casts and add the
`@ts-expect-error` comments before the lines that pass invalid values to
isValidToken.
code/core/src/core-server/utils/__tests__/server-channel.test.ts (1)

151-154: Consolidate repeated socket and handleUpgrade mocking into beforeEach block.

socket.write, socket.destroy, and transport.socket.handleUpgrade assignments are repeated across multiple tests. Move this setup into the existing beforeEach block to reduce duplication, improve maintainability, and align with the coding guideline: "Implement mock behaviors in beforeEach blocks in Vitest tests."

Affected tests: "accepts connections with valid token" (151-154), "accepts connections with network address origin" (228-230), "accepts connections with 127.0.0.1 origin" (257-259), "rejects connections to wrong path" (286-288), and other test cases with inline socket mocking.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@code/core/src/core-server/utils/__tests__/server-channel.test.ts` around
lines 151 - 154, Move the per-test inline mocks for the socket into the test
suite's existing beforeEach: create and assign a shared mock socket object (with
jest/vitest spies for write and destroy) and set transport.socket to that mock,
and set transport.socket.handleUpgrade = handleUpgradeSpy there; update tests to
remove the repeated assignments so they rely on the prepared mock. Specifically,
centralize creation of the mock socket, the handleUpgradeSpy, and assignments to
transport.socket.handleUpgrade, socket.write, and socket.destroy in the
beforeEach that runs before tests referencing transport.socket (so tests like
"accepts connections with valid token", "accepts connections with network
address origin", "accepts connections with 127.0.0.1 origin", "rejects
connections to wrong path" use the shared mocks), ensuring each test can still
override behavior when needed.
code/core/src/core-server/utils/get-server-channel.ts (1)

16-18: Make localAddress required in ServerChannelTransportOptions for safer URL parsing.

new URL(request.url, options.localAddress) on line 36 will throw if localAddress is undefined and a relative URL is provided. Since localAddress is currently optional via HostValidationOptions, requiring it prevents runtime errors.

Proposed type hardening
-type ServerChannelTransportOptions = HostValidationOptions & {
+type ServerChannelTransportOptions = Omit<HostValidationOptions, 'localAddress'> & {
   token: string;
+  localAddress: string;
 };
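Review bot: the `Omit` wrapper is not needed for the hardening this proposes. Intersecting `HostValidationOptions` with `{ localAddress: string }` already yields a required `localAddress: string`, because a property that is required in any constituent of an intersection is required in the result, so `HostValidationOptions & { token: string; localAddress: string }` achieves the same with a smaller diff. Either way, the change only moves the failure to compile time: the caller that constructs `ServerChannelTransport` in the dev server must actually pass `localAddress`, and the `new URL(request.url, options.localAddress)` call on line 36 should still be wrapped so a malformed upgrade URL answers 403 rather than throwing inside the upgrade handler.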
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@code/core/src/core-server/utils/get-server-channel.ts` around lines 16 - 18,
ServerChannelTransportOptions currently inherits an optional localAddress from
HostValidationOptions which can cause new URL(request.url, options.localAddress)
to throw when request.url is relative; change ServerChannelTransportOptions to
require localAddress (e.g. override HostValidationOptions by declaring
localAddress: string) so callers must supply it, update the type alias
ServerChannelTransportOptions and any call-sites that construct options to pass
a valid localAddress before calling new URL(request.url, options.localAddress).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@code/core/src/core-server/build-dev.ts`:
- Around line 143-156: The warning uses allowedHosts captured from the initial
presets.apply('core', {}) call which can differ from the final runtime presets
used by storybookDevServer; update the logic in build-dev.ts to re-fetch or read
core.allowedHosts from the final preset pass (the same presets used by
storybookDevServer) immediately before the host === '0.0.0.0' check so the
message reflects runtime enforcement, i.e., replace or refresh the earlier
allowedHosts value obtained from presets.apply('core', {}) with the final preset
result before emitting the logger.warn that references allowedHosts.

In `@code/core/src/types/modules/core-common.ts`:
- Around line 47-50: The comment for the allowedHosts option is stale: update
the documentation for the allowedHosts property (in core-common.ts) to state
that hostname validation applies to both WebSocket connections and HTTP
Host-header validation middleware, and clarify semantics for values (e.g., `[]`
to disallow all non-local hosts, `true` to allow all hosts, or a list of allowed
hostnames) so the doc matches the implemented behavior.


ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 20887f1 and 5f27e88.

⛔ Files ignored due to path filters (1)
  • code/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (14)
  • .gitignore
  • code/builders/builder-vite/src/vite-server.ts
  • code/core/package.json
  • code/core/src/core-server/build-dev.ts
  • code/core/src/core-server/dev-server.ts
  • code/core/src/core-server/utils/__tests__/getHostValidationMiddleware.test.ts
  • code/core/src/core-server/utils/__tests__/server-channel.test.ts
  • code/core/src/core-server/utils/__tests__/validate-token.test.ts
  • code/core/src/core-server/utils/get-server-channel.ts
  • code/core/src/core-server/utils/getHostValidationMiddleware.ts
  • code/core/src/core-server/utils/output-startup-information.ts
  • code/core/src/core-server/utils/server-init.ts
  • code/core/src/core-server/utils/validate-token.ts
  • code/core/src/types/modules/core-common.ts
💤 Files with no reviewable changes (1)
  • .gitignore

storybook-app-bot Bot commented Mar 4, 2026

Package Benchmarks

Commit: 046ce4d, ran on 5 March 2026 at 14:17:23 UTC

The following packages have significant changes to their size or dependencies (values shown as before → after):

| Package | Dependency count | Self size | Dependency size |
|---|---|---|---|
| @storybook/addon-a11y | 0 → 2 | 0 B → 515 KB | 0 B → 2.98 MB |
| @storybook/addon-docs | 0 → 12 | 0 B → 2.43 MB | 0 B → 9.74 MB |
| @storybook/addon-links | 0 → 1 | 0 B → 20 KB | 0 B → 5 KB |
| @storybook/addon-onboarding | 0 → 0 | 0 B → 228 KB | 0 B → 646 B |
| storybook-addon-pseudo-states | 0 → 0 | 0 B → 47 KB | 0 B → 665 B |
| @storybook/addon-themes | 0 → 1 | 0 B → 21 KB | 0 B → 28 KB |
| @storybook/addon-vitest | 0 → 6 | 0 B → 556 KB | 0 B → 1.53 MB |
| @storybook/builder-vite | 0 → 5 | 0 B → 449 KB | 0 B → 838 KB |
| @storybook/builder-webpack5 | 0 → 197 | 0 B → 81 KB | 0 B → 32.28 MB |
| storybook | 0 → 50 | 0 B → 36.67 MB | 0 B → 16.65 MB |
| @storybook/angular | 0 → 198 | 0 B → 192 KB | 0 B → 30.56 MB |
| @storybook/ember | 0 → 202 | 0 B → 28 KB | 0 B → 29.00 MB |
| @storybook/html-vite | 0 → 8 | 0 B → 24 KB | 0 B → 1.33 MB |
| @storybook/nextjs | 0 → 542 | 0 B → 881 KB | 0 B → 60.37 MB |
| @storybook/nextjs-vite | 0 → 130 | 0 B → 3.12 MB | 0 B → 23.08 MB |
| @storybook/preact-vite | 0 → 8 | 0 B → 14 KB | 0 B → 1.32 MB |
| @storybook/react-native-web-vite | 0 → 163 | 0 B → 32 KB | 0 B → 24.42 MB |
| @storybook/react-vite | 0 → 120 | 0 B → 32 KB | 0 B → 20.86 MB |
| @storybook/react-webpack5 | 0 → 284 | 0 B → 25 KB | 0 B → 44.74 MB |
| @storybook/server-webpack5 | 0 → 209 | 0 B → 17 KB | 0 B → 33.55 MB |
| @storybook/svelte-vite | 0 → 14 | 0 B → 54 KB | 0 B → 26.60 MB |
| @storybook/sveltekit | 0 → 15 | 0 B → 51 KB | 0 B → 26.65 MB |
| @storybook/vue3-vite | 0 → 105 | 0 B → 34 KB | 0 B → 43.75 MB |
| @storybook/web-components-vite | 0 → 9 | 0 B → 20 KB | 0 B → 1.36 MB |
| sb | 0 → 51 | 0 B → 1 KB | 0 B → 53.32 MB |
| @storybook/cli | 0 → 220 | 0 B → 598 KB | 0 B → 98.77 MB |
| @storybook/codemod | 0 → 189 | 0 B → 31 KB | 0 B → 82.59 MB |
| @storybook/core-webpack | 0 → 1 | 0 B → 16 KB | 0 B → 28 KB |
| create-storybook | 0 → 1 | 0 B → 12.76 MB | 0 B → 99 KB |
| @storybook/csf-plugin | 0 → 3 | 0 B → 11 KB | 0 B → 800 KB |
| eslint-plugin-storybook | 0 → 20 | 0 B → 333 KB | 0 B → 3.50 MB |
| @storybook/react-dom-shim | 0 → 0 | 0 B → 10 KB | 0 B → 774 B |
| @storybook/preset-create-react-app | 0 → 68 | 0 B → 18 KB | 0 B → 6.00 MB |
| @storybook/preset-react-webpack | 0 → 174 | 0 B → 24 KB | 0 B → 31.46 MB |
| @storybook/preset-server-webpack | 0 → 10 | 0 B → 10 KB | 0 B → 1.20 MB |
| @storybook/html | 0 → 2 | 0 B → 38 KB | 0 B → 32 KB |
| @storybook/preact | 0 → 2 | 0 B → 23 KB | 0 B → 32 KB |
| @storybook/react | 0 → 2 | 0 B → 1.66 MB | 0 B → 16 KB |
| @storybook/server | 0 → 3 | 0 B → 13 KB | 0 B → 716 KB |
| @storybook/svelte | 0 → 2 | 0 B → 64 KB | 0 B → 230 KB |
| @storybook/vue3 | 0 → 3 | 0 B → 83 KB | 0 B → 213 KB |
| @storybook/web-components | 0 → 3 | 0 B → 57 KB | 0 B → 47 KB |

…ss and add detailed steps for canary release testing
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish.md:
- Line 20: Replace the typo "GitHuB" with the correct "GitHub" in the release
instruction text (the string "Observe the generated release in GitHuB releases
page..."); update the displayed string so it reads "Observe the generated
release in GitHub releases page..." to fix the documentation spelling error.

In `@CHANGELOG.md`:
- Line 3: Update the CHANGELOG entry that currently reads "Add request
validation" to explicitly state that the release adds both HTTP host validation
and WebSocket origin validation (e.g., replace that single-line note with a
brief sentence like "Add request validation: enforce HTTP Host header validation
and WebSocket Origin validation to fix security issue"), so the update clearly
communicates the full behavior change; locate the line containing the exact text
"Add request validation" and replace it with the clarified wording.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 5f27e88 and c00dba6.

📒 Files selected for processing (3)
  • .github/workflows/publish.md
  • CHANGELOG.md
  • code/package.json

@ghengeveld ghengeveld merged commit 9f4bd71 into v9 Mar 5, 2026
85 of 92 checks passed
@ghengeveld ghengeveld deleted the origin-validation-v9 branch March 5, 2026 21:13
