chore(deps): update dependency storybook to v8.6.17 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
storybook (source)	8.3.5 → 8.6.17

GitHub Vulnerability Alerts

CVE-2025-68429

On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks.

The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. If those variables contained secrets, they should be considered compromised.

Who is impacted?

For a project to be vulnerable to this issue, it must:

• Build the Storybook (i.e. run storybook build directly or indirectly) in a directory that contains a .env file (including variants like .env.local)
• The .env file contains sensitive secrets
• Use Storybook version 7.0.0 or above
• Publish the built Storybook to the web

Storybooks built without a .env file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than .env files.

Users' Storybook runtime environments (i.e. storybook dev) are not affected. Deployed applications that share a repo with a project's Storybook are not affected.

Storybook 6 and below are not affected.

Recommended actions

First, Storybook recommends that everyone audit for any sensitive secrets provided via .env files and rotate those keys.

Second, Storybook has released patched versions of all affected major Storybook versions that no longer have this vulnerability. Projects should upgrade their Storybook—on both local machines and CI environments—to one of these versions before publishing again.

• 10.1.10+
• 9.1.17+
• 8.6.15+
• 7.6.21+

Finally, some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, it can either prefix the variables with STORYBOOK_ or use the env property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.

Further information

Details of the vulnerability can be found on the Storybook announcement.

CVE-2026-27148

Summary

The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.

Details

Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.

If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.

The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).

Note: recent versions of Chrome have some protections against this, but Firefox does not.

Impact

This vulnerability can lead to supply chain compromise. Key risks include:

• Remote Code Execution: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.
• Persistent XSS: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.
• Supply Chain Propagation: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.

Affected versions

8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.

Recommended actions

Update to one of the patched versions: 7.6.23, 8.6.17, 9.1.19, 10.2.10.

---

Release Notes

storybookjs/storybook (storybook)

v8.6.17

Compare Source

8.6.17

• Harden websocket connection

v8.6.16

Compare Source

8.6.16

• No-op release. No changes.

v8.6.15

Compare Source

• Core: Fix .env-file parsing, thanks @​jreinhold!

v8.6.14

Compare Source

• CLI: Add skip onboarding, recommended/minimal config - #​30930, thanks @​shilman!
• Core: Fix using dates in expect statements - #​28413, thanks @​yann-combarnous!
• React Native Web: Fix expo router by setting JSX to automatic - #​31484, thanks @​dannyhw!
• Test: Make sure that lit arrays are not cloned - #​31435, thanks @​kasperpeulen!

v8.6.13

Compare Source

• Controls: Fix boxShadow on empty controls - #​27193, thanks @​H0onnn!
• React Native Web: Update react-native-web - #​31324, thanks @​ndelangen!

v8.6.12

Compare Source

• CLI: Only install Visual Test Addon if test feature is selected - #​30966, thanks @​ghengeveld!
• Core: Fix telemetry error on Storybook UI - #​30953, thanks @​yannbf!
• Ember: Fix ember-template-compiler import for ember 6+ - #​30682, thanks @​leoeuclids!
• Next: Update vite-plugin-storybook-nextjs to 2.0.0--canary.33.17a2310.0 - #​30997, thanks @​kasperpeulen!
• Svelte: Exclude node_modules from docgen - #​30981, thanks @​JReinhold!

v8.6.11

Compare Source

• Angular: Fix zone.js support for Angular libraries - #​30941, thanks @​valentinpalkovic!

v8.6.10

Compare Source

• Addon-docs: Fix non-string handling in Stories block - #​30913, thanks @​JamesIves!
• Nextjs: Fix styled-jsx optimize vite warnings - #​30932, thanks @​kasperpeulen!
• React: Fix actImplementation is not a function - #​30929, thanks @​kasperpeulen!

v8.6.9

Compare Source

• Next: Fix react aliases in next vite plugin - #​30914, thanks @​kasperpeulen!

v8.6.8

Compare Source

• Angular: Export all files in Angular package.json - #​30849, thanks @​kasperpeulen!
• CLI: Don't add packageManager entry to package.json automatically - #​30855, thanks @​kasperpeulen!
• React: Allow portable stories to be used in SSR - #​30847, thanks @​kasperpeulen!
• Svelte: Adjust Svelte typings to include Svelte 5 function components - #​30852, thanks @​dummdidumm!
• Telemetry: Make sure that telemetry doesn't fail on init - #​30857, thanks @​kasperpeulen!
• Vite: Update HMR filter to target specific story file types - #​30845, thanks @​kasperpeulen!

v8.6.7

Compare Source

• React-Native-Web: Fix errors in CLI template stories - #​30821, thanks @​dannyhw!

v8.6.6

Compare Source

• Angular: Make sure that polyfills are loaded before the storybook is loaded - #​30811, thanks @​kasperpeulen!
• CSF: Fix CSF subcomponent type - #​30729, thanks @​filipemelo2002!

v8.6.5

Compare Source

• Addon A11y: Promote @​storybook/global to full dependency - #​30723, thanks @​mrginglymus!
• Angular: Add @angular-devkit/build-angular to installed packages - #​30790, thanks @​kasperpeulen!
• CLI: Fix test install in RNW projects - #​30786, thanks @​shilman!
• Core: Replace 'min' instead of 'm' in printDuration - #​30668, thanks @​wlewis-formative!
• Next.js: Use latest version when init in empty directory - #​30659, thanks @​valentinpalkovic!
• Svelte: Fix Vite crashing on virtual module imports - #​26838, thanks @​rChaoz!
• Svelte: Fix automatic argTypes inference coming up empty with svelte2tsx@0.7.35 - #​30784, thanks @​JReinhold!
• Universal Store: Don't use crypto.randomUUID - #​30781, thanks @​JReinhold!

v8.6.4

Compare Source

• Manager: Add Content-Type to fix Cloud IDEs - #​30606, thanks @​GCHQDeveloper548!
• Vite: Include node_modules in stats file - #​30711, thanks @​JReinhold!

v8.6.3

Compare Source

• CSF Factories: Align addon-essentials import with other addons - #​30716, thanks @​kasperpeulen!
• Next: Support Next 15.2 - #​30702, thanks @​kasperpeulen!

v8.6.2

Compare Source

• Core: Support TS3.8+ again - #​30700, thanks @​kasperpeulen!
• Revert "CLI: Don't initially select Documentation and Testing features" - #​30694, thanks @​shilman!

v8.6.1

Compare Source

• CLI: Add skip onboarding, recommended/minimal config - #​30930, thanks @​shilman!
• Core: Fix using dates in expect statements - #​28413, thanks @​yann-combarnous!
• React Native Web: Fix expo router by setting JSX to automatic - #​31484, thanks @​dannyhw!
• Test: Make sure that lit arrays are not cloned - #​31435, thanks @​kasperpeulen!

v8.6.0

Compare Source

The 8.6 release focuses on Storybook Test, which brings realtime component, accessibility, and visual UI tests to your favorite component workshop.

Here’s what’s new:

• 🎁 Storybook Test installer for out-of-the-box tests in new projects
• 🦾 Accessibility “todo” workflow to systematically fix a11y violations
• 🗜️ 80% smaller create-storybook package for much faster installs
• 🧪 Dozens of Test fixes based on user feedback
• 📕 Docs fixes for table of contents, code snippets, and more
• 🚨 Key security fixes for Vite and ESbuild
• 💯 Hundreds more improvements

List of all updates

• Addon A11y: Introduce parameters.a11y.test - #​30516, thanks @​valentinpalkovic!
• Addon-A11y: Fix preset loading when loaded via getAbsolutePath - #​30563, thanks @​valentinpalkovic!
• Addon-Docs: Change URL hash when TOC item is clicked, and fix TOC loading bugs - #​30130, thanks @​Sidnioulz!
• Addon-docs: Consider custom code snippet in story code panel and update styles - #​30179, thanks @​larsrickert!
• Addon-Test: Add telemetry data for Focused Tests - #​30568, thanks @​JReinhold!
• Addon-Test: Fix config and watch mode inconsistencies - #​30491, thanks @​JReinhold!
• Addon-Test: Fix console error in build mode - #​30625, thanks @​JReinhold!
• Addon-Test: Make sure that only one global portable story config is ever loaded - #​30582, thanks @​kasperpeulen!
• Angular: Fix accent character issue - #​30276, thanks @​valentinpalkovic!
• Angular: Support experimental zoneless mode - #​28657, thanks @​anedomansky!
• Angular: Support v19.2 when @​angular/animations is not installed - #​30611, thanks @​valentinpalkovic!
• Builder-Vite: Fix resolve id warning - #​30511, thanks @​valentinpalkovic!
• Builder-Vite: Fix runtime and iframe 404 on first load - #​30567, thanks @​valentinpalkovic!
• Bun: Add support for text lock file - #​30160, thanks @​Arctomachine!
• Cleanup: Remove unused constants in viewport addon - #​30479, thanks @​Guria!
• CLI: Don't initially select Documentation and Testing features - #​30599, thanks @​ghengeveld!
• CLI: Fix peer dep issues for npm users during upgrade - #​30616, thanks @​valentinpalkovic!
• CLI: Fix printing of selected features - #​30605, thanks @​ghengeveld!
• CLI: Make telemetry data an object - #​30581, thanks @​ndelangen!
• CLI: Prompt users for RN vs RNW on init - #​30635, thanks @​shilman!
• CLI: Reimplement features prompt logic to handle --yes and fix --features - #​30534, thanks @​ghengeveld!
• CLI: Remove Storybook dependencies before adding re-adding them - #​30600, thanks @​valentinpalkovic!
• CLI: Use correct storybook internals import in automigration - #​30290, thanks @​yannbf!
• Codemod: Always get real path of files - #​30650, thanks @​yannbf!
• Codemod: Handle addon essentials differently in csf factories - #​30649, thanks @​yannbf!
• Codemod: Migrate meta.args to meta.input.args in csf factories - #​30641, thanks @​yannbf!
• Codemod: Use real path from symbolic links - #​30642, thanks @​yannbf!
• Core: Add UniversalStore API to sync state/events between multiple environments - #​30445, thanks @​JReinhold!
• Core: Add connection timeout notification - #​30288, thanks @​valentinpalkovic!
• Core: Allow empty render functions in CSF factories - #​30565, thanks @​kasperpeulen!
• Core: Always place cache dir inside node_modules - #​30643, thanks @​ndelangen!
• Core: Don't set process.env.NODE_ENV and process.env.DEV - #​30651, thanks @​valentinpalkovic!
• Core: Fix addon essentials preview preset - #​30647, thanks @​yannbf!
• Core: Fix extracting import path when it's not a core addon - #​30640, thanks @​yannbf!
• Core: Fix invalid Websocket termination - #​30408, thanks @​valentinpalkovic!
• Core: Fix statically serving single files and multiple dirs on the same endpoint - #​30467, thanks @​JReinhold!
• Core: Fix undeclared internal dependencies - #​30566, thanks @​kasperpeulen!
• Core: Improve type compatibility with React 19 - #​30031, thanks @​mrginglymus!
• Core: Move CSF to monorepo - #​30488, thanks @​kasperpeulen!
• Csf Tools: Allow ConfigFile to create more import syntaxes - #​30204, thanks @​yannbf!
• CSF: Add support for CSF factories - #​30197, thanks @​kasperpeulen!
• Essentials: Fix addon-essentials not working when used with getAbsolutePath - #​30557, thanks @​JReinhold!
• Manager: Escape single quotes in dynamic import paths in wrapManagerEntries function - #​30278, thanks @​valentinpalkovic!
• Manager: Fix escaping of single quotes in dynamic import paths - #​30278, thanks @​valentinpalkovic!
• Manager: Fix panel reactivity - #​30638, thanks @​valentinpalkovic!
• React: Fix incorrect import in preview.ts - #​30542, thanks @​mrginglymus!
• Svelte: Fix conflicting variable names and support for +page.svelte files - #​30369, thanks @​xeho91!
• Test addon: Only update vitest.config.ts with workspaces, otherwise create vitest.workspace.ts - #​30583, thanks @​ghengeveld!

v8.5.8

Compare Source

• Core: Support esbuild@^0.25 - #​30574, thanks @​JReinhold!

v8.5.7

Compare Source

• Tags: Add story/meta usage telemetry - #​30555, thanks @​shilman!
• Telemetry: Don't count example stories towards CSF feature stats - #​30561, thanks @​shilman!
• Vite: Fix not stripping all HMR boundaries - #​30562, thanks @​JReinhold!

v8.5.6

Compare Source

• Builder-Vite: Fix defaulting to allowing all hosts - #​30523, thanks @​JReinhold!
• UI: Fix tags sort for browser back-compat - #​30547, thanks @​shilman!

v8.5.5

Compare Source

• Builder-Vite: Fix Turbosnap - #​30522, thanks @​valentinpalkovic!

v8.5.4

Compare Source

• Addon A11y: Make Vitest Axe optional - #​30442, thanks @​valentinpalkovic!
• Builder-Vite: Fix allowedHosts handling for custom hosts - #​30432, thanks @​JSMike!
• Builder-Vite: Fix resolve id warning - #​30511, thanks @​valentinpalkovic!
• React: Update react-docgen-typescript to fix CI hanging issues - #​30422, thanks @​yannbf!

v8.5.3

Compare Source

• Preview: Add globals to extract() - #​30415, thanks @​ndelangen!
• Vite: Fix add component UI invalidation - #​30438, thanks @​shilman!

v8.5.2

Compare Source

• Addon Test: Support Vitest 3 browser.test.instances field - #​30309, thanks @​valentinpalkovic!
• CLI: Corrected Next.js createScript for pnpm. - #​30304, thanks @​zhyd1997!

v8.5.1

Compare Source

• Addon Test: Replace interaction test -> component test - #​30333, thanks @​kylegach!
• Addon Test: Support Vitest 3 browser.test.instances field - #​30309, thanks @​valentinpalkovic!
• Manager: Fix escaping of single quotes in dynamic import paths - #​30278, thanks @​valentinpalkovic!
• RNW-Vite: Support requires for images/fonts - #​30305, thanks @​dannyhw!

v8.5.0

Compare Source

Storybook 8.5 is packed with powerful features to enhance your development workflow. This release makes it easier than ever to build accessible, well-tested UIs. Here’s what’s new:

• 🦾 Realtime accessibility tests to help build UIs for everybody
• 🛡️ Project code coverage to measure the completeness of your tests
• 🎯 Focused tests for faster test feedback
• ⚛️ React Native Web Vite framework (experimental) for testing mobile UI⚛️
• 🎁 Storybook test early access program to level up your testing game
• 💯 Hundreds more improvements

List of all updates

• Addon A11y: Add conditional rendering for a11y violation number in Testing Module - #​30073, thanks @​valentinpalkovic!
• Addon A11y: Add typesVersions support for TypeScript definitions in a11y package - #​30005, thanks @​valentinpalkovic!
• Addon A11y: Adjust default behaviour when using with experimental-addon-test - #​30162, thanks @​valentinpalkovic!
• Addon A11y: Change default element selector - #​30253, thanks @​valentinpalkovic!
• Addon A11y: Create a11y test provider and revamp a11y addon - #​29643, thanks @​valentinpalkovic!
• Addon A11y: Don't set a11y tag as comment in automigrations - #​30257, thanks @​valentinpalkovic!
• Addon A11y: Fix skipped status handling in Testing Module - #​30077, thanks @​valentinpalkovic!
• Addon A11y: Refactor environment variable handling for Vitest integration - #​30022, thanks @​valentinpalkovic!
• Addon A11y: Remove warnings API - #​30049, thanks @​kasperpeulen!
• Addon A11y: Run the a11y automigration on postInstall - #​30004, thanks @​kasperpeulen!
• Addon A11y: Show errors of axe properly - #​30050, thanks @​kasperpeulen!
• Addon A11y: Update accessibility status handling in TestProviderRender - #​30027, thanks @​valentinpalkovic!
• Addon Docs: Dynamically import rehype - #​29544, thanks @​valentinpalkovic!
• Addon Docs: Make new code panel opt in - #​30248, thanks @​shilman!
• Addon Onboarding: Prebundle react-confetti - #​29996, thanks @​yannbf!
• Addon Test: Add @vitest/coverage-v8 during postinstall if no coverage reporter is installed - #​29993, thanks @​ghengeveld!
• Addon Test: Add prerequisite check for MSW - #​30193, thanks @​yannbf!
• Addon Test: Add support for previewHead - #​29808, thanks @​ndelangen!
• Addon Test: Add Vitest 3 support - #​30181, thanks @​valentinpalkovic!
• Addon Test: Always run Vitest in watch mode internally - #​29749, thanks @​JReinhold!
• Addon Test: Always use installed version of vitest - #​30134, thanks @​kasperpeulen!
• Addon Test: Clarify message when vitest detects missing deps - #​29763, thanks @​ndelangen!
• Addon Test: Clear coverage data when starting or watching - #​30072, thanks @​ghengeveld!
• Addon Test: Context menu UI - #​29727, thanks @​ghengeveld!
• Addon Test: Context menu updates - #​30107, thanks @​ghengeveld!
• Addon Test: Correctly stop Storybook when Vitest closes - #​30012, thanks @​JReinhold!
• Addon Test: Filter out falsy test results in TestProviderRender - #​30001, thanks @​valentinpalkovic!
• Addon Test: Fix documentation links - #​30128, thanks @​yannbf!
• Addon Test: Fix duplicate test.include patterns - #​30029, thanks @​JReinhold!
• Addon Test: Fix environment variable for Vitest Storybook integration - #​30054, thanks @​valentinpalkovic!
• Addon Test: Fix error reporting for vitest crashes - #​29751, thanks @​ndelangen!
• Addon Test: Fix generated path to vitest.setup.js - #​30233, thanks @​JReinhold!
• Addon Test: Fix indexing behavior - #​29836, thanks @​yannbf!
• Addon Test: Fix printing null% for coverage - #​30061, thanks @​ghengeveld!
• Addon Test: Fix run request while booting or restarting Vitest - #​29829, thanks @​ghengeveld!
• Addon Test: Handle undefined storyId - #​29998, thanks @​ghengeveld!
• Addon Test: Improve error message on missing coverage package - #​30088, thanks @​JReinhold!
• Addon Test: Improve support for mono-repos - #​30216, thanks @​valentinpalkovic!
• Addon Test: Make component tests status row link to the story's tests panel - #​29992, thanks @​ghengeveld!
• Addon Test: Merge viteFinal config into vitest config - #​29806, thanks @​ndelangen!
• Addon Test: Only optimize react deps if applicable in vitest-plugin - #​29617, thanks @​yannbf!
• Addon Test: Only reset story count on file change when watch mode is enabled - #​30121, thanks @​ghengeveld!
• Addon Test: Optimize internal dependencies - #​29595, thanks @​yannbf!
• Addon Test: Prompt switch to experimental-nextjs-vite - #​29814, thanks @​ndelangen!
• Addon Test: Refactor test addon to include stories automatically - #​29367, thanks @​yannbf!
• Addon Test: Remove a11y placeholder - #​29769, thanks @​JReinhold!
• Addon Test: Replace glob with tinyglobby - #​29817, thanks @​ghengeveld!
• Addon Test: Serve staticDirs with Vitest - #​29811, thanks @​ghengeveld!
• Addon Test: Show sub test provider toggle state in main testing module - #​30019, thanks @​ghengeveld!
• Addon Test: Support Storybook environment variables in Vitest - #​29792, thanks @​ghengeveld!
• Addon Test: Use correct vitest config file path - #​30135, thanks @​kasperpeulen!
• Addon Test: Use local storybook binary instead - #​30021, thanks @​kasperpeulen!
• Addon Test: Use ProgressSpinner for stop button in Testing Module - #​29997, thanks @​ghengeveld!
• Addon Test: Wait for 2 seconds before showing result mismatch warning - #​30002, thanks @​ghengeveld!
• Addon Test: Wrap sub-paths exported with require.resolve - #​30026, thanks @​ndelangen!
• Addon Themes: Deprecate useThemeParameters - #​30111, thanks @​yannbf!
• Angular: Support statsJson in angular schemas - #​29233, thanks @​yannbf!
• Automigration: Improve addon-a11y-addon-test - #​30127, thanks @​valentinpalkovic!
• Automigration: Improve setup file transformation and version range handling for a11y migration - #​30060, thanks @​valentinpalkovic!
• Automigrations: Skip vite config file migration for react native web - #​30190, thanks @​dannyhw!
• Build: Downgrade to esbuild 0.24.0 - #​30116, thanks @​yannbf!
• Build: Revert Downgrade to esbuild 0.24.0 - #​30120, thanks @​yannbf!
• CLI: Fix init help for storybook command - #​29480, thanks @​toothlessdev!
• CLI: Fix new-frameworks automigration - #​29804, thanks @​yannbf!
• CLI: Re-Add Nuxt support - #​28607, thanks @​valentinpalkovic!
• CLI: Update a11y-test comment with experimental caveat - #​30258, thanks @​shilman!
• Composition: Fix composed story search - #​29453, thanks @​jsingh0026!
• Composition: Hide contextMenu on composed storybooks - #​29803, thanks @​ndelangen!
• Core / Addon Test: Add config UI to Testing Module - #​29708, thanks @​ghengeveld!
• Core / Addon Test: Support intercepting and modifying internal test provider state updates - #​29680, thanks @​ghengeveld!
• Core + Addon Test: Refactor test API and fix total test count - #​29656, thanks @​ghengeveld!
• Core: Add bun support with npm fallback - #​29267, thanks @​stephenjason89!
• Core: Avoid getting stuck in locked state - #​29768, thanks @​ghengeveld!
• Core: Disable SidebarContextMenu in static builds - #​29743, thanks @​ndelangen!
• Core: Emit deprecated TESTING_MODULE_RUN_ALL_REQUEST for backward compatibility - #​29711, thanks @​ghengeveld!
• Core: Evaluate main config when checking 'whats new' notifications - #​29622, thanks @​yannbf!
• Core: Fix ERR_PACKAGE_PATH_NOT_EXPORTED in @storybook/node-logger - #​30093, thanks @​JReinhold!
• Core: Fix scrollIntoView behavior and reimplement testing module time rendering - #​30044, thanks @​ghengeveld!
• Core: Fix bundling of React - #​30003, thanks @​yannbf!
• Core: Float context menu button on top of story titles in sidebar - #​30080, thanks @​ghengeveld!
• Core: Prevent clipping box shadow on file search modal - #​29523, thanks @​ghengeveld!
• Core: Prevent infinite rerendering caused by comparison by reference - #​30081, thanks @​ghengeveld!
• Docs: Add code snippet to addons panel - #​29253, thanks @​larsrickert!
• Interactions: Correctly load preset when absolute paths are used - #​30264, thanks @​JReinhold!
• Maintenance: Move @types/node to devDeps consistently - #​30163, thanks @​ndelangen!
• Manager API: Fix infinite render-loop caused by useSharedState - #​30259, thanks @​JReinhold!
• Manager: Add tags property to GroupEntry objects - #​29672, thanks @​Sidnioulz!
• Manager: Fix size regression - #​29660, thanks @​JReinhold!
• Manager: Optimize getPanels function with memoization - #​30192, thanks @​valentinpalkovic!
• Next.js: Fix webpack fsCache not working - #​29654, thanks @​sentience!
• Next.js: Support v15.1.1 - #​30068, thanks @​valentinpalkovic!
• Next.js: Upgrade sass-loader from ^13.2.0 to ^14.2.1 - #​29264, thanks @​HoncharenkoZhenya!
• Nextjs-Vite: Add TS docgen support - #​29824, thanks @​yannbf!
• Nextjs-Vite: Fix docgen types in main config - #​30042, thanks @​yannbf!
• Onboarding: Replace react-confetti with @neoconfetti/react - #​30098, thanks @​ndelangen!
• React Native Web: Add framework, CLI integration, sandboxes - #​29520, thanks @​shilman!
• React: Fix RSC compatibility with addon-themes and hooks - #​26243, thanks @​shilman!
• React: Force act running always in sequence - #​30191, thanks @​valentinpalkovic!
• React: Use Act wrapper in Storybook for component rendering - #​30037, thanks @​valentinpalkovic!
• ReactVite: Add @storybook/test as optional peer dependency - #​29754, thanks @​yannbf!
• RNW-Vite: Add built-in Flow support - #​29756, thanks @​dannyhw!
• RNW-Vite: Add tsconfig path aliases support - #​29953, thanks @​shilman!
• RNW-Vite: Fix flow plugin including too many things - #​29952, thanks @​dannyhw!
• RNW-Vite: Fix reanimated support with babel plugin for node_modules - #​30188, thanks @​dannyhw!
• RNW-Vite: Integrate with experimental-addon-test - #​29645, thanks @​shilman!
• Storysource Addon: Fix source-loader prettier impo

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Storybook packages version mismatch after partial upgrade

Medium Severity

The storybook package is updated to 8.6.15 (bringing @storybook/core@8.6.15) while all other @storybook/* packages remain at 8.3.5 — including @storybook/addon-essentials, @storybook/react, @storybook/react-webpack5, @storybook/blocks, @storybook/test, and @storybook/types. The new @storybook/core@8.6.15 has significant dependency changes (removed express, removed @storybook/csf, added @storybook/theming@8.6.15) that can cause runtime incompatibilities with the 8.3.5 addons, potentially breaking storybook dev and storybook build commands.

Additional Locations (1)

• package.json#L77-L86