Storybook versions 7-10 contain a vulnerability where environment variables from .env files could be unexpectedly bundled into published builds, potentially exposing secrets. The issue affects projects that build Storybook with .env files present and publish to the web. Patches are available for versions 7.6.21+, 8.6.15+, 9.1.17+, and 10.1.10+. Users should rotate any exposed secrets and upgrade immediately before publishing again.
Sort: