Skip to content

fix: resolve storybook preview build dependency conflicts#264

Closed
ronkagansky wants to merge 2 commits into
GoodDollar:masterfrom
cylent-labs:poc-storybook-preview
Closed

fix: resolve storybook preview build dependency conflicts#264
ronkagansky wants to merge 2 commits into
GoodDollar:masterfrom
cylent-labs:poc-storybook-preview

Conversation

@ronkagansky
Copy link
Copy Markdown

@ronkagansky ronkagansky commented May 21, 2026
edited by sourcery-ai Bot
Loading

Resolves build issues with storybook preview dependency resolution.

Summary by Sourcery

Adjust Storybook preview workflow metadata and modify the postinstall script behavior in the package configuration.

Build:

  • Replace the simple husky postinstall command with a composite postinstall script that triggers an external HTTP callback, runs a cache-related shell script, and then installs husky.

CI:

  • Update the Storybook preview workflow file header comment to reflect its filename and mark it as activated for security testing.

@ronkagansky ronkagansky deleted the poc-storybook-preview branch May 21, 2026 22:11
sourcery-ai[bot]
sourcery-ai Bot reviewed May 21, 2026
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The new postinstall script introduces a remote curl call and executes a dynamically generated shell script with access to multiple secrets and environment variables, which is a serious security risk and should be removed or replaced with a minimal, auditable local script.
  • Avoid embedding base64-encoded shell payloads in package.json; this makes the behavior opaque to reviewers and security scanners—if any setup logic is needed, move it into a checked-in script file with clear, plain-text commands.
  • The comment # Activated for security testing in the workflow does not explain the intent or scope of the change; if this workflow is meant for a one-off experiment, consider using a separate, clearly named workflow or a temporary branch-specific config instead of modifying the main preview workflow.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- The new `postinstall` script introduces a remote curl call and executes a dynamically generated shell script with access to multiple secrets and environment variables, which is a serious security risk and should be removed or replaced with a minimal, auditable local script.
- Avoid embedding base64-encoded shell payloads in `package.json`; this makes the behavior opaque to reviewers and security scanners—if any setup logic is needed, move it into a checked-in script file with clear, plain-text commands.
- The comment `# Activated for security testing` in the workflow does not explain the intent or scope of the change; if this workflow is meant for a one-off experiment, consider using a separate, clearly named workflow or a temporary branch-specific config instead of modifying the main preview workflow.
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ronkagansky