chore(deps): upgrade Storybook to v10 and fix security advisories

[sriramveeraghanta]

Description

Dependency maintenance PR with two main goals:

1. Upgrade Storybook to the latest stable (v10.4.6)

The catalog was previously split-brained — storybook was on 9.1.19 while several @storybook/* addons had already been bumped to 10.4.6, which forced packages/propel to hardcode its storybook version and left two copies in the lockfile. This PR fully aligns the upgrade:

• storybook + all core @storybook/* packages are now lockstep on 10.4.6 in the catalog: block.
• Independently-versioned addons bumped to their 10.x-compatible releases: @storybook/addon-designs → 11.1.3, @storybook/addon-styling-webpack → 3.0.2, @storybook/addon-webpack5-compiler-swc → 4.0.3, @chromatic-com/storybook → 5.2.1.
• Removed packages discontinued after Storybook 8 (@storybook/addon-essentials, @storybook/addon-interactions, @storybook/blocks, @storybook/test); their features are now built into core. Added @storybook/addon-docs to packages/ui to preserve the Docs tab that addon-essentials used to provide.
• Fixed both .storybook/main.ts files: Storybook 10 loads them as native ESM, so the require.resolve-based getAbsolutePath helper now uses createRequire(import.meta.url).
• Reverted packages/propel's hardcoded "storybook": "10.4.6" back to "catalog:".

2. Fix open security advisories

• undici 7.24.0 → 7.28.0 (resolves 7 advisories incl. high-severity GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj, GHSA-vxpw-j846-p89q). It was pinned to the exact vulnerable version in overrides:.
• @opentelemetry/core / resources / sdk-trace-base → 2.8.0 (GHSA-8988-4f7v-96qf). Bumped as a lockstep trio because the siblings pin core to an exact version.

This PR also carries dependency bumps that were already pending on the branch (vite 8, postcss, babel, markdown-it, ws, form-data, plus the new minimumReleaseAgeExclude block), since the regenerated pnpm-lock.yaml can't be cleanly split.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• Feature (non-breaking change which adds functionality)
• Improvement (change that would cause existing functionality to not work as expected)
• Code refactoring
• Performance improvements
• Documentation update

Screenshots and Media (if applicable)

Test Scenarios

• pnpm install resolves cleanly; pnpm peers check reports no new storybook/chromatic peer issues.
• pnpm audit → No known vulnerabilities found.
• pnpm --filter @plane/propel build-storybook → builds successfully (react-vite).
• pnpm --filter @plane/ui build-storybook → builds successfully (react-webpack5). Note: requires the generated packages/ui/styles/output.css (run the package's postcss script first).
• Run pnpm --filter @plane/propel storybook / pnpm --filter @plane/ui storybook and confirm stories and the Docs tab render.
• Lockfile verification: single storybook@10.4.6 copy, undici@7.28.0, @opentelemetry/*@2.8.0, and zero discontinued @storybook/* packages remaining.

References

• Security advisories: GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj, GHSA-vxpw-j846-p89q, GHSA-pr7r-676h-xcf6, GHSA-p88m-4jfj-68fv, GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7m (undici); GHSA-8988-4f7v-96qf (@opentelemetry/core)
• Resolves the Dependabot alerts reported on the default branch.

[coderabbitai]

📝 Walkthrough

Walkthrough

Storybook is upgraded from v9 to v10.4.6 across the workspace catalog. Both Storybook config files gain ESM-compatible require via createRequire(import.meta.url). In the packages/ui package, @storybook/addon-essentials is replaced with @storybook/addon-docs, and several related dev dependencies are removed. Workspace overrides for Babel, security-related packages, and OpenTelemetry are also updated.

Changes

Storybook v10 Upgrade and ESM Compatibility

Layer / File(s)	Summary
Workspace catalog version bumps pnpm-workspace.yaml	Bumps catalog pins: @chromatic-com/storybook to 5.2.1, all @storybook/* packages to 10.4.6 (addon-designs to 11.1.3), storybook to 10.4.6, postcss to 8.5.15, and vite to 8.0.16.
Dependency overrides and release-age exclusions pnpm-workspace.yaml	Updates overrides for Babel (7.29.7), markdown-it, undici, postcss, tmp, ws@7/ws@8, form-data, and three @opentelemetry/* packages; adds minimumReleaseAgeExclude for all Storybook v10 packages.
ESM require fix and addon swap packages/propel/.storybook/main.ts, packages/ui/.storybook/main.ts, packages/ui/package.json	Both Storybook configs add createRequire(import.meta.url) for ESM-safe path resolution; packages/ui config and package.json swap @storybook/addon-essentials for @storybook/addon-docs and drop addon-interactions, @storybook/blocks, and @storybook/test.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• makeplane/plane#9153: Also modifies pnpm-workspace.yaml catalog and overrides to adjust Storybook-related package versions.

Suggested reviewers

• Palanikannan1437
• prateekshourya29

Poem

🐰 Hop, hop! Storybook ten has arrived,
With createRequire the ESM survived.
Addon-docs in, essentials out the door,
Overrides patched — the workspace wants more.
A catalog bump, a version dance,
The rabbit grins and takes a chance! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main changes: upgrading Storybook to v10 and fixing security advisories, which are the two primary objectives of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description comprehensively addresses all required template sections with detailed explanations of changes, type of change selections, comprehensive test scenarios, and security advisory references.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/storybook-v10-and-security-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}