by Etheryte 834 days ago
Storybook is great and all, but these days nearly every Dependabot alert I get is about a sub-dependency of Storybook. Since Dependabot doesn't currently allow you to ignore dev dependencies and only check production dependencies [0], this makes Storybook a Big Noise Generator and every time I dismiss another alert from it, I can't help but wonder if there's a better option out there.

[0] https://github.com/dependabot/dependabot-core/issues/2521

4 comments

I wonder if renovatebot [0] supports this?

[0] https://github.com/renovatebot/renovate

Looks like it does – you can add a rule to set the enabled option to false for all devDependencies. It’s the third example in the docs for the enabled option:

https://docs.renovatebot.com/configuration-options/#enabled

Thanks - I was looking in the wrong place in the docs.

It’s also extremely bloated. The Storybook-related dependencies were slowing down our builds significantly. We have done additional Storybook plugins, but making Storybook an optional dependency reduced the build server’s node_modules size by 1GB!

> this makes Storybook a Big Noise Generator

This sounds familiar, but, on a positive note, I take this as a reminder to update all my project's dependencies. Dependabot alerts typically start popping up a month or two since the last update, by which time a dozen direct dependencies usually have a newer version.

Exactly why we ditched it. Our compliance doesn't even allow vulnerabilities in the dev tools, so we can't ignore them.

If you are a React shop, give https://ladle.dev/ a try, much more lightweight.