Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade firebase-admin from 11.3.0 to 12.2.0 #564

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade firebase-admin from 11.3.0 to 12.2.0 #564

wants to merge 1 commit into from
+1,067 −1,422

Conversation

aravindvnair99
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade firebase-admin from 11.3.0 to 12.2.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 15 versions ahead of your current version.

  • The recommended version was released on a month ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Infinite loop
SNYK-JS-MARKDOWNIT-6483324		 292 Proof of Concept
high severity Internal Property Tampering
SNYK-JS-TAFFYDB-2992450		 292 Proof of Concept
medium severity Uncontrolled Resource Consumption
SNYK-JS-GRPCGRPCJS-7242922		 292 No Known Exploit
medium severity Resource Exhaustion
SNYK-JS-JOSE-6419224		 292 No Known Exploit
medium severity Improper Authentication
SNYK-JS-JSONWEBTOKEN-3180022		 292 No Known Exploit
medium severity Improper Restriction of Security Token Assignment
SNYK-JS-JSONWEBTOKEN-3180024		 292 No Known Exploit
medium severity Use of a Broken or Risky Cryptographic Algorithm
SNYK-JS-JSONWEBTOKEN-3180026		 292 No Known Exploit
low severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WORDWRAP-3149973		 292 Proof of Concept
Release notes
Package name: firebase-admin
  • 12.2.0 - 2024-06-20

    Breaking Changes

    • change: Deprecate Node.js 16 support (#2574)

    Bug Fixes

    • fix: Replace farmhash with farmhash-modern (#2603)
    • fix: Make ADC + human account work with firebase-admin (#2553)
    • fix: Use optional chaining in FirebaseError (#2581)

    Miscellaneous

    • [chore] Release 12.2.0 (#2605)
    • build(deps): bump uuid from 9.0.1 to 10.0.0 (#2599)
    • build(deps-dev): bump chai-exclude from 2.1.0 to 2.1.1 (#2593)
    • build(deps-dev): bump braces from 3.0.2 to 3.0.3 (#2595)
    • build(deps): bump @ grpc/grpc-js from 1.10.8 to 1.10.9 (#2592)
    • build(deps-dev): bump @ types/lodash from 4.17.4 to 4.17.5 (#2594)
    • build(deps): bump @ google-cloud/firestore from 7.7.0 to 7.8.0 (#2583)
    • build(deps): bump @ types/node from 20.12.12 to 20.14.0 (#2585)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.34 to 0.2.35 (#2575)
    • build(deps-dev): bump chai-as-promised from 7.1.1 to 7.1.2 (#2578)
    • build(deps): bump @ google-cloud/storage from 7.11.0 to 7.11.1 (#2579)
  • 12.1.1 - 2024-05-21

    Bug Fixes

    • fix: Export error classes (#2151)

    Miscellaneous

    • [chore] Release 12.1.1 (#2561)
    • build(deps): updgrade jwks-rsa (#2570)
    • --- (#2568)
    • --- (#2566)
    • --- (#2567)
    • --- (#2569)
    • build(deps-dev): bump @ firebase/auth-types from 0.12.1 to 0.12.2 (#2556)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.43.2 to 7.43.7 (#2559)
    • chore: upgrade firestore to 7.7.0 (#2560)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.32 to 0.2.33 (#2555)
    • build(deps): bump @ google-cloud/firestore from 7.6.0 to 7.7.0 (#2558)
    • Fix api extractor issues to expose error types (#2549)
    • build(deps-dev): bump @ types/lodash from 4.17.0 to 4.17.1 (#2546)
    • build(deps): bump @ google-cloud/storage from 7.10.2 to 7.11.0 (#2547)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.43.1 to 7.43.2 (#2545)
    • build(deps): bump @ types/node from 20.12.7 to 20.12.10 (#2544)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.31 to 0.2.32 (#2540)
    • build(deps): bump @ google-cloud/storage from 7.10.1 to 7.10.2 (#2541)
    • build(deps): bump @ google-cloud/storage from 7.10.0 to 7.10.1 (#2536)
    • Update package.json to use farmhash 3.3.1 (#2534)
  • 12.1.0 - 2024-04-16

    New Features

    • feat(rc): Add server side Remote Config support (#2529)

    Miscellaneous

    • [chore] Release 12.1.0 (#2532)
    • Fix minor typo (#2533)
    • chore: Excluding certain event_types from processing uid (#2370)
    • build(deps-dev): bump gulp from 4.0.2 to 5.0.0 (#2526)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.29 to 0.2.30 (#2527)
    • build(deps): bump @ google-cloud/firestore from 7.5.0 to 7.6.0 (#2528)
    • build(deps): bump undici in /.github/actions/send-email (#2521)
    • build(deps-dev): bump @ firebase/auth-types from 0.12.0 to 0.12.1 (#2514)
    • build(deps-dev): bump mocha from 10.3.0 to 10.4.0 (#2513)
    • build(deps): bump @ types/node from 20.11.30 to 20.12.2 (#2516)
    • build(deps): bump @ google-cloud/firestore from 7.4.0 to 7.5.0 (#2517)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.28 to 0.2.29 (#2510)
    • build(deps): bump @ google-cloud/storage from 7.7.0 to 7.9.0 (#2509)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.42.3 to 7.43.0 (#2511)
    • build(deps): bump @ types/node from 20.11.24 to 20.11.30 (#2508)
    • [chore] Fixed links to rtdb api docs (#2501)
    • issue 2467: add async to send each loop to prevent local validation from throwing in an unknown state (#2469)
    • build(deps): bump @ fastify/busboy from 2.1.0 to 2.1.1 (#2491)
    • build(deps): bump follow-redirects in /.github/actions/send-email (#2497)
    • build(deps): bump @ google-cloud/firestore from 7.3.0 to 7.4.0 (#2499)
    • build(deps): bump jose from 4.15.4 to 4.15.5 (#2489)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.42.0 to 7.42.3 (#2485)
    • build(deps): bump @ types/node from 20.11.19 to 20.11.24 (#2484)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.27 to 0.2.28 (#2483)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.40.3 to 7.42.0 (#2480)
    • build(deps-dev): bump eslint from 8.56.0 to 8.57.0 (#2473)
    • build(deps-dev): bump nock from 13.5.3 to 13.5.4 (#2475)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.40.1 to 7.40.3 (#2465)
    • build(deps-dev): bump nock from 13.5.1 to 13.5.3 (#2463)
    • build(deps): bump @ types/node from 20.11.17 to 20.11.19 (#2464)
    • build(deps): bump undici in /.github/actions/send-email (#2459)
    • build(deps): bump @ types/node from 20.11.5 to 20.11.17 (#2455)
    • build(deps-dev): bump mocha from 10.2.0 to 10.3.0 (#2454)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.39.4 to 7.40.1 (#2452)
    • [chore] Update Github action workflows to fix node version and set-output deprecation warnings (#2431)
    • [chore] Bump mailgun.js to v10.1.0 (#2451)
    • build(deps): bump @ google-cloud/firestore from 7.1.0 to 7.3.0 (#2446)
    • build(deps-dev): bump @ types/uuid from 9.0.7 to 9.0.8 (#2445)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.25 to 0.2.27 (#2443)
    • build(deps-dev): bump @ types/sinon from 17.0.2 to 17.0.3 (#2442)
    • [chore] Bump @ actions/core to ^1.10.1 to remove set-output warning and set action to use Node 20 (#2432)
    • build(deps-dev): bump ts-node from 10.9.1 to 10.9.2 (#2435)
    • build(deps-dev): bump @ firebase/api-documenter from 0.3.0 to 0.4.0 (#2433)
    • build(deps-dev): bump nock from 13.4.0 to 13.5.1 (#2434)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.39.0 to 7.39.4 (#2436)
    • build(deps-dev): bump eslint from 8.55.0 to 8.56.0 (#2422)
    • build(deps-dev): bump chai from 4.3.10 to 4.4.1 (#2424)
    • build(deps): bump @ types/node from 20.10.6 to 20.11.5 (#2428)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.38.4 to 7.39.0 (#2416)
    • build(deps): bump @ fastify/busboy from 1.2.1 to 2.1.0 (#2406)
    • build(deps): bump @ types/node from 20.10.3 to 20.10.6 (#2417)
    • chore: Update Firebase integration test project setup instructions. (#2395)
  • 12.0.0 - 2023-12-07

    • Breaking change: Upgraded the @ google-cloud/firestore package to v7. This is a breaking change. Refer to the Cloud Firestore release notes for more details.

    • Breaking change: Upgraded the @ google-cloud/storage package to v7. This is a breaking change. Refer to the Cloud Storage release notes for more details.

    • Breaking change: Upgraded TypeScript to v5.1.6.

    • Deprecated support for Node.js 14. Instead use Node.js 16 or higher when deploying the Admin SDK. Node.js 14 support will be dropped in the next major version.

    • Upgraded the google-cloud/firestore dependency to v7.1.0 to support sum() and `average() aggregation functions.

    • Upgraded the @ firebase/database-compat package to v1.

    • Dropped AutoML model support (#1974)

    Bug Fixes

    • fix(firestore): Export new aggregate types (#2396)

    Miscellaneous

    • [chore] Release 12.0.0 (#2404)
    • chore: Deprecate Node.js 14 (#2397)
    • build(deps): Bump typescript, database-compat (#2403)
    • build(deps-dev): bump @ types/firebase-token-generator (#2399)
    • build(deps-dev): bump sinon and @ types/sinon (#2398)
    • build(deps-dev): bump @ types/mocha from 10.0.1 to 10.0.6 (#2400)
    • build(deps-dev): bump @ types/minimist from 1.2.2 to 1.2.5 (#2389)
    • build(deps-dev): bump @ types/request from 2.48.8 to 2.48.12 (#2390)
    • chore(deps): bump google-cloud/firestore and google-cloud/storage
  • 11.11.1 - 2023-11-23

    Miscellaneous

    • [chore] Release 11.11.1 (#2387)
    • build(deps): bump jwks-rsa from 3.0.1 to 3.1.0 (#2381)
    • chore(deps): bump google-cloud/firestore to 6.8.0 (#2385)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.36.3 to 7.38.3 (#2380)
    • build(deps-dev): bump @ types/sinon-chai from 3.2.9 to 3.2.12 (#2366)
    • build(deps-dev): bump @ babel/traverse from 7.21.4 to 7.23.2 (#2343)
    • build(deps-dev): bump eslint from 8.50.0 to 8.51.0 (#2330)
    • build(deps-dev): bump @ types/firebase-token-generator (#2322)
    • Bug Fix for issue #2320 (#2321)
  • 11.11.0 - 2023-09-28

    New Features

    • feat(auth): Add Email Privacy support in Project and Tenant config (#2198)

    Miscellaneous

    • [chore] Release 11.11.0 (#2315)
    • build(deps-dev): bump @ types/lodash from 4.14.197 to 4.14.199 (#2309)
    • build(deps-dev): bump eslint from 8.47.0 to 8.50.0 (#2311)
    • Update github.ref value in release.yml (#2313)
    • build(deps-dev): bump nock from 13.3.2 to 13.3.3 (#2288)
    • build(deps-dev): bump bcrypt from 5.1.0 to 5.1.1 (#2289)
    • build(deps-dev): bump eslint from 8.43.0 to 8.47.0 (#2279)
    • build(deps-dev): bump @ types/lodash from 4.14.195 to 4.14.197 (#2280)
    • build(deps-dev): bump @ typescript-eslint/eslint-plugin (#2282)
    • build(deps-dev): bump nock from 13.3.1 to 13.3.2 (#2270)
    • build(deps-dev): bump @ firebase/auth-compat from 0.4.3 to 0.4.4 (#2273)
    • build(deps-dev): bump @ typescript-eslint/parser from 5.59.9 to 5.62.0 (#2264)
    • build(deps): bump @ google-cloud/firestore from 6.6.1 to 6.7.0 (#2265)
    • build(deps-dev): bump @ types/uuid from 9.0.1 to 9.0.2 (#2267)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.13 to 0.2.15 (#2263)
    • build(deps): bump @ google-cloud/storage from 6.11.0 to 6.12.0 (#2253)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.36.1 to 7.36.3 (#2261)
    • build(deps): bump word-wrap from 1.2.3 to 1.2.4 (#2256)
    • build(deps): bump @ types/node from 20.3.2 to 20.4.2 (#2255)
    • build(deps-dev): bump @ firebase/auth-compat from 0.4.2 to 0.4.3 (#2252)
  • 11.10.1 - 2023-07-13

    Miscellaneous

    • [chore] Release 11.10.1 (#2248)
    • Revert "chore: upgrade databse-compat (

@snyk-bot
feat: upgrade firebase-admin from 11.3.0 to 12.2.0
0aa6e71 
Snyk has created this PR to upgrade firebase-admin from 11.3.0 to 12.2.0.

See this package in npm:
firebase-admin

See this project in Snyk:
https://app.snyk.io/org/aravindvnair99-github-marketplace/project/3e229b24-b2de-4c21-9d58-eebf425f44fc?utm_source=github&utm_medium=referral&page=upgrade-pr
@guardrails GuardRails
Copy link

guardrails bot commented Jul 21, 2024

⚠️ We detected 7 security issues in this pull request:

Insecure File Management (1)
Severity Details Docs
High Title: Path Traversal from user input

Spot-the-Hole/functions/index.js

Line 562 in 0aa6e71

path.join(os.tmpdir(), path.basename(req.files.file[0].fieldname)),
📚

More info on how to fix Insecure File Management in JavaScript.

Insecure Use of Crypto (1)
Severity Details Docs
Medium Title: Insecure use of random generator

Spot-the-Hole/functions/index.js

Line 204 in 0aa6e71

result += characters.charAt(Math.floor(Math.random() * charactersLength));
📚

More info on how to fix Insecure Use of Crypto in JavaScript.

Vulnerable Libraries (5)
Severity Details
Critical pkg:npm/@tensorflow/tfjs-node@3.14.0 upgrade to: > 3.14.0
N/A pkg:npm/ejs@3.1.7 upgrade to: 3.1.10
Medium pkg:npm/axios@0.25.0 upgrade to: 1.6.0
High pkg:npm/busboy@0.3.1 upgrade to: > 0.3.1
High pkg:npm/firebase-functions@4.2.1 upgrade to: > 4.2.1

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Jul 21, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@aravindvnair99 @snyk-bot