fix(deps): update dependency firebase-tools to v13.6.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
firebase-tools	13.0.3 -> 13.6.0

GitHub Vulnerability Alerts

CVE-2024-4128

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.

---

Firebase vulnerable to CRSF attack

CVE-2024-4128 / GHSA-rcm2-22f3-pqv3 / GO-2024-2808

More information

Details

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.

Severity

• CVSS Score: 2.6 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-4128
• https://github.com/firebase/firebase-tools/pull/6944
• https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0
• https://github.com/firebase/firebase-tools

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

firebase/firebase-tools (firebase-tools)

v13.6.0

Compare Source

• Released Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a reset endpoint for Datastore Mode.
• Released PubSub Emulator 0.8.2. This version includes support for no_wrapper options.
• Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains. (#​6895)
• Fixes issue where GOOGLE_CLOUD_QUOTA_PROJECT breaks functions source uploads (#​6917)

v13.5.2

Compare Source

• Fix hosting rewrite deployment bug for skipped functions (#​6658).

v13.5.1

Compare Source

• Release Emulator Suite UI v1.11.8 which adds support for Multiple DBs in the Emulator UI Firestore page via editing the URL. (#​6874)

v13.5.0

Compare Source

• Enable dynamic debugger port for functions + support for inspecting multiple codebases (#​6854)
• Inject an environment variable in the node functions emulator to tell the google-gax SDK not to look for the metadata service. (#​6860)
• Release Firestore Emulator 1.19.3 which fixes ancestor and namespace scope queries for Datastore Mode. This release also fixes internal errors seen across REST API and firebase-js-sdk.
• v2 scheduled functions with explicit service accounts trigger eventarc to use that service account (#​6858)
• v2 event functions with explicit service accounts trigger eventarc to use that service account (#​6859)

v13.4.1

Compare Source

• Released Firestore emulator v1.19.2, which fixes some bugs affecting client SDKs when in Datastore Mode.
• Fix demo projects + web frameworks with emulators (#​6737)
• Fix Next.js static routes with server actions (#​6664)
• Fixed an issue where GOOGLE_CLOUD_QUOTA_PROJECT was not correctly respected. (#​6801)
• Make VPC egress settings in functions parameterizeable (#​6843)

v13.4.0

Compare Source

• Added new commands for managing Firestore backups and restoring databases. (#​6778)
• Fixed quota attribution for Firebase Auth API calls. (#​6819)

v13.3.1

Compare Source

• Release Cloud Firestore emulator v1.19.1:
  • Adds support for Datastore Mode to the Firstore Emulator. Adds
    --database-mode flag to gcloud emulator firestore start command. Note
    that this is a preview feature and if you find any bugs, please file them
    here: https://github.com/firebase/firebase-tools/issues.
• Improve FAH onboarding flow to connect backends with SCMs (#​6764).
• Fixed issue where GitHub actions would fail due to lack of permission. (#​6791)

v13.3.0

Compare Source

• Improved detection for when login has expired due to Google Cloud Session Control. (#​1846)
• Added support for Python 3.12. (#​6679)
• Fixed issues with internal utilities. (#​6754)
• Fixed an issue where firestore:delete wouldn't target the emulator when expected. (#​6537)

v13.2.1

Compare Source

• Fixed an issue where appdistribution:distribute would always attempt to run tests. (#​6749)

v13.2.0

Compare Source

• Added rudimentary email enumeration protection for auth emulator. (#​6702)

v13.1.0

Compare Source

• Point v2 function target to entrypoint. (#​6698)
• Fixed issue where Auth emulator sign in with Google only shows default tenant. (#​6683)
• Prevent the use of pinTags + minInstances on the same function, as the features are not mutually compatible (#​6684)
• Added force flag to delete backend (#​6635).
• Use framework build target in Vite builds (#​6643).
• Use framework build target in NODE_ENV for production Vite builds (#​6644)
• Let framework handle public directory with emulator. (#​6674)
• Dynamically import Vite to fix deprecated CJS build warning. (#​6660)
• Fixed unsafe array spreads on Hosting deploys. (#​6712)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
faucet	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 4, 2024 0:44am

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@google-cloud/cloud-sql-connector@1.3.0	None	0	200 kB	google-wombot
npm/@google-cloud/precise-date@4.0.0	None	0	55.1 kB	google-wombot
npm/@google-cloud/pubsub@4.4.1	environment	0	4.18 MB	google-wombot
npm/@googleapis/sqladmin@16.1.0	None	0	1.3 MB	google-wombot
npm/@opentelemetry/semantic-conventions@1.21.0	None	0	595 kB	pichlermarc
npm/deep-equal-in-any-order@2.0.6	None	0	6.32 kB	oprogramador
npm/discontinuous-range@1.0.0	None	0	11 kB	dtudury
npm/firebase-tools@13.10.2	Transitive: environment, filesystem, network, shell	+13	523 kB
npm/fuzzy@0.1.3	None	0	13.8 kB	mattyork
npm/get-stdin@=8.0.0	None	0	4.71 kB	sindresorhus
npm/googleapis-common@7.2.0	environment, filesystem, network	0	95.3 kB	google-wombot
npm/inquirer-autocomplete-prompt@2.0.1	None	0	15.9 kB	mokkabonna
npm/lodash.mapvalues@4.6.0	None	0	64.8 kB	jdalton
npm/moo@0.5.2	None	0	32.7 kB	tjvr
npm/nearley@2.20.1	Transitive: filesystem, shell	+1	138 kB	hardmath123
npm/p-throttle@5.1.0	None	0	8.7 kB	sindresorhus
npm/pg-cloudflare@1.1.1	None	0	19.3 kB	brianc
npm/pg-connection-string@2.6.4	filesystem	0	9.1 kB	brianc
npm/pg-int8@1.0.1	None	0	3.19 kB	charmander
npm/pg-pool@3.6.2	None	0	69.8 kB	brianc
npm/pg-protocol@1.6.1	None	0	188 kB	brianc
npm/pg-types@2.2.0	None	0	35.3 kB	bendrucker
npm/pg@8.11.5	environment, network	0	77.4 kB	brianc
npm/pgpass@1.0.5	environment, filesystem	0	10.3 kB	hoegaarden
npm/postgres-array@2.0.0	None	0	4.9 kB	bendrucker
npm/postgres-bytea@1.0.0	None	0	3.06 kB	bendrucker
npm/postgres-date@1.0.7	None	0	5.92 kB	bendrucker
npm/postgres-interval@1.2.0	None	0	6.73 kB	bendrucker
npm/railroad-diagrams@1.0.0	None	0	52 kB	dundalek
npm/randexp@0.4.6	None	0	12.3 kB	fent
npm/ret@0.1.15	None	0	17.9 kB	fent
npm/sort-any@2.0.0	None	0	9.77 kB	oprogramador
npm/split2@4.2.0	None	0	17.4 kB	matteo.collina
npm/sql-formatter@15.3.1	None	0	3.05 MB	nene
npm/url-template@2.0.8	None	0	65.5 kB	bramstein

🚮 Removed packages: npm/@babel/helper-string-parser@7.23.4, npm/@babel/parser@7.23.6, npm/@babel/types@7.23.6, npm/@google-cloud/precise-date@3.0.1, npm/@google-cloud/pubsub@3.7.5, npm/@jsdoc/salty@0.2.8, npm/@opentelemetry/semantic-conventions@1.3.1, npm/@types/duplexify@3.6.4, npm/@types/glob@8.1.0, npm/@types/linkify-it@5.0.0, npm/@types/markdown-it@14.1.1, npm/@types/mdurl@2.0.0, npm/@types/minimatch@5.1.2, npm/@types/rimraf@3.0.2, npm/catharsis@0.9.0, npm/entities@4.5.0, npm/escodegen@1.14.3, npm/fast-text-encoding@1.0.6, npm/firebase-tools@13.0.3, npm/google-p12-pem@4.0.1, npm/js2xmlparser@4.0.2, npm/jsdoc@4.0.3, npm/klaw@3.0.0, npm/linkify-it@5.0.0, npm/markdown-it-anchor@8.6.7, npm/markdown-it@14.1.0, npm/mdurl@2.0.0, npm/protobufjs-cli@1.1.1, npm/requizzle@0.2.4, npm/to-fast-properties@2.0.0, npm/uc.micro@2.1.0, npm/uglify-js@3.17.4, npm/underscore@1.13.6, npm/xmlcreate@2.0.4

View full report↗︎