Release the security-audit dependency PRs
Eight approved (lgtm) security-audit PRs are merged/ready but inert — they land code only. They do nothing for users until each extension is version-bumped and published. None of them touch `extension.yaml` or `CHANGELOG.md`.

Per-extension release steps (each)

- `version:` in `extension.yaml`
- `CHANGELOG.md` entry

PRs to release

- `node-fetch` → global `fetch`
- `nodemailer` `^9.0.1`
- `deep-equal` → `util.isDeepStrictEqual`, `uuid` → `crypto.randomUUID()`
- `firebase-functions` → `firebase-functions/v1`)
- `mkdirp` / `uuid` / `uuidv4` → Node builtins
- `node-fetch` → global `fetch`

Common to all: `npm audit fix` dependency bumps + remove unmaintained `rimraf` (clean script now uses native `fs.rmSync`).

Remaining (unfixed) transitive CVEs — do NOT claim full clearance in release notes

- `uuid@<11.1.1` — pinned under `firebase-admin > @google-cloud/firestore > google-gax` (and `@google-cloud/bigquery`). Needs upstream bump.
- `ts-deepmerge@<8.0.0` — devDep under `firebase-functions-test`. Test-only, breaking upstream.

Verification done at review

- `nodejs22` across the board (global `fetch` + `crypto.randomUUID()` both stable).
- `deep-equal` → `isDeepStrictEqual` shown to have no behavioral divergence vs base.
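
One way to confirm the remaining transitive `uuid` copies listed above before writing release notes, as an added example that is not part of the original issue: it walks a tree in the shape `npm ls --all --json` prints and reports every install path below the `11.1.1` floor. The sample tree, its package name and its version numbers are constructed for illustration.

```javascript
// Added example, not code from the issue. Walks a dependency tree in the
// shape printed by `npm ls --all --json` and lists every install path of a
// package whose version is below a fixed floor.

// Compare plain x.y.z versions numerically (any pre-release suffix is ignored).
function lessThan(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false; // equal versions are not "below" the floor
}

// Return [{ path, version }] for each copy of `pkg` older than `floor`.
function findBelow(tree, pkg, floor, trail = [tree.name || 'root']) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && node.version && lessThan(node.version, floor)) {
      hits.push({ path: path.join(' > '), version: node.version });
    }
    hits.push(...findBelow(node, pkg, floor, path)); // nested copies count too
  }
  return hits;
}

// Constructed sample: names and versions are illustrative, not from the issue.
const sampleTree = {
  name: 'example-extension-functions',
  dependencies: {
    'firebase-admin': { version: '0.0.0-sample', dependencies: {
      '@google-cloud/firestore': { version: '0.0.0-sample', dependencies: {
        'google-gax': { version: '0.0.0-sample', dependencies: {
          uuid: { version: '9.0.1' } } } } } } },
    '@google-cloud/bigquery': { version: '0.0.0-sample', dependencies: {
      uuid: { version: '8.3.2' } } },
    uuid: { version: '11.1.1' }, // at the floor, so not reported
  },
};

const remaining = findBelow(sampleTree, 'uuid', '11.1.1');
for (const r of remaining) console.log(`${r.version}  ${r.path}`);
```

A non-empty result for a published extension is the condition under which release notes should not claim full clearance.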