
Out of date packages failing snyk tests #1976

Closed

Sammaye opened this issue Nov 14, 2022 · 18 comments

Comments

Sammaye commented Nov 14, 2022

V 11.2.1

I recently added this to one of my projects and instantly Snyk notified me of dependency-related CVEs; the ones it listed were:

[Screenshot of the Snyk report, 2022-11-14]

From what I can see, taffydb is not even used by the lib directly but instead via the jsdoc plugin, so I'm not sure why that's flagging on a production-level install.

Also not sure about uglify.

Can these be fixed by any chance?

@google-oss-bot

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

@robinskumar73

Facing the same vulnerability issue

@JoeEarly

Came across this today myself after adding Snyk to the project... any input from the team?

@lahirumaramba (Member)

Hi @dconeybe, @alexander-fenster, looks like both dependencies are coming from @protobufjs-cli through @google-cloud/firestore. Any thoughts on this? Thanks!

@dconeybe

Tagging @ehsannas in my stead.

gvsakki commented Dec 19, 2022

Facing the same issue... Any way to resolve this? AWS Inspector is showing this as vulnerable.

ehsannas commented Dec 19, 2022

A quick update: This seems to be due to one of the indirect dependencies of firestore@, a couple of levels deep. We are looking into the dependency tree, and we'll provide an update soon.

@pratyushKumarKarna

@ehsannas we are also facing the same issue. Is there any temporary estimate until we can get any fix for this?

ehsannas commented Jan 9, 2023

Hi @pratyushKumarKarna , thanks for your patience. Since the fix is happening in Firestore's dependencies, we're still waiting for them to complete this task. Once that is done, both firestore and firebase-admin-node can update their dependencies. Internally tracked by b/247113547.

@richard-rowdy-jr

Hi everyone. I wanted to follow up on this as it was a bit hard to see what the current state of the issue is 🙏

According to this chain: firebase-admin@11.4.1 › @google-cloud/firestore@6.4.1 › google-gax@3.5.2 › protobufjs-cli@1.0.2 › jsdoc@3.6.11 › taffydb@2.6.2 (Security information), does it mean you (Firebase team) have to wait on all the owners of these dependencies to fix their reference to taffydb?

thank you so much for looking into it.

@ehsannas

Yes. IIUC protobufjs-cli has a new release today that should address it. Next, google-gax needs to pick up the newest version of protobufjs-cli and make a new release.

@thanhtutzaw

#2061 (comment)
Still happening in 2023.
Is it safe to use?

@KantiKuijk

If you really can't wait for the update to get through the dependency chain, you can temporarily add the override to your package.json, which should fix audit messages and dependabot alerts. However, I can't attest to this not breaking stuff:

  "overrides": {
    "jsdoc": "^4.0.0"
  }

robbie-c commented Jan 31, 2023

I'd expect this issue is about to get a lot more traffic, as this has started showing up in yarn audit.

@lahirumaramba (Member)

Thanks everyone for your patience! This issue is now fixed in google-gax: v3.5.3.

Once nodejs-firestore updates google-gax in their dependency chain and releases a new version, we will include that in the next firebase-admin release. In the meantime, a fresh install of firebase-admin should pull the latest google-gax version with the fix. If you already have firebase-admin installed, then you might have to clean up the node_modules and package-lock.json before running npm install (please keep in mind that this could upgrade other dependencies in your project based on your package.json).

@ehsannas

nodejs-firestore's latest release now (6.4.3) has updated google-gax (3.5.3). @lahirumaramba can you make a new firebase-admin-node release?

ehsannas assigned lahirumaramba and unassigned ehsannas Feb 22, 2023

capc0 commented Apr 11, 2023

Seems to be fixed in 11.6.0.

@lahirumaramba (Member)

Should also be addressed in #2147, which we will release this week. Thanks!
