Could you help remove the vulnerability introduced in your package?

[paimon0715]

Hi ,@schmidt-sebastian @Feiyang1 , there is a vulnerability in your package:

Issue Description

A vulnerabilities CVE-2020-7765 in package @firebase/util<0.3.4 is transitively referenced by firebase@7.24.0. We noticed that such vulnerability has been removed since firebase@8.0.1.

However, firebase's popular previous version firebase@7.24.0 (120,426 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 554 downstream projects, e.g., @ubnt/unifi-access-ui 1.3.32-987, @nuskin/ns-aem 3.34.201, @sentrei/common 1.131.0, @sentrei/web 1.131.0, @sentrei/ui 1.131.0, @kevinldonnelly/storage-view-controllers@0.4.0 and @liquality/bundle@0.7.0, etc.). As such, issues CVE-2020-7765 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily degrade firebase from version 7.24.0 to 8.*.* . For instance, firebase@7.24.0 is introduced into the above projects via the following package dependency paths:
(1)@kevinldonnelly/storage-view-controllers@0.4.0 ➔ firebase-auth-database-storage-typescript@0.1.7 ➔ firebase@7.24.0 ➔ @firebase/analytics@0.6.0 ➔ @firebase/component@0.1.19 ➔ @firebase/util@0.3.2
(2) @liquality/bundle@0.7.0 ➔ @liquality/bitcoin-kiba-provider@0.7.0 ➔ @liquality/kiba-provider@0.7.0 ➔ core-connection@0.0.12 ➔ firebase@7.24.0 ➔ @firebase/analytics@0.6.0 ➔ @firebase/component@0.1.19 ➔ @firebase/util@0.3.2
........

The projects such as firebase-auth-database-storage-typescript and core-connection which introduced firebase@7.24.0 are not maintained anymore. These unmaintained packages can neither upgrade firebase nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerabilities from package firebase@7.24.0?

Suggested Solution

Since these unactive projects set a version constaint ~7.24.* for firebase on the above vulnerable dependency paths, if firebase removes the vulnerability from 7.24.0 and releases a new patched version firebase@7.24.1,
such a vulnerability patch can be automatically propagated into the 554 affected downstream projects.

In firebase@7.24.1, you can kindly try to perform the following upgrade:
@firebase/analytics 0.6.0 ➔ 0.6.2;
Note:
@firebase/analytics@0.6.2 transitively depends on @firebase/util@0.3.4 (a vulnerability CVE-2020-7765 patched version)

Thanks again for your contributions.

Sincerely yours,
Paimon

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[paimon0715]

@looptheloop88 Thanks for your help.

[Feiyang1]

Sorry to hear that you are stuck with older Firebase versions with unmaintained packages, but we don't publish patches for older versions, so I'm afraid you will need to find some way to upgrade if you care about this vulnerability.

In practice, I'm not sure how much the vulnerability really matters, if anyone can inject malicious code into your codebase, they could just do the unsafe deep copy themselves.

[paimon0715]

@Feiyang1 Thanks for your answers. I understand your explanations. The vulnerability reports "may" be a false positive.
But 12,232 downstream projects （active latest versions of projects） recieved such reports every build.
As a popular library version (120,426 downloads per week), if firebase-js-sdk can release a patch versoin firebase@7.24.1, it can definitively remove the security threats from ten thousands of dependency paths.

Thanks again.

Best regards.

[hsubox76]

Unfortunately, we're not able to do security updates to versions as old as 7. Maybe for these cases patch-package can be of help: https://www.npmjs.com/package/patch-package