7 high severity vulnerabilities with depending on protobufjs <7.2.4

[Arsnj]

Operating System

WIndows

Browser Version

Chrome/114.0

Firebase SDK Version

10.0.0

Firebase SDK Product:

Firestore

Describe your project's tooling

npm

Describe the problem

node_modules/protobufjs
@grpc/proto-loader 0.6.0-pre1 - 0.6.13
Depends on vulnerable versions of protobufjs
node_modules/@grpc/proto-loader
@firebase/firestore <=0.0.900-exp.f43d0c698 || 2.3.7-202151602035 - 2.3.7-canary.f6e1645ef || >=2.3.8-20216122160
Depends on vulnerable versions of @grpc/proto-loader
node_modules/@angular/fire/node_modules/@firebase/firestore
node_modules/@firebase/firestore
@firebase/firestore-compat *
Depends on vulnerable versions of @firebase/firestore
node_modules/@angular/fire/node_modules/@firebase/firestore-compat
node_modules/@firebase/firestore-compat
firebase 0.900.22 || 7.9.1-0 - 7.9.1-canary.0396117e || 8.6.8-202151602035 - 8.6.8-canary.f6e1645ef || >=8.7.0-20216122160
Depends on vulnerable versions of @firebase/firestore
Depends on vulnerable versions of @firebase/firestore-compat
node_modules/@angular/fire/node_modules/firebase
node_modules/firebase
@angular/fire >=7.0.0-alpha.0
Depends on vulnerable versions of firebase
Depends on vulnerable versions of rxfire
node_modules/@angular/fire
rxfire >=5.0.0-canary.4370987
Depends on vulnerable versions of firebase
node_modules/@angular/fire/node_modules/rxfire

Steps and code to reproduce issue

npm audit

[gunnarmein-ts]

We have had the same problem since last week, can now only pass our own CI by setting the npm audit level to "critical". On macOS and Windows.

[jbalidiong]

Hi @Arsnj, thanks for bringing this to our attention. This looks like a duplicate of #7431. According to our engineers, the fix should go out whenever the next Firestore release goes out.