
@firebase/firestore has a transitive vulnerable dependency to protobufjs #7484

Closed
bilby91 opened this issue Jul 20, 2023 · 12 comments

Comments

@bilby91

bilby91 commented Jul 20, 2023

Operating System

macOS

Browser Version

Chrome

Firebase SDK Version

10

Firebase SDK Product:

Firestore

Describe your project's tooling

@firebase/firestore currently depends on a vulnerable version of protobufjs via @grpc/proto-loader@0.6.13.

There has been work done to fix this version in the past, but it seems that this one got missed: #7431

https://github.com/firebase/firebase-js-sdk/blob/master/packages/firestore/package.json#L100

Describe the problem

Firebase currently has insecure dependencies

Steps and code to reproduce issue

Install firebase package.

@bilby91 bilby91 added new A new issue that hasn't been categorized as question, bug or feature request question labels Jul 20, 2023
@ehsannas
Contributor

Thanks for flagging this @bilby91.

@tom-andersen
Contributor

I'll look into updating this.

@bilby91
Author

bilby91 commented Jul 20, 2023

@ehsannas @tom-andersen Appreciated!

@jbalidiong jbalidiong added needs-attention and removed new A new issue that hasn't been categorized as question, bug or feature request labels Jul 21, 2023
@guneemwelloeux

The issue is also present with Firebase SDK version 9 (currently 9.23.0).

FYI, this is the GitHub Dependabot alert I'm getting:

Dependabot cannot update protobufjs to a non-vulnerable version
The latest possible version that can be installed is 6.11.3 because of the following conflicting dependency:

firebase@9.18.0 requires protobufjs@^6.11.3 via a transitive dependency on @grpc/proto-loader@0.6.13
The earliest fixed version is 7.2.4

Also, if it can help, it seems that updating the direct dependency @grpc/proto-loader to version @^0.7.0
The following is taken from my yarn.lock:

```
  "@grpc/proto-loader@^0.7.0":
~   version "0.7.8"
~   resolved "https://registry.yarnpkg.com/@grpc/proto-loader/-/proto-loader-0.7.8.tgz#c050bbeae5f000a1919507f195a1b094e218036e"
~   integrity sha512-GU12e2c8dmdXb7XUlOgYWZ2o2i+z9/VeACkxTA/zzAe2IjclC5PnVL0lpgjhrqfpDYHzM8B1TF6pqWegMYAzlA==
    dependencies:
      "@types/long" "^4.0.1"
      lodash.camelcase "^4.3.0"
      long "^4.0.0"
~     protobufjs "^7.2.4"
~     yargs "^17.7.2"
```

Thanks!

@sceee

sceee commented Jul 26, 2023

This is also present in Firebase SDK version 8, see #7431 (comment).
Considering the amount of weekly downloads v8.10.1 still has on npm, it would be great if a fix could be backported.

@levpachmanov

Hey @guneemwelloeux,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches, enabling more straightforward remediation in cases like this. We created a protobufjs 6.11.3-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

@tom-andersen
Contributor

The proto-loader version has been updated.

I have asked a coworker to look into updating part versions.

@doctor-entropy

Referencing #7551, when can we expect a new version which has the fix? npm, due to Firebase's security vulnerability, is downgrading it to v8.6.8 and causing export errors. I'm unable to move forward because of this.

@levpachmanov

Hi @doctor-entropy, please see my comment above: we offer a patched version of protobufjs 6.11.3 so you can move forward securely.

@marcel-idana

> Hi @doctor-entropy please see my comment above, we offer a patched version of protobufjs 6.11.3 so you can move forward securely.

Please stop nudging people to your parallel world. It might be good but this is not the place for advertisement.

Thanks for #7520. I hope that we soon see a release with a patch increment.

@MarkDuckworth
Contributor

Protobufjs also fixed the issue in v6.11.4. Updating your dependencies with npm update or yarn upgrade will now resolve this issue if you're using the latest v8, v9, or v10 Firebase JS SDK.

@tom-andersen
Contributor

Already resolved.

@firebase firebase locked and limited conversation to collaborators Dec 31, 2023