
protobufjs Prototype Pollution vulnerability #7551

Closed

doctor-entropy opened this issue Aug 12, 2023 · 5 comments

Comments


doctor-entropy commented Aug 12, 2023

Operating System

macOS Monterey v12.6.5

Browser Version

Chrome / Firefox

Firebase SDK Version

10.1.0

Firebase SDK Product:

Firestore

Describe your project's tooling

Vite + Vue 3

{
  "name": "web-app",
  "private": true,
  "version": "0.0.0",
  "type": "module",
  "scripts": {
    "dev": "vite",
    "build": "vue-tsc && vite build",
    "preview": "vite preview"
  },
  "dependencies": {
    "firebase": "^10.1.0",
    "vite-tsconfig-paths": "^4.2.0",
    "vue": "^3.2.47",
    "vue-router": "^4.2.2",
    "vuex": "^4.0.2"
  },
  "devDependencies": {
    "@types/node": "^20.3.0",
    "@types/vue-router": "^2.0.0",
    "@vitejs/plugin-vue": "^4.1.0",
    "typescript": "^5.0.2",
    "vite": "^4.3.9",
    "vue-tsc": "^1.4.2"
  }
}

Describe the problem

Trying to install firebase with the latest version, but I get 5 high security vulnerability issues (check the audit report below). `npm audit fix --force` causes it to downgrade firebase to v8.6.8, which then causes issues in the browser: Uncaught SyntaxError: ambiguous indirect export: initializeApp

# npm audit report

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install firebase@8.6.8, which is a breaking change
node_modules/protobufjs
  @grpc/proto-loader  0.6.0-pre1 - 0.6.13
  Depends on vulnerable versions of protobufjs
  node_modules/@grpc/proto-loader
    @firebase/firestore  <=0.0.900-exp.f43d0c698 || 2.3.7-202151602035 - 2.3.7-canary.f6e1645ef || >=2.3.8-20216122160
    Depends on vulnerable versions of @grpc/proto-loader
    node_modules/@firebase/firestore
      @firebase/firestore-compat  *
      Depends on vulnerable versions of @firebase/firestore
      node_modules/@firebase/firestore-compat
        firebase  0.900.22 || 7.9.1-0 - 7.9.1-canary.0396117e || 8.6.8-202151602035 - 8.6.8-canary.f6e1645ef || >=8.7.0-20216122160
        Depends on vulnerable versions of @firebase/firestore
        Depends on vulnerable versions of @firebase/firestore-compat
        node_modules/firebase

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

My firebase config file

import { initializeApp } from "firebase/app";
// getFirestore is exported by "firebase/firestore", not "firebase/database"
// (which exports the Realtime Database API, e.g. getDatabase)
import { getFirestore } from "firebase/firestore";

// Your web app's Firebase configuration
const firebaseConfig = {
  // My config
};

// Initialize Firebase
const app = initializeApp(firebaseConfig);

// Firestore instance bound to the initialized app
const db = getFirestore(app);

export { db };

Any workarounds are also greatly appreciated.

Steps and code to reproduce issue

npm create vite@latest my-vue-app -- --template vue
cd my-vue-app
npm i
npm i firebase --save
npm audit fix --force

@doctor-entropy doctor-entropy added new (A new issue that hasn't been categorized as question, bug or feature request) and question labels Aug 12, 2023
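The audit report above only tells you that some path from `firebase` reaches a protobufjs version inside the flagged range (6.10.0 - 7.2.3); it does not show whether a patched copy is also present or which exact chain pulls the old one in. The following script is an added example (not code from the issue or from the Firebase project): it walks an `npm ls --all --json` style tree and reports every dependency path that ends at a protobufjs version inside that range. The tree embedded below is constructed to mirror the chain in the report (the `@firebase/firestore` and top-level `protobufjs` version numbers are made up for illustration); for a real project, replace it with the parsed output of `npm ls --all --json`.

```javascript
// Minimal semver handling: compare major.minor.patch only. Prerelease and build
// metadata are stripped, which is a deliberate simplification (real semver orders
// 7.2.3-rc.1 before 7.2.3; for an inclusive range check both still land inside).
function parseVersion(v) {
  const core = v.split('+')[0].split('-')[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside the inclusive hyphen range "lo - hi",
// the notation npm audit uses for the vulnerable range.
function inRange(version, range) {
  const [lo, hi] = range.split(' - ').map(parseVersion);
  const v = parseVersion(version);
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
}

// Depth-first walk over an `npm ls --json` tree. Returns one "a@x > b@y > pkg@z"
// string per path that ends at `pkg` with a version inside `range`.
function findVulnerablePaths(tree, pkg, range, path = [], findings = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    // npm marks unresolved packages with `missing: true` and no version; skip them.
    if (!node.version) continue;
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && inRange(node.version, range)) {
      findings.push(here.join(' > '));
    }
    findVulnerablePaths(node, pkg, range, here, findings);
  }
  return findings;
}

// Constructed sample tree shaped like the chain in the audit report above.
// Hypothetical versions; a real tree comes from `npm ls --all --json`.
const sampleTree = {
  name: 'web-app',
  version: '0.0.0',
  dependencies: {
    firebase: {
      version: '10.1.0',
      dependencies: {
        '@firebase/firestore': {
          version: '4.0.0',
          dependencies: {
            '@grpc/proto-loader': {
              version: '0.6.13',
              dependencies: { protobufjs: { version: '7.2.3' } },
            },
          },
        },
      },
    },
    // A second, newer copy outside the flagged range must not be reported.
    protobufjs: { version: '7.2.5' },
    vue: { version: '3.2.47' },
  },
};

const FLAGGED_PACKAGE = 'protobufjs';
const FLAGGED_RANGE = '6.10.0 - 7.2.3'; // taken from the audit report above

function scanSample() {
  return findVulnerablePaths(sampleTree, FLAGGED_PACKAGE, FLAGGED_RANGE);
}

for (const p of scanSample()) console.log('vulnerable path:', p);
```

The per-path output is what decides the remediation: if the only offending copy sits under a package you can upgrade, a normal `npm update` or a newer parent release removes it, whereas a chain pinned by an upstream package (as with `@grpc/proto-loader` here) is what keeps the finding alive until that upstream ships a fix, which is why the thread points to #7484 rather than to a local change.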
@Bullfrog1234

This is currently being discussed in #7484; I suggest this issue is closed as a duplicate.

@doctor-entropy
Author

doctor-entropy commented Aug 13, 2023

@Bullfrog1234 Okay 👍 Will mark it as duplicate. But is the Uncaught SyntaxError: ambiguous indirect export: initializeApp related to this issue? If so, is there a workaround for this? I'm unable to understand what this issue is about and move forward. Thanks!

@jbalidiong jbalidiong added needs-attention and removed new (A new issue that hasn't been categorized as question, bug or feature request) labels Aug 14, 2023
@dconeybe dconeybe self-assigned this Aug 14, 2023
@dconeybe
Contributor

Note that v8.6.8 (to which node is downgrading you) is a very old version (released June 2021) and it had a completely different API surface (see https://firebase.google.com/docs/web/modular-upgrade). In fact, the function initializeApp() didn't even exist in v8.6.8 (it was introduced in v9.0.0). So there is no "fix" for the SyntaxError and to use v8.6.8 you'd have to re-write your code to use the old Firebase APIs.

@doctor-entropy
Author

@dconeybe When can we expect a new version with the fix?

@dconeybe
Contributor

@doctor-entropy Please post this question to #7484 where the actual work to fix this vulnerability is being tracked.

This issue was closed.