Skip to content

Security Audit & Remediation: manual-emulator-testing#467

Merged
inlined merged 2 commits into
firebase:masterfrom
inlined:security-audit/manual-emulator-testing
Jul 1, 2026
Merged

Security Audit & Remediation: manual-emulator-testing#467
inlined merged 2 commits into
firebase:masterfrom
inlined:security-audit/manual-emulator-testing

Conversation

@inlined

@inlined inlined commented Jul 1, 2026

Copy link
Copy Markdown
Member

Security Audit & Remediation: manual-emulator-testing

A. Previous CVEs

  • Outdated firebase-tools dependencies and transitives containing critical/high-severity vulnerabilities, including prototype pollution, RCE, and DoS.

B. Changes Made

  • Updated node engine requirements to >=22.0.0.
  • Upgraded devDependency firebase-tools to ^15.22.1.
  • Fixed HTML syntax errors in public/index.html (unclosed <input> tags using invalid </textarea>).
  • Generated local package-lock.json with --no-workspaces to support standalone copy+paste usage of the sample project.

C. Remaining CVEs

  • firebase-tools@15.22.1 transitives: tar (high file smuggling/arbitrary file overwrite), tmp (high traversal), vm2 (critical sandbox escape RCE), uuid (moderate bounds check), tough-cookie (moderate prototype pollution), yaml (moderate stack overflow), ws (high DoS).

D. Introduced CVEs

  • None

E. Testing Strategy

  • Verified compilation and formatting (npx prettier --check .).

…add local package-lock.json for manual-emulator-testing

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the firebase-tools dependency to version 15.22.1, adds a Node.js engine requirement, and applies code formatting across several files, including fixing invalid HTML tags in index.html. Feedback on the changes highlights that createUserWithEmailAndPassword returns a UserCredential rather than a User object, and that manually calling this.setUser is redundant and can cause duplicate listeners, suggesting its removal.

Comment thread manual-emulator-testing/public/index.js
@inlined inlined requested review from jhuleatt and morganchen12 July 1, 2026 20:47
this.msgInput = "";
},
signUp: async function() {
signUp: async function () {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This and the one below are odd jetski artifacts but for the sake of speed fixing it is optional.

@inlined inlined merged commit cb6486e into firebase:master Jul 1, 2026
13 checks passed
@inlined inlined deleted the security-audit/manual-emulator-testing branch July 1, 2026 22:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants