
Update date-and-time #1538

Closed
paimon0715 opened this issue Aug 18, 2021 · 3 comments
Assignees
Labels
api: storage Issues related to the googleapis/nodejs-storage API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@paimon0715

Subject of the issue

@google-cloud/storage@4.7.0 requires date-and-time@0.13.1, which has a security problem (see: CVE-2020-26289):
@google-cloud/storage@4.7.0 ➔ date-and-time@0.13.1

I do not know if this vulnerability actually affects @google-cloud/storage, but it will show up in security reports about dependencies. Since a large number of developers still use @google-cloud/storage@4.7.0 (150,282 downloads per week), is there any possibility that you could release an updated version for 4.7.* (i.e. 4.7.1) that introduces a patched version (>=0.14.2) of date-and-time?

In @google-cloud/storage@4.7.1, maybe you can perform the following update (not crossing a major version):
date-and-time ^0.13.0 ➔ ^0.14.2
where date-and-time@0.14.2 (>=0.14.2) has fixed the vulnerability CVE-2020-26289.
Thank you for your help.^_^

@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/nodejs-storage API. label Aug 18, 2021
@shaffeeullah shaffeeullah added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p2 Moderately-important priority. Fix may not be included in next release. labels Aug 18, 2021
@shaffeeullah
Contributor

Thanks for calling this out! I will backport the fix to v4. Just curious, is there a specific reason that you have not upgraded to a more recent version of the library? v4.7.0 is quite outdated at this point. We're always looking for ways to make upgrading easier, so any feedback here would be helpful.

@paimon0715
Author

@shaffeeullah, thank you for your feedback and suggestion.

upgraded to a more recent version of the library

I know that it's kind of you to have removed the vulnerability since @google-cloud/storage@5.2.0. But, in fact, a large number of downstream projects cannot easily upgrade @google-cloud/storage from version 4.7.0 to (>=5.2.0):
As you can see, @google-cloud/storage@4.7.0 is introduced into the above projects via the following package dependency paths:
(1) multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ @google-cloud/storage@4.7.0 ➔ date-and-time@0.13.1
(2) node-paytmpg@2.0.4 ➔ multi-db-orm@1.0.8 ➔ node-firestore-import-export@1.1.0 ➔ firebase-admin@8.13.0 ➔ @google-cloud/storage@4.7.0 ➔ date-and-time@0.13.1
......

The projects such as node-firestore-import-export, which introduced @google-cloud/storage@4.7.0, are not maintained anymore. These unmaintained packages can neither upgrade @google-cloud/storage nor be easily migrated by the large number of affected downstream projects.

Since these inactive projects set a version constraint 4.7.* for @google-cloud/storage on the above vulnerable dependency paths, if @google-cloud/storage removes the vulnerability from 4.7.0 and releases a new patched version @google-cloud/storage@4.7.1, such a vulnerability patch can be automatically propagated into the downstream projects.
Thank you for your contributions again.
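As an added illustration (not code from the thread or from googleapis/nodejs-storage), the following Node script models the propagation argument above with a hand-rolled subset of semver resolution: a 4.7.* pin picks up a backported 4.7.x patch, while the ^0.13.0 constraint on 0.x can never select date-and-time 0.14.2. The 4.7.1 release and its ^0.14.2 range are assumptions taken from the suggestion in the thread.

```javascript
// Added example (not from the thread or googleapis/nodejs-storage): a hand-rolled
// subset of semver resolution (exact pin, ^, x-range, >=) used to show why a
// 4.7.x patch release reaches projects pinned to 4.7.*, while a ^0.13.0
// constraint can never select date-and-time 0.14.2 (caret on 0.y.z pins minor).
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
};

// True when `version` satisfies `range`.
function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith('>=')) return cmp(v, parse(range.slice(2))) >= 0;
  if (range.startsWith('^')) {
    const base = parse(range.slice(1));
    if (cmp(v, base) < 0) return false;
    // ^0.y.z allows patch bumps only; ^x.y.z with x > 0 allows minor and patch.
    return base[0] === 0 ? v[0] === 0 && v[1] === base[1] : v[0] === base[0];
  }
  const m = range.match(/^(\d+)\.(\d+)\.[*x]$/);
  if (m) return v[0] === Number(m[1]) && v[1] === Number(m[2]);
  return version === range; // exact pin
}

// Highest published version satisfying `range`, or null if none does.
function resolve(range, published) {
  const ok = published.filter((c) => satisfies(c, range)).map(parse).sort(cmp);
  return ok.length ? ok[ok.length - 1].join('.') : null;
}

// Constructed data mirroring the thread: date-and-time has a vulnerable 0.13.1
// and a patched 0.14.2; storage releases map version -> its date-and-time range.
const DATE_AND_TIME = ['0.13.1', '0.14.2'];
const PATCHED_FROM = '0.14.2';

// Which date-and-time does a project with `downstreamRange` on storage end up with?
function resolvedDateAndTime(downstreamRange, storageReleases) {
  const storage = resolve(downstreamRange, Object.keys(storageReleases));
  return storage ? resolve(storageReleases[storage], DATE_AND_TIME) : null;
}

// Before a backport only 4.7.0 exists; after it, a hypothetical 4.7.1 bumps the range.
const before = { '4.7.0': '^0.13.0' };
const after = { ...before, '4.7.1': '^0.14.2' };
for (const [label, releases] of [['before', before], ['after', after]]) {
  const dt = resolvedDateAndTime('4.7.*', releases);
  console.log(label, dt, satisfies(dt, '>=' + PATCHED_FROM) ? 'patched' : 'vulnerable');
}
```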

@shaffeeullah
Contributor

This is fixed in release 4.7.2.
