[Snyk] Fix for 1 vulnerabilities

[mattdanielbrown]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	658/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: firebase-tools

The new version differs by 250 commits.

• a0f1a7f 11.21.0
• 1a8633a Remove go discovery module. (#5419)
• 811c7b4 Fix typo. (#5439)
• 661b3aa Add support for new links added to the release object (release links) (#5405) (#5438)
• 6ed2e7f update jsonwebtoken in v2 test fixture (#5435)
• c52ae18 Added status header for query upload requests (#5425)
• 1756213 Add support for system params when deploying extensions (#5414)
• 177c99d audit fixes, replace update-notifier with update-notifier-cjs (#5420)
• a1287dd Bump jsonwebtoken from 8.5.1 to 9.0.0 (#5410)
• 127ca3f Bug fix: Cloud Functions Runtime Config Hash Value (#5355)
• b501f07 update script dependencies (#5409)
• abcaaab Upgrade Storage rules runtime to v1.1.3 (ternary operators) (#5398)
• 9c2eeba Fix bug where CLI was unable to deploy Firebase Functions in some monorepo setups (#5391)
• 68bdfa7 [firebase-release] Removed change log and reset repo after 11.20.0 release
• cb8cbb7 11.20.0
• 75b3dbe Upgrade ES UI to 1.11.2. (#5394)
• a010a78 Fixes issue where secrets would be undefined in after hot reload in sequential mode (#5397)
• 1f2d8db upgrade superstatic (#5389)
• ffb09f8 Pubsub force shutdown if shutdown isn't working. (#5294)
• dfea3a5 Merge branch 'master' into master
• 09d1f1f Rename internal package name to avoid triggering vuln scan. (#5375)
• f7dbd3a Adjust from localhost to 127.0.0.1 to avoid some IP loookup issues. (#5358)
• 2957b11 Update custom_claims type to match production (#5353)
• 8fa08b2 Merge pull request #5386 from firebase/next

See the full diff

Package name: gulp

The new version differs by 134 commits.

• 55eb23a Release: 4.0.0
• 173a532 Docs: Fix the installation instructions
• ec54d09 Docs: Improve note about out-of-date docs
• 03b7c98 Docs: Update recipes to install gulp@next
• 2eba29e Docs: Remove run-sequence from recipes
• 76eb4d6 Docs: Add installation instructions & update badges
• fbc162f Docs: Remove references to gulp-util
• 3011cf9 Scaffold: Normalize repository
• f27be05 Update: Remove graceful-fs from test suite
• 361ab63 Upgrade: Update glob-watcher
• 064d100 Build: Avoid broken node 9
• 057df59 Release: 4.0.0-alpha.3
• c1ba80c Breaking: Upgrade major versions of glob-watcher, gulp-cli & vinyl-fs
• 89acc5c Docs: Improve ES2015 task exporting examples (#1999)
• 0ac9e04 Docs: Add "Project structure" section to CONTRIBUTING.md (#1859)
• 723cbc4 Docs: Fix syntax in recipe example (#1715)
• d420a6a Docs: Have gulp.lastRun take a function to avoid task registration (#1828)
• 29ece6f Upgrade: Update undertaker
• e931cb0 Docs: Fix changelog typos (#1696)
• 477db84 Docs: Add a "BrowserSync with Gulp 4" recipe (#1659)
• d4ed3c7 Docs: Add options.cwd for gulp.src API (#1645)
• 5dc3b07 Docs: Update gulp.watch API to align with glob-watcher
• 0c66069 Breaking: Replace chokidar as gulp.watch with glob-watcher wrapper
• c3dbc10 Docs: Clarify incremental builds example (#1609)

See the full diff

Package name: gulp-sass

The new version differs by 42 commits.

• 5775044 Update CHANGELOG.md
• 978b8f6 Update to major version 5 (Bump firebase dev dependency version number to 8.2.4 firebase/firebaseui-web#802)
• 10eae93 Update changelog for 4.1.1
• 947b26c Upgrade lodash to fix a security issue ("updateCurrentUser failed" error on screen, after using 4.7.1 via ES module import firebase/firebaseui-web#776)
• 8d6ac29 Update changelog
• 43c0547 4.1.0
• ebe3ec6 Set appropriate file stat times (Nothing happens when clicking the sign in buttons firebase/firebaseui-web#763)
• 7ab018e Migrate to the lodash package
• fa670c6 4.0.2
• fefa00e Revert package.json version bump
• 98254d2 Fix README typos
• 8a14419 Continue loading Node Sass by default
• 938afbe Add a note about synchronous versus asynchronous speed
• 7cc2db1 Make this package implementation-agnostic
• 643f73b Add documentation for synchronous code options
• 0b3c7e7 4.0.1
• daca90d Merge pull request Localize email action firebase/firebaseui-web#681 from DKvistgaard/master
• 71471c2 Declaring logError as function instead of arrow function.
• 450a7b8 4.0.0
• e9b1fe8 Fix node versions in appveyor.yml
• 44be409 Merge pull request Link to one tap signup is broken firebase/firebaseui-web#667 from dlmanning/next
• 7656eff Adopt airbnb eslint preset
• 1293169 Bump autoprefixer@^8.1.0, gulp-postcss@^7.0.1
• 9fa817b Bump gulp-sourcemaps@^2.6.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)