Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade firebase-admin from 11.3.0 to 12.2.0 #562

Closed

Conversation

aravindvnair99
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade firebase-admin from 11.3.0 to 12.2.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 15 versions ahead of your current version.

  • The recommended version was released on 24 days ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Infinite loop
SNYK-JS-MARKDOWNIT-6483324
292 Proof of Concept
high severity Internal Property Tampering
SNYK-JS-TAFFYDB-2992450
292 Proof of Concept
medium severity Resource Exhaustion
SNYK-JS-JOSE-6419224
292 No Known Exploit
medium severity Improper Authentication
SNYK-JS-JSONWEBTOKEN-3180022
292 No Known Exploit
medium severity Improper Restriction of Security Token Assignment
SNYK-JS-JSONWEBTOKEN-3180024
292 No Known Exploit
medium severity Use of a Broken or Risky Cryptographic Algorithm
SNYK-JS-JSONWEBTOKEN-3180026
292 No Known Exploit
medium severity Uncontrolled Resource Consumption
SNYK-JS-GRPCGRPCJS-7242922
292 No Known Exploit
low severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WORDWRAP-3149973
292 Proof of Concept
Release notes
Package name: firebase-admin
  • 12.2.0 - 2024-06-20

    Breaking Changes

    • change: Deprecate Node.js 16 support (#2574)

    Bug Fixes

    • fix: Replace farmhash with farmhash-modern (#2603)
    • fix: Make ADC + human account work with firebase-admin (#2553)
    • fix: Use optional chaining in FirebaseError (#2581)

    Miscellaneous

    • [chore] Release 12.2.0 (#2605)
    • build(deps): bump uuid from 9.0.1 to 10.0.0 (#2599)
    • build(deps-dev): bump chai-exclude from 2.1.0 to 2.1.1 (#2593)
    • build(deps-dev): bump braces from 3.0.2 to 3.0.3 (#2595)
    • build(deps): bump @ grpc/grpc-js from 1.10.8 to 1.10.9 (#2592)
    • build(deps-dev): bump @ types/lodash from 4.17.4 to 4.17.5 (#2594)
    • build(deps): bump @ google-cloud/firestore from 7.7.0 to 7.8.0 (#2583)
    • build(deps): bump @ types/node from 20.12.12 to 20.14.0 (#2585)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.34 to 0.2.35 (#2575)
    • build(deps-dev): bump chai-as-promised from 7.1.1 to 7.1.2 (#2578)
    • build(deps): bump @ google-cloud/storage from 7.11.0 to 7.11.1 (#2579)
  • 12.1.1 - 2024-05-21

    Bug Fixes

    • fix: Export error classes (#2151)

    Miscellaneous

    • [chore] Release 12.1.1 (#2561)
    • build(deps): updgrade jwks-rsa (#2570)
    • --- (#2568)
    • --- (#2566)
    • --- (#2567)
    • --- (#2569)
    • build(deps-dev): bump @ firebase/auth-types from 0.12.1 to 0.12.2 (#2556)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.43.2 to 7.43.7 (#2559)
    • chore: upgrade firestore to 7.7.0 (#2560)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.32 to 0.2.33 (#2555)
    • build(deps): bump @ google-cloud/firestore from 7.6.0 to 7.7.0 (#2558)
    • Fix api extractor issues to expose error types (#2549)
    • build(deps-dev): bump @ types/lodash from 4.17.0 to 4.17.1 (#2546)
    • build(deps): bump @ google-cloud/storage from 7.10.2 to 7.11.0 (#2547)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.43.1 to 7.43.2 (#2545)
    • build(deps): bump @ types/node from 20.12.7 to 20.12.10 (#2544)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.31 to 0.2.32 (#2540)
    • build(deps): bump @ google-cloud/storage from 7.10.1 to 7.10.2 (#2541)
    • build(deps): bump @ google-cloud/storage from 7.10.0 to 7.10.1 (#2536)
    • Update package.json to use farmhash 3.3.1 (#2534)
  • 12.1.0 - 2024-04-16

    New Features

    • feat(rc): Add server side Remote Config support (#2529)

    Miscellaneous

    • [chore] Release 12.1.0 (#2532)
    • Fix minor typo (#2533)
    • chore: Excluding certain event_types from processing uid (#2370)
    • build(deps-dev): bump gulp from 4.0.2 to 5.0.0 (#2526)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.29 to 0.2.30 (#2527)
    • build(deps): bump @ google-cloud/firestore from 7.5.0 to 7.6.0 (#2528)
    • build(deps): bump undici in /.github/actions/send-email (#2521)
    • build(deps-dev): bump @ firebase/auth-types from 0.12.0 to 0.12.1 (#2514)
    • build(deps-dev): bump mocha from 10.3.0 to 10.4.0 (#2513)
    • build(deps): bump @ types/node from 20.11.30 to 20.12.2 (#2516)
    • build(deps): bump @ google-cloud/firestore from 7.4.0 to 7.5.0 (#2517)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.28 to 0.2.29 (#2510)
    • build(deps): bump @ google-cloud/storage from 7.7.0 to 7.9.0 (#2509)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.42.3 to 7.43.0 (#2511)
    • build(deps): bump @ types/node from 20.11.24 to 20.11.30 (#2508)
    • [chore] Fixed links to rtdb api docs (#2501)
    • issue 2467: add async to send each loop to prevent local validation from throwing in an unknown state (#2469)
    • build(deps): bump @ fastify/busboy from 2.1.0 to 2.1.1 (#2491)
    • build(deps): bump follow-redirects in /.github/actions/send-email (#2497)
    • build(deps): bump @ google-cloud/firestore from 7.3.0 to 7.4.0 (#2499)
    • build(deps): bump jose from 4.15.4 to 4.15.5 (#2489)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.42.0 to 7.42.3 (#2485)
    • build(deps): bump @ types/node from 20.11.19 to 20.11.24 (#2484)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.27 to 0.2.28 (#2483)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.40.3 to 7.42.0 (#2480)
    • build(deps-dev): bump eslint from 8.56.0 to 8.57.0 (#2473)
    • build(deps-dev): bump nock from 13.5.3 to 13.5.4 (#2475)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.40.1 to 7.40.3 (#2465)
    • build(deps-dev): bump nock from 13.5.1 to 13.5.3 (#2463)
    • build(deps): bump @ types/node from 20.11.17 to 20.11.19 (#2464)
    • build(deps): bump undici in /.github/actions/send-email (#2459)
    • build(deps): bump @ types/node from 20.11.5 to 20.11.17 (#2455)
    • build(deps-dev): bump mocha from 10.2.0 to 10.3.0 (#2454)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.39.4 to 7.40.1 (#2452)
    • [chore] Update Github action workflows to fix node version and set-output deprecation warnings (#2431)
    • [chore] Bump mailgun.js to v10.1.0 (#2451)
    • build(deps): bump @ google-cloud/firestore from 7.1.0 to 7.3.0 (#2446)
    • build(deps-dev): bump @ types/uuid from 9.0.7 to 9.0.8 (#2445)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.25 to 0.2.27 (#2443)
    • build(deps-dev): bump @ types/sinon from 17.0.2 to 17.0.3 (#2442)
    • [chore] Bump @ actions/core to ^1.10.1 to remove set-output warning and set action to use Node 20 (#2432)
    • build(deps-dev): bump ts-node from 10.9.1 to 10.9.2 (#2435)
    • build(deps-dev): bump @ firebase/api-documenter from 0.3.0 to 0.4.0 (#2433)
    • build(deps-dev): bump nock from 13.4.0 to 13.5.1 (#2434)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.39.0 to 7.39.4 (#2436)
    • build(deps-dev): bump eslint from 8.55.0 to 8.56.0 (#2422)
    • build(deps-dev): bump chai from 4.3.10 to 4.4.1 (#2424)
    • build(deps): bump @ types/node from 20.10.6 to 20.11.5 (#2428)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.38.4 to 7.39.0 (#2416)
    • build(deps): bump @ fastify/busboy from 1.2.1 to 2.1.0 (#2406)
    • build(deps): bump @ types/node from 20.10.3 to 20.10.6 (#2417)
    • chore: Update Firebase integration test project setup instructions. (#2395)
  • 12.0.0 - 2023-12-07
    • Breaking change: Upgraded the @ google-cloud/firestore package to v7. This is a breaking change. Refer to the Cloud Firestore release notes for more details.

    • Breaking change: Upgraded the @ google-cloud/storage package to v7. This is a breaking change. Refer to the Cloud Storage release notes for more details.

    • Breaking change: Upgraded TypeScript to v5.1.6.

    • Deprecated support for Node.js 14. Instead use Node.js 16 or higher when deploying the Admin SDK. Node.js 14 support will be dropped in the next major version.

    • Upgraded the google-cloud/firestore dependency to v7.1.0 to support sum() and `average() aggregation functions.

    • Upgraded the @ firebase/database-compat package to v1.

    • Dropped AutoML model support (#1974)

    Bug Fixes

    • fix(firestore): Export new aggregate types (#2396)

    Miscellaneous

    • [chore] Release 12.0.0 (#2404)
    • chore: Deprecate Node.js 14 (#2397)
    • build(deps): Bump typescript, database-compat (#2403)
    • build(deps-dev): bump @ types/firebase-token-generator (#2399)
    • build(deps-dev): bump sinon and @ types/sinon (#2398)
    • build(deps-dev): bump @ types/mocha from 10.0.1 to 10.0.6 (#2400)
    • build(deps-dev): bump @ types/minimist from 1.2.2 to 1.2.5 (#2389)
    • build(deps-dev): bump @ types/request from 2.48.8 to 2.48.12 (#2390)
    • chore(deps): bump google-cloud/firestore and google-cloud/storage
  • 11.11.1 - 2023-11-23

    Miscellaneous

    • [chore] Release 11.11.1 (#2387)
    • build(deps): bump jwks-rsa from 3.0.1 to 3.1.0 (#2381)
    • chore(deps): bump google-cloud/firestore to 6.8.0 (#2385)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.36.3 to 7.38.3 (#2380)
    • build(deps-dev): bump @ types/sinon-chai from 3.2.9 to 3.2.12 (#2366)
    • build(deps-dev): bump @ babel/traverse from 7.21.4 to 7.23.2 (#2343)
    • build(deps-dev): bump eslint from 8.50.0 to 8.51.0 (#2330)
    • build(deps-dev): bump @ types/firebase-token-generator (#2322)
    • Bug Fix for issue #2320 (#2321)
  • 11.11.0 - 2023-09-28

    New Features

    • feat(auth): Add Email Privacy support in Project and Tenant config (#2198)

    Miscellaneous

    • [chore] Release 11.11.0 (#2315)
    • build(deps-dev): bump @ types/lodash from 4.14.197 to 4.14.199 (#2309)
    • build(deps-dev): bump eslint from 8.47.0 to 8.50.0 (#2311)
    • Update github.ref value in release.yml (#2313)
    • build(deps-dev): bump nock from 13.3.2 to 13.3.3 (#2288)
    • build(deps-dev): bump bcrypt from 5.1.0 to 5.1.1 (#2289)
    • build(deps-dev): bump eslint from 8.43.0 to 8.47.0 (#2279)
    • build(deps-dev): bump @ types/lodash from 4.14.195 to 4.14.197 (#2280)
    • build(deps-dev): bump @ typescript-eslint/eslint-plugin (#2282)
    • build(deps-dev): bump nock from 13.3.1 to 13.3.2 (#2270)
    • build(deps-dev): bump @ firebase/auth-compat from 0.4.3 to 0.4.4 (#2273)
    • build(deps-dev): bump @ typescript-eslint/parser from 5.59.9 to 5.62.0 (#2264)
    • build(deps): bump @ google-cloud/firestore from 6.6.1 to 6.7.0 (#2265)
    • build(deps-dev): bump @ types/uuid from 9.0.1 to 9.0.2 (#2267)
    • build(deps-dev): bump @ firebase/app-compat from 0.2.13 to 0.2.15 (#2263)
    • build(deps): bump @ google-cloud/storage from 6.11.0 to 6.12.0 (#2253)
    • build(deps-dev): bump @ microsoft/api-extractor from 7.36.1 to 7.36.3 (#2261)
    • build(deps): bump word-wrap from 1.2.3 to 1.2.4 (#2256)
    • build(deps): bump @ types/node from 20.3.2 to 20.4.2 (#2255)
    • build(deps-dev): bump @ firebase/auth-compat from 0.4.2 to 0.4.3 (#2252)
  • 11.10.1 - 2023-07-13

    Miscellaneous

    • [chore] Release 11.10.1 (#2248)
    • Revert "chore: upgrade databse-compat (

Snyk has created this PR to upgrade firebase-admin from 11.3.0 to 12.2.0.

See this package in npm:
firebase-admin

See this project in Snyk:
https://app.snyk.io/org/aravindvnair99-github-marketplace/project/3e229b24-b2de-4c21-9d58-eebf425f44fc?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

guardrails bot commented Jul 15, 2024

⚠️ We detected 7 security issues in this pull request:

Insecure File Management (1)
Severity Details Docs
High Title: Path Traversal from user input
path.join(os.tmpdir(), path.basename(req.files.file[0].fieldname)),
📚

More info on how to fix Insecure File Management in JavaScript.


Insecure Use of Crypto (1)
Severity Details Docs
Medium Title: Insecure use of random generator
result += characters.charAt(Math.floor(Math.random() * charactersLength));
📚

More info on how to fix Insecure Use of Crypto in JavaScript.


Vulnerable Libraries (5)
Severity Details
Critical pkg:npm/@tensorflow/tfjs-node@3.14.0 upgrade to: > 3.14.0
Medium pkg:npm/axios@0.25.0 upgrade to: 1.6.0
N/A pkg:npm/ejs@3.1.7 upgrade to: 3.1.10
High pkg:npm/busboy@0.3.1 upgrade to: > 0.3.1
High pkg:npm/firebase-functions@4.2.1 upgrade to: > 4.2.1

More info on how to fix Vulnerable Libraries in JavaScript.


👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

Copy link

Copy link

stale bot commented Jul 30, 2024

Automatically marked as stale due to lack of recent activity. Will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jul 30, 2024
Copy link

stale bot commented Aug 10, 2024

Automatically closed due to lack of recent activity. Tag @aravindvnair99 to reopen. Thank you for your contributions.

@stale stale bot closed this Aug 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants