New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency firebase-tools to v13 [security] #731

Open

renovate wants to merge 1 commit into master from renovate/npm-firebase-tools-vulnerability

Contributor

renovate bot commented May 3, 2024

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
firebase-tools	`12.6.1` -> `13.6.0`

GitHub Vulnerability Alerts

CVE-2024-4128

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.

Release Notes

firebase/firebase-tools (firebase-tools)

`v13.6.0`

Released Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a reset endpoint for Datastore Mode.
Released PubSub Emulator 0.8.2. This version includes support for no_wrapper options.
Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains. (#6895)
Fixes issue where GOOGLE_CLOUD_QUOTA_PROJECT breaks functions source uploads (#6917)

`v13.5.2`

Fix hosting rewrite deployment bug for skipped functions (#6658).

`v13.5.1`

Release Emulator Suite UI v1.11.8 which adds support for Multiple DBs in the Emulator UI Firestore page via editing the URL. (#6874)

`v13.5.0`

Enable dynamic debugger port for functions + support for inspecting multiple codebases (#6854)
Inject an environment variable in the node functions emulator to tell the google-gax SDK not to look for the metadata service. (#6860)
Release Firestore Emulator 1.19.3 which fixes ancestor and namespace scope queries for Datastore Mode. This release also fixes internal errors seen across REST API and firebase-js-sdk.
v2 scheduled functions with explicit service accounts trigger eventarc to use that service account (#6858)
v2 event functions with explicit service accounts trigger eventarc to use that service account (#6859)

`v13.4.1`

Released Firestore emulator v1.19.2, which fixes some bugs affecting client SDKs when in Datastore Mode.
Fix demo projects + web frameworks with emulators (#6737)
Fix Next.js static routes with server actions (#6664)
Fixed an issue where GOOGLE_CLOUD_QUOTA_PROJECT was not correctly respected. (#6801)
Make VPC egress settings in functions parameterizeable (#6843)

`v13.4.0`

Added new commands for managing Firestore backups and restoring databases. (#6778)
Fixed quota attribution for Firebase Auth API calls. (#6819)

`v13.3.1`

Release Cloud Firestore emulator v1.19.1:
- Adds support for Datastore Mode to the Firstore Emulator. Adds
  --database-mode flag to gcloud emulator firestore start command. Note
  that this is a preview feature and if you find any bugs, please file them
  here: https://github.com/firebase/firebase-tools/issues.
Improve FAH onboarding flow to connect backends with SCMs (#6764).
Fixed issue where GitHub actions would fail due to lack of permission. (#6791)

`v13.3.0`

Improved detection for when login has expired due to Google Cloud Session Control. (#1846)
Added support for Python 3.12. (#6679)
Fixed issues with internal utilities. (#6754)
Fixed an issue where firestore:delete wouldn't target the emulator when expected. (#6537)

`v13.2.1`

Fixed an issue where appdistribution:distribute would always attempt to run tests. (#6749)

`v13.2.0`

Added rudimentary email enumeration protection for auth emulator. (#6702)

`v13.1.0`

Point v2 function target to entrypoint. (#6698)
Fixed issue where Auth emulator sign in with Google only shows default tenant. (#6683)
Prevent the use of pinTags + minInstances on the same function, as the features are not mutually compatible (#6684)
Added force flag to delete backend (#6635).
Use framework build target in Vite builds (#6643).
Use framework build target in NODE_ENV for production Vite builds (#6644)
Let framework handle public directory with emulator. (#6674)
Dynamically import Vite to fix deprecated CJS build warning. (#6660)
Fixed unsafe array spreads on Hosting deploys. (#6712)

`v13.0.3`

Fixed typo in Cloud storage bucket metadata location type. (#6648)
Fixed an issue where including export in .env files caused parsing errors. (#6629)

`v13.0.2`

Fix Next.js dynamic and static OG images. (#6592)
Address a regression introduced in 13.0.1 when emulating Vite applications. (#6599)
Add RSC headers of Next.js app directory pages to Hosting headers. (#6608)

`v13.0.1`

Fix bug where deploying Firestore function resulted in redudant API calls to the Firestore API (#6583).
Fix an issue preventing Vite applications from being emulated on Windows. (#6411)
Addressed an issue preventing Astro applications from being deployed from Windows. (#5709)
Fixed an issue preventing Angular apps using ng-deploy from being emulated or deployed. (#6584)
Warn if a Web Framework is outside a well known version range on deploy/emulate. (#6562)
Use Web Framework's well known version range in firebase init hosting. (#6562)
Permit use of more SSR regions in Web Frameworks deploys. (#6086)
Limit Web Framework's generated Cloud Function name to 23 characters, fixing deploys for some. (#6260)
Allow Nuxt as an option during firebase init hosting. (#6309)

`v13.0.0`

Breaking: dropped support for running the CLI on Node.js v16.
Breaking: Refactored functions:shell to remove dependency on deprecated request module.
- As part of this change, removed support for some rarely used features of request.
Breaking: Removed deprecated ext:dev:publish command. Use ext:dev:upload instead.
Added support for running the CLI on Node.js v20.
Switched Storage deployment to use GetDefaultBucket endpoint to fetch default Storage bucket. (#6467)
Fixed an issue with emulating blocking functions when using multiple codebases (#6504).
Added force flag call-out for bypassing prompts (#6506).
Added the ability to deploy Angular apps using the new application-builder. (#6480)
Fixed an issue where --non-interactive flag is not respected in Firestore indexes deploys. (#6539)
Fixed an issue where login:use would not work outside of a Firebase project directory. (#6526)
Prevent app router static not-found requiring a Cloud Function in Next.js deployments. (#6558)
Use only site id from site name in list versions API. (#6565)

`v12.9.1`

Fixes issue where initializing Hosting fails when selecting a project. (#6527)

`v12.9.0`

Revert enabling preferRest by default to avoid performance degradations for some users (#6520).
Fix blocking functions in the emulator when using multiple codebases (#6504).
Add force flag call-out for bypassing prompts (#6506).
Fixed an issue where the functions emulator did not respect the --log-verbosity flag (#2859).
Add the ability to look for the default Hosting site via Hosting's API.
Add logic to create a Hosting site when one is not available in a project.
Add checks for the default Hosting site when one is assumed to exist.

`v12.8.1`

Fixed 2 bugs (unintended database mode changes and disabling of PITR or delete-protection) when updating Firestore databases (#6478)

`v12.8.0`

Enable preferRest option by default for Firestore functions. (#6147)
Fixed a bug where re-deploying 2nd Gen Firestore function failed after updating secrets. (#6456)
Fixed a bug where similarly-named Hosting channels would cause issues when updating authorized domains. (#6356)

`v12.7.0`

Fix type mismatch for parametrized function region. (#6205)
Ignore FIRESTORE_EMULATOR_HOST environment variable on functions deploy. (#6442)
Added support for enabling, disabling, and displaying Point In Time Recovery enablement state on Firestore databases (#6388)
Added a --verbosity flag to emulators:* commands that limits what logs are printed (#2859)
Fixed an issue where params would not be resolved when used to set VPC connector during functions deployment (#6327)

`v12.6.2`

Fixed an issue with deploying multilevel grouped functions containing v2 functions. (#6419)
Fixed an issue where functions deployment required a new permission.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          chore(deps): update dependency firebase-tools to v13 [security]

e5f0dad

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet