
🚨 [security] Update firebase 9.8.2 → 11.0.2 (major) #111

Open · wants to merge 1 commit into base: main

Conversation

depfu[bot]

@depfu depfu bot commented Nov 18, 2024


Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!



🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ firebase (9.8.2 → 11.0.2) · Repo · Changelog

Security Advisories 🚨

🚨 Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset by an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow an actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

↗️ @firebase/analytics (indirect, 0.7.9 → 0.10.10) · Repo · Changelog

↗️ @firebase/app-compat (indirect, 0.1.26 → 0.2.46) · Repo · Changelog

↗️ @firebase/app-types (indirect, 0.7.0 → 0.9.3) · Repo · Changelog

↗️ @firebase/auth-types (indirect, 0.11.0 → 0.12.3) · Repo · Changelog

↗️ @firebase/database (indirect, 0.13.0 → 1.0.10) · Repo · Changelog

↗️ @firebase/database-types (indirect, 0.9.8 → 1.0.7) · Repo · Changelog

↗️ @firebase/storage-types (indirect, 0.6.0 → 0.8.3) · Repo · Changelog

↗️ @firebase/util (indirect, 1.6.0 → 1.10.2) · Repo · Changelog

↗️ @grpc/grpc-js (indirect, 1.6.7 → 1.9.15) · Repo

Security Advisories 🚨

🚨 @grpc/grpc-js can allocate memory for incoming messages well above configured limits

Impact

There are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option:

  1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.
  2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.

Patches

This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.

Release Notes

1.9.1

  • Fix usage of Protobuf.js Message type in TypeScript type definitions file (#177)
  • Fix handling of undefined values for optional call arguments (#179)

1.9.0

  • Further improve the error output when failing to load an installed precompiled binary (#175)
  • Fix type definition documentation for KeyCertPair (#171)
  • Fix server segfault on invalid HTTP/2 (grpc/grpc#14199)
  • LB policies request re-resolution without shutting down (grpc/grpc#12829)
  • On server, include receiving HTTP/2 settings in handshake timeout (grpc/grpc#13336)
  • Fix max connection idleness crash (grpc/grpc#14122)
  • Report metadata plugin auth errors with an UNAVAILABLE status instead of UNAUTHENTICATED (grpc/grpc#13363).

1.8.4

  • Add error code name and number to status Error objects for easier debugging. The status details string is now available in the Error object's details field. (#126)
  • Made a build process change that may fix some installation errors
  • Add more informative error for a missing callback to the Server#tryShutdown method (#143)
  • Removed extraneous files from published package
  • Mark some network errors with an UNAVAILABLE status (grpc/grpc#13917)
  • Fix HTTP/2 PING issues (grpc/grpc#13950)

1.8.0

  • Publish precompiled binaries for Alpine Linux
  • Improve the error output when failing to load an installed precompiled binary (#106).

1.7.3

1.7.2

  • Separate precompiled binaries for glibc and musl libc (#82, courtesy of @bkw)
    • Precompiled binaries are not yet distributed for musl libc. Installations on Alpine Linux will result in compiling the binary locally.
  • Remove incorrect assertion (#92)

1.7.1

Changes

  • Publish prebuilt binaries for Node 9
  • Fix file permissions issue with Linux prebuilt binaries (reported in #76).

1.7.0

Please see the notes for the previous releases here: https://github.com/grpc/grpc/releases. Also please see http://grpc.io/ for all information regarding this product.

This is the 1.7 release of Node gRPC.

Changes

  • Significantly decrease on-disk package size. (#41)
  • Allow client methods to be referenced using the exact name in the .proto file. (#42)
  • Ensure that Client#waitForReady actually triggers long-idle clients to reconnect. (#43)
  • Add TypeScript typings file (#52, courtesy of @Crevil)

Does any of this look wrong? Please let us know.

Sorry, we couldn't find anything useful about this release.

↗️ @​grpc/proto-loader (indirect, 0.6.12 → 0.7.13) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ long (indirect, 4.0.0 → 5.2.3) · Repo

Release Notes

5.2.3

Bug fixes

  • Reorder module exports in package.json (#122) (cd84ddd)

5.2.2

Bug fixes

5.2.1

Bug fixes

  • Add types to exports in package.json (#111) (3cea40d)

5.2.0

New features

Other

  • Fix link to releases (93b06bd)
  • Add more build instructions (d30e39c)
  • Fix README formatting (9d90c0b)
  • Add various instructions (fca1fa0)
  • Indicate that isPositive includes zero, fixes #100 (d901220)

5.1.0

New features

5.0.1

Bug fixes

  • Always return matching signed/unsigned zeroes, fixes #72 (19ac17b)

Other

  • Move NaN/Infinity check below unsigned setup in fromString (bf68549)
  • Switch to daily releases (bd8e614)

5.0.0

Breaking changes

  • Switch to ESM / modernize (8641039)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ protobufjs (indirect, 6.11.2 → 7.4.0) · Repo · Changelog

Security Advisories 🚨

🚨 protobufjs Prototype Pollution vulnerability

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

🚨 Prototype Pollution in protobufjs

The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.

This vulnerability can occur in multiple ways:

  1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
  2. by parsing/loading .proto files
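
The mechanism behind both protobufjs advisories, as an added example: a hypothetical dotted-path setter (a reimplementation of the pattern, not protobufjs's own `util.setProperty`) that lets a path reach `Object.prototype`, beside a hardened version that refuses prototype-reaching segments and only descends into own properties. The `pollutes` helper and the sample paths are constructed for the demonstration.

```javascript
'use strict';
// Hypothetical dotted-path setter of the kind the advisories describe; a
// reimplementation of the pattern, not protobufjs's own util.setProperty.
// Each segment is followed whether own or inherited, so "constructor.prototype.x"
// walks {} -> Object -> Object.prototype and "__proto__.x" lands there directly.
function setPropertyUnsafe(dst, path, value) {
  const parts = path.split('.');
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Hardened setter: segments that can reach a prototype are rejected, and the
// walk descends only into own plain-object properties, creating a fresh
// container otherwise, so inherited objects are never written to.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function setPropertySafe(dst, path, value) {
  const parts = path.split('.');
  let cur = dst;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set a property through "${key}"`);
    }
    if (i === parts.length - 1) {
      cur[key] = value;
      return dst;
    }
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  return dst;
}

// Applies a setter to a throwaway object and reports whether an unrelated,
// freshly created object gained the property (i.e. the shared prototype was
// polluted); cleans Object.prototype afterwards so later checks start clean.
function pollutes(setter, path) {
  let rejected = false;
  try { setter({}, path, 'polluted'); } catch (err) { rejected = err instanceof TypeError; }
  const leaked = ({}).polluted === 'polluted';
  delete Object.prototype.polluted;
  return { leaked, rejected };
}
```

The same check applies to any setter fed parsed input: a key named `__proto__`, `constructor` or `prototype` in a path should be treated as an error, not as a property name.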

Release Notes

Too many releases to show here. View the full release notes.

🆕 @firebase/data-connect (added, 0.1.2)

🆕 @firebase/installations-compat (added, 0.2.11)

🆕 @firebase/installations-types (added, 0.5.3)

🆕 @firebase/vertexai (added, 1.0.1)

🗑️ @firebase/auth (removed)

🗑️ @firebase/polyfill (removed)

🗑️ @types/long (removed)

🗑️ immediate (removed)

🗑️ jszip (removed)

🗑️ lie (removed)

🗑️ node-fetch (removed)

🗑️ pako (removed)

🗑️ selenium-webdriver (removed)

🗑️ setimmediate (removed)

🗑️ tmp (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Nov 18, 2024

netlify bot commented Nov 18, 2024

Deploy Preview for remarkable-entremet-e59b41 ready!

Name: Link
🔨 Latest commit: 3c87222
🔍 Latest deploy log: https://app.netlify.com/sites/remarkable-entremet-e59b41/deploys/673bbb34cbacc20008073b35
😎 Deploy Preview: https://deploy-preview-111--remarkable-entremet-e59b41.netlify.app
📱 Preview on mobile: QR code (use your smartphone camera to open the link)

To edit notification comments on pull requests, go to your Netlify site configuration.
