Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency firebase-tools to v13 [SECURITY] #279

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 3, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
firebase-tools 12.9.1 -> 13.6.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-4128

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.


Firebase vulnerable to CRSF attack

CVE-2024-4128 / GHSA-rcm2-22f3-pqv3 / GO-2024-2808

More information

Details

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

firebase/firebase-tools (firebase-tools)

v13.6.0

Compare Source

  • Released Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a reset endpoint for Datastore Mode.
  • Released PubSub Emulator 0.8.2. This version includes support for no_wrapper options.
  • Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains. (#​6895)
  • Fixes issue where GOOGLE_CLOUD_QUOTA_PROJECT breaks functions source uploads (#​6917)

v13.5.2

Compare Source

  • Fix hosting rewrite deployment bug for skipped functions (#​6658).

v13.5.1

Compare Source

  • Release Emulator Suite UI v1.11.8 which adds support for Multiple DBs in the Emulator UI Firestore page via editing the URL. (#​6874)

v13.5.0

Compare Source

  • Enable dynamic debugger port for functions + support for inspecting multiple codebases (#​6854)
  • Inject an environment variable in the node functions emulator to tell the google-gax SDK not to look for the metadata service. (#​6860)
  • Release Firestore Emulator 1.19.3 which fixes ancestor and namespace scope queries for Datastore Mode. This release also fixes internal errors seen across REST API and firebase-js-sdk.
  • v2 scheduled functions with explicit service accounts trigger eventarc to use that service account (#​6858)
  • v2 event functions with explicit service accounts trigger eventarc to use that service account (#​6859)

v13.4.1

Compare Source

  • Released Firestore emulator v1.19.2, which fixes some bugs affecting client SDKs when in Datastore Mode.
  • Fix demo projects + web frameworks with emulators (#​6737)
  • Fix Next.js static routes with server actions (#​6664)
  • Fixed an issue where GOOGLE_CLOUD_QUOTA_PROJECT was not correctly respected. (#​6801)
  • Make VPC egress settings in functions parameterizeable (#​6843)

v13.4.0

Compare Source

  • Added new commands for managing Firestore backups and restoring databases. (#​6778)
  • Fixed quota attribution for Firebase Auth API calls. (#​6819)

v13.3.1

Compare Source

  • Release Cloud Firestore emulator v1.19.1:
    • Adds support for Datastore Mode to the Firstore Emulator. Adds
      --database-mode flag to gcloud emulator firestore start command. Note
      that this is a preview feature and if you find any bugs, please file them
      here: https://github.com/firebase/firebase-tools/issues.
  • Improve FAH onboarding flow to connect backends with SCMs (#​6764).
  • Fixed issue where GitHub actions would fail due to lack of permission. (#​6791)

v13.3.0

Compare Source

  • Improved detection for when login has expired due to Google Cloud Session Control. (#​1846)
  • Added support for Python 3.12. (#​6679)
  • Fixed issues with internal utilities. (#​6754)
  • Fixed an issue where firestore:delete wouldn't target the emulator when expected. (#​6537)

v13.2.1

Compare Source

  • Fixed an issue where appdistribution:distribute would always attempt to run tests. (#​6749)

v13.2.0

Compare Source

  • Added rudimentary email enumeration protection for auth emulator. (#​6702)

v13.1.0

Compare Source

  • Point v2 function target to entrypoint. (#​6698)
  • Fixed issue where Auth emulator sign in with Google only shows default tenant. (#​6683)
  • Prevent the use of pinTags + minInstances on the same function, as the features are not mutually compatible (#​6684)
  • Added force flag to delete backend (#​6635).
  • Use framework build target in Vite builds (#​6643).
  • Use framework build target in NODE_ENV for production Vite builds (#​6644)
  • Let framework handle public directory with emulator. (#​6674)
  • Dynamically import Vite to fix deprecated CJS build warning. (#​6660)
  • Fixed unsafe array spreads on Hosting deploys. (#​6712)

v13.0.3

Compare Source

  • Fixed typo in Cloud storage bucket metadata location type. (#​6648)
  • Fixed an issue where including export in .env files caused parsing errors. (#​6629)

v13.0.2

Compare Source

  • Fix Next.js dynamic and static OG images. (#​6592)
  • Address a regression introduced in 13.0.1 when emulating Vite applications. (#​6599)
  • Add RSC headers of Next.js app directory pages to Hosting headers. (#​6608)

v13.0.1

Compare Source

  • Fix bug where deploying Firestore function resulted in redudant API calls to the Firestore API (#​6583).
  • Fix an issue preventing Vite applications from being emulated on Windows. (#​6411)
  • Addressed an issue preventing Astro applications from being deployed from Windows. (#​5709)
  • Fixed an issue preventing Angular apps using ng-deploy from being emulated or deployed. (#​6584)
  • Warn if a Web Framework is outside a well known version range on deploy/emulate. (#​6562)
  • Use Web Framework's well known version range in firebase init hosting. (#​6562)
  • Permit use of more SSR regions in Web Frameworks deploys. (#​6086)
  • Limit Web Framework's generated Cloud Function name to 23 characters, fixing deploys for some. (#​6260)
  • Allow Nuxt as an option during firebase init hosting. (#​6309)

v13.0.0

Compare Source

  • Breaking: dropped support for running the CLI on Node.js v16.
  • Breaking: Refactored functions:shell to remove dependency on deprecated request module.
    • As part of this change, removed support for some rarely used features of request.
  • Breaking: Removed deprecated ext:dev:publish command. Use ext:dev:upload instead.
  • Added support for running the CLI on Node.js v20.
  • Switched Storage deployment to use GetDefaultBucket endpoint to fetch default Storage bucket. (#​6467)
  • Fixed an issue with emulating blocking functions when using multiple codebases (#​6504).
  • Added force flag call-out for bypassing prompts (#​6506).
  • Added the ability to deploy Angular apps using the new application-builder. (#​6480)
  • Fixed an issue where --non-interactive flag is not respected in Firestore indexes deploys. (#​6539)
  • Fixed an issue where login:use would not work outside of a Firebase project directory. (#​6526)
  • Prevent app router static not-found requiring a Cloud Function in Next.js deployments. (#​6558)
  • Use only site id from site name in list versions API. (#​6565)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner May 3, 2024 21:56
Copy link
Contributor Author

renovate bot commented May 3, 2024

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
/opt/containerbase/tools/corepack/0.28.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23250
  const isURL = URL.canParse(range);
                    ^

TypeError: URL.canParse is not a function
    at parseSpec (/opt/containerbase/tools/corepack/0.28.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23250:21)
    at loadSpec (/opt/containerbase/tools/corepack/0.28.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23313:11)
    at async Engine.findProjectSpec (/opt/containerbase/tools/corepack/0.28.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23487:22)
    at async Engine.executePackageManagerRequest (/opt/containerbase/tools/corepack/0.28.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23539:24)
    at async Object.runMain (/opt/containerbase/tools/corepack/0.28.0/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:24232:5)

Node.js v18.14.2

Copy link

changeset-bot bot commented May 3, 2024

⚠️ No Changeset found

Latest commit: 5155c21

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 5e8c04a to 5155c21 Compare July 24, 2024 13:33
Copy link
Contributor Author

renovate bot commented Jul 24, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22095
  const isURL = URL.canParse(range);
                    ^

TypeError: URL.canParse is not a function
    at parseSpec (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22095:21)
    at loadSpec (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22158:11)
    at async Engine.findProjectSpec (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22348:22)
    at async Engine.executePackageManagerRequest (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:22404:24)
    at async Object.runMain (/opt/containerbase/tools/corepack/0.29.3/18.14.2/node_modules/corepack/dist/lib/corepack.cjs:23096:5)

Node.js v18.14.2

Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected] environment, filesystem, network Transitive: eval, shell, unsafe +374 66.7 MB google-wombot

🚮 Removed packages: npm/[email protected]

View full report↗︎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants