-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency firebase-tools to v13 [SECURITY] #279
base: main
Are you sure you want to change the base?
Conversation
⚠ Artifact update problemRenovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below: File name: yarn.lock
|
|
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
5e8c04a
to
5155c21
Compare
|
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/[email protected] |
This PR contains the following updates:
12.9.1
->13.6.0
GitHub Vulnerability Alerts
CVE-2024-4128
This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.
Firebase vulnerable to CRSF attack
CVE-2024-4128 / GHSA-rcm2-22f3-pqv3 / GO-2024-2808
More information
Details
This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
firebase/firebase-tools (firebase-tools)
v13.6.0
Compare Source
reset
endpoint for Datastore Mode.no_wrapper
options.v13.5.2
Compare Source
v13.5.1
Compare Source
v13.5.0
Compare Source
v13.4.1
Compare Source
GOOGLE_CLOUD_QUOTA_PROJECT
was not correctly respected. (#6801)v13.4.0
Compare Source
v13.3.1
Compare Source
--database-mode
flag togcloud emulator firestore start
command. Notethat this is a preview feature and if you find any bugs, please file them
here: https://github.com/firebase/firebase-tools/issues.
v13.3.0
Compare Source
firestore:delete
wouldn't target the emulator when expected. (#6537)v13.2.1
Compare Source
appdistribution:distribute
would always attempt to run tests. (#6749)v13.2.0
Compare Source
v13.1.0
Compare Source
v13.0.3
Compare Source
export
in .env files caused parsing errors. (#6629)v13.0.2
Compare Source
v13.0.1
Compare Source
firebase init hosting
. (#6562)firebase init hosting
. (#6309)v13.0.0
Compare Source
functions:shell
to remove dependency on deprecatedrequest
module.request
.ext:dev:publish
command. Useext:dev:upload
instead.--non-interactive
flag is not respected in Firestore indexes deploys. (#6539)login:use
would not work outside of a Firebase project directory. (#6526)not-found
requiring a Cloud Function in Next.js deployments. (#6558)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.