Closed renovate[bot] closed 3 months ago
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@opentelemetry/semantic-conventions@1.12.0, npm/@types/archiver@5.3.2, npm/@types/readdir-glob@1.1.1, npm/as-array@1.0.0, npm/binary@0.3.0, npm/boxen@4.2.0, npm/buffer-indexof-polyfill@1.0.2, npm/buffers@0.1.1, npm/chainsaw@0.1.0, npm/cli-color@1.4.0, npm/compare-semver@1.1.0, npm/csv-streamify@3.0.4, npm/data-uri-to-buffer@3.0.1, npm/degenerator@3.0.3, npm/duplexer2@0.1.4, npm/es6-weak-map@2.0.3, npm/event-emitter@0.3.5, npm/exegesis-express@2.0.1, npm/exit-code@1.0.2, npm/firebase-tools@9.20.0, npm/is-promise@2.2.2, npm/latest-version@5.1.0, npm/lru-queue@0.1.0, npm/marked@0.7.0, npm/memoizee@0.4.15, npm/timers-ext@0.1.7, npm/traverse@0.3.9
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
Alert | Package | Note | Source | CI |
---|---|---|---|---|
Native code | npm/re2@1.21.3 |
| 🚫 |
Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of ecosystem/package-name@version
specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0
or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore npm/re2@1.21.3
This PR contains the following updates:
9.20.0
->13.6.0
Firebase vulnerable to CRSF attack
CVE-2024-4128 / GHSA-rcm2-22f3-pqv3 / GO-2024-2808
More information
#### Details This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or [commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0](https://togithub.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0). #### Severity - CVSS Score: 2.6 / 10 (Low) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-4128](https://nvd.nist.gov/vuln/detail/CVE-2024-4128) - [https://github.com/firebase/firebase-tools/pull/6944](https://togithub.com/firebase/firebase-tools/pull/6944) - [https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0](https://togithub.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0) - [https://github.com/firebase/firebase-tools](https://togithub.com/firebase/firebase-tools) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-rcm2-22f3-pqv3) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
firebase/firebase-tools (firebase-tools)
### [`v13.6.0`](https://togithub.com/firebase/firebase-tools/releases/tag/v13.6.0) [Compare Source](https://togithub.com/firebase/firebase-tools/compare/v13.5.2...v13.6.0) - Released Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a `reset` endpoint for Datastore Mode. - Released PubSub Emulator 0.8.2. This version includes support for `no_wrapper` options. - Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains. ([#6895](https://togithub.com/firebase/firebase-tools/issues/6895)) - Fixes issue where GOOGLE_CLOUD_QUOTA_PROJECT breaks functions source uploads ([#6917](https://togithub.com/firebase/firebase-tools/issues/6917)) ### [`v13.5.2`](https://togithub.com/firebase/firebase-tools/releases/tag/v13.5.2) [Compare Source](https://togithub.com/firebase/firebase-tools/compare/v13.5.1...v13.5.2) - Fix hosting rewrite deployment bug for skipped functions ([#6658](https://togithub.com/firebase/firebase-tools/issues/6658)). ### [`v13.5.1`](https://togithub.com/firebase/firebase-tools/releases/tag/v13.5.1) [Compare Source](https://togithub.com/firebase/firebase-tools/compare/v13.5.0...v13.5.1) - Release Emulator Suite UI v1.11.8 which adds support for Multiple DBs in the Emulator UI Firestore page via editing the URL. ([#6874](https://togithub.com/firebase/firebase-tools/issues/6874)) ### [`v13.5.0`](https://togithub.com/firebase/firebase-tools/releases/tag/v13.5.0) [Compare Source](https://togithub.com/firebase/firebase-tools/compare/v13.4.1...v13.5.0) - Enable dynamic debugger port for functions + support for inspecting multiple codebases ([#6854](https://togithub.com/firebase/firebase-tools/issues/6854)) - Inject an environment variable in the node functions emulator to tell the google-gax SDK not to look for the metadata service. ([#6860](https://togithub.com/firebase/firebase-tools/issues/6860)) - Release Firestore Emulator 1.19.3 which fixes ancestor and namespace scope queries for Datastore Mode. This release also fixes internal errors seen across REST API and firebase-js-sdk. - v2 scheduled functions with explicit service accounts trigger eventarc to use that service account ([#6858](https://togithub.com/firebase/firebase-tools/issues/6858)) - v2 event functions with explicit service accounts trigger eventarc to use that service account ([#6859](https://togithub.com/firebase/firebase-tools/issues/6859)) ### [`v13.4.1`](https://togithub.com/firebase/firebase-tools/releases/tag/v13.4.1) [Compare Source](https://togithub.com/firebase/firebase-tools/compare/v13.4.0...v13.4.1) - Released Firestore emulator v1.19.2, which fixes some bugs affecting client SDKs when in Datastore Mode. - Fix demo projects + web frameworks with emulators ([#6737](https://togithub.com/firebase/firebase-tools/issues/6737)) - Fix Next.js static routes with server actions ([#6664](https://togithub.com/firebase/firebase-tools/issues/6664)) - Fixed an issue where `GOOGLE_CLOUD_QUOTA_PROJECT` was not correctly respected. ([#6801](https://togithub.com/firebase/firebase-tools/issues/6801)) - Make VPC egress settings in functions parameterizeable ([#6843](https://togithub.com/firebase/firebase-tools/issues/6843)) ### [`v13.4.0`](https://togithub.com/firebase/firebase-tools/releases/tag/v13.4.0) [Compare Source](https://togithub.com/firebase/firebase-tools/compare/v13.3.1...v13.4.0) - Added new commands for managing Firestore backups and restoring databases. ([#6778](https://togithub.com/firebase/firebase-tools/issues/6778)) - Fixed quota attribution for Firebase Auth API calls. ([#6819](https://togithub.com/firebase/firebase-tools/issues/6819)) ### [`v13.3.1`](https://togithub.com/firebase/firebase-tools/releases/tag/v13.3.1) [Compare Source](https://togithub.com/firebase/firebase-tools/compare/v13.3.0...v13.3.1) - Release Cloud Firestore emulator v1.19.1: - Adds support for Datastore Mode to the Firstore Emulator. Adds `--database-mode` flag to `gcloud emulator firestore start` command. Note that this is a preview feature and if you find any bugs, please file them here:Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.