firebase / firebase-js-sdk

Firebase Javascript SDK
https://firebase.google.com/docs/web/setup

Known vulnerability in undici subdependency #8038

Closed m-wagner98 closed 7 months ago

m-wagner98 commented 8 months ago

Operating System

n/a

Browser Version

n/a

Firebase SDK Version

10.8.0

Firebase SDK Product:

Auth, Firestore, Functions, Storage

Describe your project's tooling

Angular app, built with Ionic.

Describe the problem

The CI/CD pipeline fails because SonarQube detected a known vulnerability in the undici subdependency: https://github.com/advisories/GHSA-3787-6prv-h9w3

Steps and code to reproduce issue

Perform a SonarQube scan with the OWASP Dependency-Check plugin on a package.json where the "firebase": "^10.8.0" entry is present.

jbalidiong commented 8 months ago

Hi @m-wagner98, thanks for bringing this to our attention. Let me communicate this with our engineers to update the dependency to the patched version. I’ll update this thread if I have any information to share.

Krisell commented 7 months ago

In case it helps, the steps to reproduce are just npm i firebase, followed by npm audit to see more details.
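The thread above identifies a vulnerable copy of undici reached only through firebase, which is the usual situation with a transitive dependency: npm audit names the package, but the team still has to find which installed copy is affected and which top-level dependency drags it in before deciding whether a bump, an override, or an upstream fix is the remedy. The script below is an added example (not code from the firebase-js-sdk project or from anyone in this issue): it walks an npm lockfile (lockfileVersion 2 or 3, the "packages" map), resolves each dependency the way Node does (nearest node_modules first, then upward), lists every installed copy of a named package with the chain from the project root, and marks copies that fall inside an advisory's affected ranges. The lockfile contents, the undici edge under firebase, the "some-tool" dev dependency, and the affected ranges are all constructed for illustration; the real affected and patched versions come from the advisory linked in the issue.

```javascript
// Added example, not code from the firebase-js-sdk project or from this issue thread.
// Lists every installed copy of a transitive dependency in an npm lockfile
// (lockfileVersion 2/3 "packages" map), the chain from the project root that pulls
// it in, and whether the copy falls inside an advisory's affected ranges.
// The lockfile and the ranges below are CONSTRUCTED for illustration only.

// Constructed lockfile: "firebase" is the dependency from the issue; the undici edge
// under it, the "some-tool" dev dependency and all version numbers are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { firebase: "^10.8.0" },
      devDependencies: { "some-tool": "^1.0.0" },
    },
    "node_modules/firebase": { version: "10.8.0", dependencies: { undici: "^5.20.0" } },
    "node_modules/undici": { version: "5.20.0" },
    "node_modules/some-tool": { version: "1.0.0", dev: true, dependencies: { undici: "^6.60.0" } },
    // Nested second copy: npm cannot hoist it because the top-level undici is another major.
    "node_modules/some-tool/node_modules/undici": { version: "6.60.0", dev: true },
  },
};

// Constructed affected ranges in the advisory style: [lowInclusive, highExclusive],
// one pair per release line. Replace with the real ranges from the advisory.
const SAMPLE_AFFECTED = [["0.0.0", "5.50.0"], ["6.0.0", "6.50.0"]];

// Parse "major.minor.patch" (prerelease/build suffixes are ignored for this comparison).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version a is strictly lower than version b.
function versionLess(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// True when the version sits inside any [lo, hi) affected range.
function isAffected(version, ranges) {
  return ranges.some(([lo, hi]) => !versionLess(version, lo) && versionLess(version, hi));
}

// Resolve a dependency name from a package path the way Node does: look in the
// package's own node_modules, then walk up one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  let cur = fromPath;
  for (;;) {
    const candidate = cur === "" ? `node_modules/${name}` : `${cur}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (cur === "") return null;
    const idx = cur.lastIndexOf("/node_modules/");
    cur = idx >= 0 ? cur.slice(0, idx) : "";
  }
}

// Walk the dependency graph from the root and collect every edge that lands on `target`.
function auditLock(lock, target, affectedRanges) {
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  const pkgs = lock.packages;
  const findings = [];
  const visited = new Set(); // each package path is expanded once; cycles are safe
  function walk(path, chain) {
    if (visited.has(path)) return;
    visited.add(path);
    const entry = pkgs[path];
    const deps = {
      ...(entry.dependencies || {}),
      ...(entry.optionalDependencies || {}),
      ...(path === "" ? entry.devDependencies || {} : {}),
    };
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(pkgs, path, name);
      if (!resolved) continue; // not installed (e.g. a pruned optional dependency)
      const version = pkgs[resolved].version;
      const nextChain = chain.concat(`${name}@${version}`);
      if (name === target) {
        findings.push({
          path: resolved,
          version,
          dev: Boolean(pkgs[resolved].dev),
          chain: nextChain.join(" > "),
          affected: isAffected(version, affectedRanges),
        });
      }
      walk(resolved, nextChain);
    }
  }
  walk("", []);
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLock(SAMPLE_LOCK, "undici", SAMPLE_AFFECTED)) {
    const tag = f.affected ? "AFFECTED" : "ok      ";
    console.log(`${tag} ${f.path} (${f.version}) via ${f.chain}${f.dev ? " [dev]" : ""}`);
  }
}
```

Run against a real package-lock.json by replacing SAMPLE_LOCK with the parsed file; the "dev" flag on a finding is what tells you whether a copy ships in the production bundle or only in the build toolchain, and the chain tells you which top-level dependency has to release a fix before the scanner will go quiet.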