vuejs / vuefire

🔥 Firebase bindings for Vue.js
https://vuefire.vuejs.org
MIT License
3.82k stars 323 forks

ProtobufJS critical dependency vulnerability #1530

Closed FantixX closed 1 month ago

FantixX commented 1 month ago

Reproduction

/

Steps to reproduce the bug

/

Expected behavior

/

Actual behavior

/

Additional information

npm audit report

protobufjs  7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install firebase-admin@12.1.0, which is a breaking change
node_modules/google-gax/node_modules/protobufjs
  google-gax  2.2.1-pre - 2.2.1-pre.2 || 2.28.2-alpha.1 - 2.28.4-alpha.1 || 3.1.4 - 4.0.3
  Depends on vulnerable versions of protobufjs
  node_modules/google-gax
    @google-cloud/firestore  6.1.0-pre.0 - 6.8.0
    Depends on vulnerable versions of google-gax
    node_modules/@google-cloud/firestore
      firebase-admin  11.1.0 - 11.11.1
      Depends on vulnerable versions of @google-cloud/firestore
      node_modules/firebase-admin
        nuxt-vuefire  >=0.0.2
        Depends on vulnerable versions of firebase-admin
        node_modules/nuxt-vuefire

5 critical severity vulnerabilities

posva commented 1 month ago

That’s Firebase-admin… You should still be able to use newer versions of it with Nuxt VueFire. Updates are always in the roadmap, don’t open issues like this because they don’t help. There are already automated services like Dependabot noticing this.
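As an added example (not code from vuefire, nuxt-vuefire or either commenter): a small Node.js script that walks an `npm ls --json`-style dependency tree and lists every path that resolves protobufjs to a version inside the affected range the audit names (7.0.0 - 7.2.4), so that after bumping firebase-admin yourself, as posva suggests, you can confirm no vulnerable copy is left in the tree. The two sample trees and all version numbers in them are constructed for the example, and the comparison deliberately ignores prerelease tags.

```javascript
// Added example: find every dependency path that resolves protobufjs to a
// version in the advisory's affected range (7.0.0 - 7.2.4 per the audit).
// Assumption: plain x.y.z comparison; prerelease suffixes are ignored.

const VULNERABLE = { name: 'protobufjs', min: [7, 0, 0], max: [7, 2, 4] };

function parseVersion(v) {
  // '7.2.4-beta.1' -> [7, 2, 4]; unparsable strings yield null
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerable(name, version) {
  if (name !== VULNERABLE.name) return false;
  const v = parseVersion(version);
  return v !== null && compare(v, VULNERABLE.min) >= 0 && compare(v, VULNERABLE.max) <= 0;
}

// Returns one 'a@1 > b@2 > protobufjs@7.2.4' string per vulnerable path,
// walking the nested `dependencies` objects that `npm ls --json` produces.
function findVulnerablePaths(tree, trail = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, `${name}@${info.version}`];
    if (isVulnerable(name, info.version)) hits.push(path.join(' > '));
    hits.push(...findVulnerablePaths(info, path));
  }
  return hits;
}

// Constructed sample trees mirroring the chain in the audit report above
// (versions are illustrative, not taken from a real install).
const before = { dependencies: { 'nuxt-vuefire': { version: '0.4.1', dependencies: {
  'firebase-admin': { version: '11.11.1', dependencies: {
    '@google-cloud/firestore': { version: '6.8.0', dependencies: {
      'google-gax': { version: '4.0.3', dependencies: {
        protobufjs: { version: '7.2.4' } } } } } } } } } } };
const after = { dependencies: { 'nuxt-vuefire': { version: '0.4.1', dependencies: {
  'firebase-admin': { version: '12.1.0', dependencies: {
    '@google-cloud/firestore': { version: '7.5.0', dependencies: {
      'google-gax': { version: '4.3.2', dependencies: {
        protobufjs: { version: '7.2.6' } } } } } } } } } } };

console.log(findVulnerablePaths(before)); // one path ending in protobufjs@7.2.4
console.log(findVulnerablePaths(after));  // []
```

Run it against real output with `npm ls --all --json` piped into `JSON.parse` in place of the constructed trees.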