[Snyk] Security upgrade firebase-functions from 3.11.0 to 6.1.0 #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

RMSPORTS1902 wants to merge 1 commit into master from snyk-fix-04f62171158d17a0286cb45b478d0163

Owner

RMSPORTS1902 commented Oct 22, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- functions/functions/package.json
- functions/functions/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	624/1000 Why? Has a fix available, CVSS 8.2	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	Yes	No Known Exploit
	519/1000 Why? Has a fix available, CVSS 6.1	Open Redirect SNYK-JS-EXPRESS-6474509	Yes	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Cross-site Scripting SNYK-JS-EXPRESS-7926867	Yes	No Known Exploit
	666/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.9	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Poisoning SNYK-JS-QS-3153490	Yes	Proof of Concept
	319/1000 Why? Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SEND-7926862	Yes	No Known Exploit
	319/1000 Why? Has a fix available, CVSS 2.1	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: firebase-functions

The new version differs by 250 commits.

28a8075 6.1.0
555c72b Bump express version to at least ^4.19.2. (Samsung Galaxy Note 9 firebase/quickstart-android#1624)
32a7ef3 Bump cookie and express (Update Vertex AI quickstart to use model 1.5-flash firebase/quickstart-android#1626)
827ba0e Add beforeEmailSent and beforeSmsSent trigger types (Auto-update dependencies. firebase/quickstart-android#1621)
6b02fd3 [firebase-release] Removed change log and reset repo after 6.0.1 release
24c6c7c 6.0.1
4b7b279 Export 'app' in v2 entrypoint (#1615)
0c22c28 [firebase-release] Removed change log and reset repo after 6.0.0 release
7d5d221 6.0.0
0493271 Expose functions.config in the v2 namespace to avoid breaking the Functions Emulator. (Auto-update dependencies. firebase/quickstart-android#1607)
ac948b4 Add changelog for v6 release. (Configuration of firebase.json due to firebase tools 13.0.0 breaking change firebase/quickstart-android#1606)
e95b9ef Add @ deprecated annotation on functions.config() API (Auto-update dependencies. firebase/quickstart-android#1604)
d65d35f Change default entrypoint of the firebase-functions package to v2 instead of v1 (Auto-update dependencies. firebase/quickstart-android#1594)
c0b488a [firebase-release] Removed change log and reset repo after 5.1.1 release
b545fab 5.1.1
a13ca20 Fix release script. (Auto-update dependencies. firebase/quickstart-android#1602)
3a78784 Corrected config-env link to be URL (refactor: deprecate app indexing firebase/quickstart-android#1334)
097b73c Fix bug with CORS options for an array of one item for `onCall` (raw.githubusercontent.com/psf/black/main/AUTHORS.md firebase/quickstart-android#1563) (raw.githubusercontent.com/psf/black/main/AUTHORS.md firebase/quickstart-android#1564)
e0f786f Bump tough-cookie from 4.1.2 to 4.1.3 (Auto-update dependencies. firebase/quickstart-android#1436)
f5e5e47 Bump express from 4.18.2 to 4.19.2 (chore(fcm): remove guava dependency firebase/quickstart-android#1546)
f32649d Bump word-wrap from 1.2.3 to 1.2.4 (refactor(auth): fix generic idp provider spinner not showing firebase/quickstart-android#1449)
1dced38 Bump jose from 4.14.4 to 4.15.5 (Slow firebase/quickstart-android#1535)
226a819 Bump @ grpc/grpc-js from 1.9.13 to 1.9.15 (Firebase quickstart firebase/quickstart-android#1573)
2d56bb7 Bump ws from 7.5.9 to 7.5.10 (Deprecate Dynamic Links firebase/quickstart-android#1576)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Cross-site Scripting
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

fix: functions/functions/package.json & functions/functions/package-l…

e08bb69

…ock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-BODYPARSER-7926860 - https://snyk.io/vuln/SNYK-JS-EXPRESS-6474509 - https://snyk.io/vuln/SNYK-JS-EXPRESS-7926867 - https://snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106 - https://snyk.io/vuln/SNYK-JS-QS-3153490 - https://snyk.io/vuln/SNYK-JS-SEND-7926862 - https://snyk.io/vuln/SNYK-JS-SERVESTATIC-7926865

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment