
24 vulnerabilities (17 moderate, 7 high) #4673

Closed
cupidchan opened this issue Jun 20, 2022 · 1 comment

Comments

@cupidchan

[REQUIRED] Environment info

firebase-tools:
11.1.0

Platform:
macOS

[REQUIRED] Test case

npm audit

[REQUIRED] Steps to reproduce

just run npm audit

[REQUIRED] Expected behavior

No vulnerabilities

[REQUIRED] Actual behavior

To be fair, not all vulnerabilities are due to firebase (e.g. ngx-quill is my own library), but the report shows the majority of the vulnerabilities come from firebase. At one point, I thought that was fixed by installing the latest version and closed another issue prematurely. Indeed, I updated the CLI to the latest version and still have those issues.

npm audit report

@firebase/util <0.3.4
Severity: moderate
Uncontrolled Resource Consumption in firebase - GHSA-fpm5-vv97-jfwg
fix available via npm audit fix
node_modules/firebase-tools/node_modules/@firebase/analytics/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/app/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/component/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/database/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/firestore/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/installations/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/messaging/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/performance/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/remote-config/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/@firebase/storage/node_modules/@firebase/util
node_modules/firebase-tools/node_modules/firebase/node_modules/@firebase/util
@firebase/analytics <=0.6.2-longpoll.66863f547 || 0.6.3-202111622333 - 0.6.3-canary.6afe42613 || 0.6.4-2021119233939 - 0.6.4-eap-storage-emulator.ed256f582
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/installations
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/analytics
firebase 0.800.1 - 0.900.25 || 4.5.1 - 8.10.0 || 9.0.0-20217250818 - 9.6.4
Depends on vulnerable versions of @firebase/analytics
Depends on vulnerable versions of @firebase/app
Depends on vulnerable versions of @firebase/database
Depends on vulnerable versions of @firebase/firestore
Depends on vulnerable versions of @firebase/functions
Depends on vulnerable versions of @firebase/installations
Depends on vulnerable versions of @firebase/messaging
Depends on vulnerable versions of @firebase/performance
Depends on vulnerable versions of @firebase/remote-config
Depends on vulnerable versions of @firebase/storage
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/firebase
@firebase/app <=0.6.13-longpoll.66863f547 || 0.6.14-2021026232412 - 0.6.14-canary.fd16bb26d || 0.6.15-2021119233939 - 0.6.15-eap-storage-emulator.ed256f582
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/app
@firebase/component <=0.1.21-longpoll.66863f547 || 0.2.0-2021119233939 - 0.2.0-eap-storage-emulator.ed256f582
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/component
@firebase/database <=0.7.1-canary.fc9de467b || 0.8.0-202010180421 - 0.8.0-canary.bab4e1935 || 0.8.1-1.0.0-eap-firestore-debug.9c6096f43 - 0.8.1-canary.ff9dc3460 || 0.8.2-20210721223 - 0.8.2-longpoll.66863f547 || 0.8.3-2021012224526 - 0.8.3-canary.fb90580e5 || 0.9.0-2021019222814 - 0.9.0-canary.d9b945fed || 0.9.1-2021026232412 - 0.9.1-canary.fd16bb26d || 0.9.2-202112213818 - 0.9.2-canary.f5139220e || 0.9.3-202119234540 - 0.9.3-canary.ee6980dee || 0.9.4-2021119233939 - 0.9.4-eap-storage-emulator.ed256f582
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/database
@firebase/firestore <=0.0.900-exp.f919db6a9 || 1.4.2-0 - 1.4.2-canary.ea3adf1 || 1.4.3-0 - 1.4.3-canary.fc5a87c || 1.4.4-0 - 2.4.0 || 3.0.0-20217250818 - 3.4.3
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/util
Depends on vulnerable versions of node-fetch
node_modules/firebase-tools/node_modules/@firebase/firestore
@firebase/functions <=0.0.900-exp.f919db6a9 || 0.4.26-0 - 0.4.26-canary.fe11de0 || 0.4.27-0 - 0.6.15 || 0.7.0-20217250818 - 0.7.7
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of node-fetch
node_modules/firebase-tools/node_modules/@firebase/functions
@firebase/installations <=0.4.19-longpoll.66863f547 || 0.4.20-2021119233939 - 0.4.20-eap-storage-emulator.ed256f582
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/installations
@firebase/messaging <=0.7.3-longpoll.66863f547 || 0.7.4-2021119233939 - 0.7.4-eap-storage-emulator.ed256f582
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/installations
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/messaging
@firebase/performance <=0.4.4-canary.ff9dc3460 || 0.4.5-202011822428 - 0.4.5-longpoll.66863f547 || 0.4.6-2021119233939 - 0.4.6-eap-storage-emulator.ed256f582
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/installations
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/performance
@firebase/remote-config <=0.1.30-longpoll.66863f547 || 0.1.31-2021119233939 - 0.1.31-eap-storage-emulator.ed256f582
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/installations
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/remote-config
@firebase/storage 0.3.4-0 - 0.3.4-canary.fc5a87c || 0.3.5-0 - 0.4.1-canary.f9dc50e35 || 0.4.2-1.0.0-eap-firestore-debug.9c6096f43 - 0.4.2-longpoll.66863f547 || 0.4.3-2021119233939 - 0.4.3-eap-storage-emulator.ed256f582 || >=1.0.0-2020922203858
Depends on vulnerable versions of @firebase/component
Depends on vulnerable versions of @firebase/util
node_modules/firebase-tools/node_modules/@firebase/storage

ajv <6.12.3
Severity: moderate
Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw
fix available via npm audit fix
node_modules/firebase-tools/node_modules/oas-validator/node_modules/ajv
oas-validator <=4.0.8
Depends on vulnerable versions of ajv
Depends on vulnerable versions of better-ajv-errors
node_modules/firebase-tools/node_modules/oas-validator
swagger2openapi 2.12.0-0 - 6.2.3
Depends on vulnerable versions of better-ajv-errors
Depends on vulnerable versions of oas-validator
node_modules/firebase-tools/node_modules/swagger2openapi

dicer *
Severity: high
Crash in HeaderParser in dicer - GHSA-wm7h-9275-46v2
fix available via npm audit fix
node_modules/firebase-tools/node_modules/dicer
firebase-admin 5.0.0 - 10.2.0
Depends on vulnerable versions of dicer
Depends on vulnerable versions of node-forge
node_modules/firebase-tools/node_modules/firebase-admin

jsonpointer <5.0.0
Severity: moderate
Prototype Pollution in node-jsonpointer - GHSA-282f-qqgm-c34q
fix available via npm audit fix
node_modules/firebase-tools/node_modules/jsonpointer
better-ajv-errors <=0.8.1
Depends on vulnerable versions of jsonpointer
node_modules/firebase-tools/node_modules/better-ajv-errors

node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - GHSA-r683-j2x4-v87g
fix available via npm audit fix
node_modules/firebase-tools/node_modules/@firebase/firestore/node_modules/node-fetch
node_modules/firebase-tools/node_modules/@firebase/functions/node_modules/node-fetch

node-forge <=1.2.1
Severity: high
Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in node-forge - GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765
fix available via npm audit fix
node_modules/firebase-tools/node_modules/node-forge

quill <=1.3.7
Severity: moderate
Cross-site Scripting in quill - GHSA-4943-9vgg-gr5r
No fix available
node_modules/quill
ngx-quill *
Depends on vulnerable versions of quill
node_modules/ngx-quill

24 vulnerabilities (17 moderate, 7 high)

To address issues that do not require attention, run:
npm audit fix

Some issues need review, and may require choosing
a different dependency.

@cupidchan cupidchan added the bug label Jun 20, 2022
@bkendall
Contributor

We are aware of these issues in our dev dependencies. Since they do not affect the production code (as it runs), these shouldn't be an issue. This is caused by npm/cli#4323
