Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency firebase-tools to v13.6.0 [security] #171

Merged
merged 1 commit into from
Jul 17, 2024
Merged

fix(deps): update dependency firebase-tools to v13.6.0 [security] #171

merged 1 commit into from
Jul 17, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 3, 2024
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
firebase-tools 13.0.3 -> 13.6.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-4128

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.

Firebase vulnerable to CRSF attack

CVE-2024-4128 / GHSA-rcm2-22f3-pqv3 / GO-2024-2808

More information

Details

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

firebase/firebase-tools (firebase-tools)

v13.6.0

Compare Source

  • Released Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a reset endpoint for Datastore Mode.
  • Released PubSub Emulator 0.8.2. This version includes support for no_wrapper options.
  • Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains. (#​6895)
  • Fixes issue where GOOGLE_CLOUD_QUOTA_PROJECT breaks functions source uploads (#​6917)

v13.5.2

Compare Source

  • Fix hosting rewrite deployment bug for skipped functions (#​6658).

v13.5.1

Compare Source

  • Release Emulator Suite UI v1.11.8 which adds support for Multiple DBs in the Emulator UI Firestore page via editing the URL. (#​6874)

v13.5.0

Compare Source

  • Enable dynamic debugger port for functions + support for inspecting multiple codebases (#​6854)
  • Inject an environment variable in the node functions emulator to tell the google-gax SDK not to look for the metadata service. (#​6860)
  • Release Firestore Emulator 1.19.3 which fixes ancestor and namespace scope queries for Datastore Mode. This release also fixes internal errors seen across REST API and firebase-js-sdk.
  • v2 scheduled functions with explicit service accounts trigger eventarc to use that service account (#​6858)
  • v2 event functions with explicit service accounts trigger eventarc to use that service account (#​6859)

v13.4.1

Compare Source

  • Released Firestore emulator v1.19.2, which fixes some bugs affecting client SDKs when in Datastore Mode.
  • Fix demo projects + web frameworks with emulators (#​6737)
  • Fix Next.js static routes with server actions (#​6664)
  • Fixed an issue where GOOGLE_CLOUD_QUOTA_PROJECT was not correctly respected. (#​6801)
  • Make VPC egress settings in functions parameterizeable (#​6843)

v13.4.0

Compare Source

  • Added new commands for managing Firestore backups and restoring databases. (#​6778)
  • Fixed quota attribution for Firebase Auth API calls. (#​6819)

v13.3.1

Compare Source

  • Release Cloud Firestore emulator v1.19.1:
    • Adds support for Datastore Mode to the Firstore Emulator. Adds
      --database-mode flag to gcloud emulator firestore start command. Note
      that this is a preview feature and if you find any bugs, please file them
      here: https://github.com/firebase/firebase-tools/issues.
  • Improve FAH onboarding flow to connect backends with SCMs (#​6764).
  • Fixed issue where GitHub actions would fail due to lack of permission. (#​6791)

v13.3.0

Compare Source

  • Improved detection for when login has expired due to Google Cloud Session Control. (#​1846)
  • Added support for Python 3.12. (#​6679)
  • Fixed issues with internal utilities. (#​6754)
  • Fixed an issue where firestore:delete wouldn't target the emulator when expected. (#​6537)

v13.2.1

Compare Source

  • Fixed an issue where appdistribution:distribute would always attempt to run tests. (#​6749)

v13.2.0

Compare Source

  • Added rudimentary email enumeration protection for auth emulator. (#​6702)

v13.1.0

Compare Source

  • Point v2 function target to entrypoint. (#​6698)
  • Fixed issue where Auth emulator sign in with Google only shows default tenant. (#​6683)
  • Prevent the use of pinTags + minInstances on the same function, as the features are not mutually compatible (#​6684)
  • Added force flag to delete backend (#​6635).
  • Use framework build target in Vite builds (#​6643).
  • Use framework build target in NODE_ENV for production Vite builds (#​6644)
  • Let framework handle public directory with emulator. (#​6674)
  • Dynamically import Vite to fix deprecated CJS build warning. (#​6660)
  • Fixed unsafe array spreads on Hosting deploys. (#​6712)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner May 3, 2024 22:19
@vercel Vercel
Copy link

vercel bot commented May 3, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
faucet ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jul 17, 2024 1:42pm

@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from ca90dd0 to 3f02141 Compare June 4, 2024 12:42
@socket-security Socket Security
Copy link

socket-security bot commented Jun 4, 2024
edited
Loading

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@google-cloud/[email protected] Transitive: environment, filesystem, network +5 1.81 MB google-wombot
npm/@google-cloud/[email protected] None 0 55.1 kB google-wombot
npm/@google-cloud/[email protected] environment Transitive: filesystem, network, shell +43 15.9 MB google-wombot
npm/[email protected] Transitive: environment, filesystem, shell +30 2.57 MB ctalkington
npm/[email protected] filesystem +19 827 kB ctalkington
npm/[email protected] None +2 80.8 kB oprogramador
npm/[email protected] None 0 11 kB dtudury
npm/[email protected] Transitive: eval +4 83.8 kB ljharb
npm/[email protected] None 0 5.07 kB mafintosh
npm/[email protected] environment, filesystem, network Transitive: shell, unsafe +178 31.8 MB google-wombot
npm/[email protected] environment, filesystem, shell +4 670 kB google-wombot

🚮 Removed packages: npm/@babel/[email protected], npm/@babel/[email protected], npm/@babel/[email protected], npm/@google-cloud/[email protected], npm/@google-cloud/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 3f02141 to b7f5daf Compare July 6, 2024 12:20
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from b7f5daf to f32f2d1 Compare July 7, 2024 08:46
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from f32f2d1 to a0bd16f Compare July 7, 2024 08:59
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from a0bd16f to 86ddeb5 Compare July 9, 2024 07:54
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 86ddeb5 to 5bea57e Compare July 15, 2024 09:32
@renovate
fix(deps): update dependency firebase-tools to v13.6.0 [security]
fcec0c2 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 5bea57e to fcec0c2 Compare July 17, 2024 13:41
@aaronmgdr aaronmgdr merged commit be0aa9e into master Jul 17, 2024
7 checks passed
@renovate renovate bot deleted the renovate/npm-firebase-tools-vulnerability branch July 17, 2024 13:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aaronmgdr aaronmgdr aaronmgdr approved these changes

Assignees
No one assigned
Labels
type:security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@aaronmgdr