Node-Fetch downstream security vulnerability

[bradcypert]

[REQUIRED] Describe your environment

• Operating System version: macOS Catalina 10.15.4
• Browser version: 76.0.1
• Firebase SDK version: 7.20.0
• Firebase Product: firestore (auth, database, storage, etc)

[REQUIRED] Describe the problem

There is a known security vulnerability with Node-Fetch that has been fixed in version 2.6.1+
https://www.npmjs.com/advisories/1556

Steps to reproduce:

Create a new project using yarn init.
Add firebase via yarn add firebase.
Run yarn audit
Note the security vulnerability on downstream dependency node-fetch.

Relevant Code:

As this is a downstream dependency issue, I dont have any relevant code to provide.

[hsubox76]

For my info:
The two sources of older versions of node-fetch are

• in Firestore's package.json (I see a PR for that, thanks)
• in Functions as a dependency of isomorphic-fetch which seems to be no longer maintained. Perhaps this should be replaced with node-fetch directly.

[wilhuff]

The issue in Firestore was resolved with #3759. The issue with isomorphic-fetch remains.