Skip to content

Update dependency undici #8132

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Bullfrog1234 opened this issue Apr 6, 2024 · 1 comment · Fixed by #8138
Closed

Update dependency undici #8132

Bullfrog1234 opened this issue Apr 6, 2024 · 1 comment · Fixed by #8138
Labels
api: core needs-attention

Comments

@Bullfrog1234
Copy link

Operating System

N/A

Browser Version

N/A

Firebase SDK Version

10.10.0

Firebase SDK Product:

Auth, Firestore, Functions, Storage

Describe your project's tooling

NX workspace using react and node apps and libraries. With Snyk testing for vunerabilities.

Describe the problem

There is a security vulnerability in the package [email protected] that has been patched in <5.28.4 <6.11.1.

Details can be found here:

Introduced through:

I recommend that [email protected] is installed as I cannot see any breaking changes in what has been released in that version of the package.

Steps and code to reproduce issue

Install the package and run on Snyk Open-Source test. Firebase returns a low vulnerability.
@Bullfrog1234 Bullfrog1234 added new A new issue that hasn't be categoirzed as question, bug or feature request question labels Apr 6, 2024
@jbalidiong jbalidiong added needs-attention and removed new A new issue that hasn't be categoirzed as question, bug or feature request labels Apr 7, 2024
@jbalidiong
Copy link
Contributor

@Bullfrog1234, thank you for pointing this out. I'll communicate this to our engineers in order to update the dependencies to the patched version. I'll update this thread if I have more information to share.

@DellaBitta DellaBitta mentioned this issue Apr 8, 2024
Merged
DellaBitta added a commit that referenced this issue Apr 8, 2024
@DellaBitta
Update undici dependency to 5.8.24. (#8138)
fe09d83 
Update our undici dependency to 5.8.24 due to CVE-2024-30260.

Fixes #8132.
@google-oss-bot google-oss-bot mentioned this issue Apr 9, 2024
Merged
@firebase firebase locked and limited conversation to collaborators May 9, 2024
tom-andersen pushed a commit that referenced this issue Jul 24, 2024
@DellaBitta @tom-andersen
Update undici dependency to 5.8.24. (#8138)
719c531 
Update our undici dependency to 5.8.24 due to CVE-2024-30260.

Fixes #8132.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
api: core needs-attention
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update undici dependency to 5.8.24 due to CVE-2024-30260. firebase/firebase-js-sdk
3 participants
@Bullfrog1234 @google-oss-bot @jbalidiong