firebase-tools
firebase-tools copied to clipboard
firebase
Updating safe dependencies to fix some vulnerabilities
Description
Updated a bunch of dependencies to address some open vulnerabilities. I included all the non breaking updates suggested by npm audit. Additionally, I included a major updated to firebase - this is only used in some integration tests, so as long as those pass this should be zero risk. Fixes #4421 (at least partially)
Scenarios Tested
npm audit on master: found 53 vulnerabilities (2 low, 28 moderate, 18 high, 5 critical) in 1311 scanned packages
npm audit on this branch: found 24 vulnerabilities (2 low, 9 moderate, 13 high) in 1366 scanned packages
Why has this been stale for so long? @joehan @bkendall @yuchenshi
firebase-tools is still depending on old versions of node-fetch and node-forge which include severe vulnerabilities. From what I can see there is no reason to do so.
Almost every firebase related project I know uses firebase-admin as a runtime dependency and firebase-tools as a dev dependency. Just because the firebase-tools package does not allow a more recent version of node-fetch and node-forge firebase-admin is also forced to rely on the same old vulnerable versions. This should not happen - even less so if the issue has been reported ages ago.
Hey @antonstefer -
As you can see from the commit status here, updating the dependencies does mean having to address other code to accommodate for it. Updating firebase from v7 to v9 is a non-trivial change, and it's unfortunately not something we've been able to dedicate time to.
Here's one of the other troubles that we've run into though: with npm-shrinkwrap in place, npm incorrectly installs dev dependencies when firebase-tools is installed. We've known about this issue but it's something that has to be fixed on npm's side. That shouldn't happen - even less so [since] the issue [was] reported ages ago. We're hesitant to work around that issue because it may make our publishing process more fragile as we change our dependency tree. Unfortunately, this causes more havoc in other places (especially since npm audit can be very noisy) and has been a pain for a while.
On a positive note, if you run npm audit --omit=dev to look at the modules that are being used by firebase-tools, we only currently have a single warning (I'll paste below). On the plus side, superstatic is something I'm working on updating, on the negative side, to upgrade update-notifier a major version to fix the issue would require upgrading superstatic to an ES module, which would require upgrading firebase-tools to an ES module - neither of which is a trivial operation.
There's a complex web of issues, dependencies, audits, moving parts owned by just as many people, and firebase-tools doesn't have infinite staffing behind it to instantly fix every issue. I appreciate your patience as we work through them. Keep in mind that we're all humans with limited amounts of time and varying priorities, so some specific issues may have to wait before we can fully address them.
» npm audit --omit=dev
# npm audit report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/superstatic/node_modules/update-notifier
node_modules/update-notifier
superstatic >=0.12.11
Depends on vulnerable versions of update-notifier
node_modules/superstatic
5 moderate severity vulnerabilities
Thanks for the detailed reply, I am sure you are all doing your best.
However, this package is still by far the biggest troublemaker in most of my projects in terms of security vulnerabilities due to outdated dependencies. If it's a staffing issue, I have little sympathy for Google not assigning more people to this project. After all, it is still a product they are trying to sell.
Do you have any recommendations for the time being? The npm issue does not seem like it will be resolved in the near future.