
Firestore depends on @grpc/proto-loader 0.6.13 that still depends on vulnerable version of protobufjs < 7.2.4 #7524

Closed
Arsnj opened this issue Aug 4, 2023 · 1 comment
Labels: api: firestore, new (a new issue that hasn't been categorized as question, bug or feature request), question

Comments

@Arsnj

Arsnj commented Aug 4, 2023

Operating System

Windows

Browser Version

Chrome/114.0

Firebase SDK Version

10.1.0

Firebase SDK Product

Firestore

Describe your project's tooling

Angular app with Webpack.

Describe the problem

protobufjs 6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - GHSA-h755-8qp9-cq85
fix available via npm audit fix --force
Will install firebase@8.6.8, which is a breaking change
node_modules/protobufjs
@grpc/proto-loader 0.6.0-pre1 - 0.6.13
Depends on vulnerable versions of protobufjs
node_modules/@grpc/proto-loader

gRPC has already fixed their security issue. Could you update this package as well, please?

Steps and code to reproduce issue

npm audit fix.

@Arsnj Arsnj added the new (a new issue that hasn't been categorized as question, bug or feature request) and question labels Aug 4, 2023
@Arsnj Arsnj closed this as not planned (won't fix, can't repro, duplicate, stale) Aug 4, 2023
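As an added example (not part of this issue or of the Firebase project), the following Python check walks an `npm ls --json`-style dependency tree and lists every chain that ends in a protobufjs version inside the range reported by the audit above (6.10.0 - 7.2.3, fixed in 7.2.4), which tells you whether a vulnerable copy is actually reachable and through which parent. The sample tree, its root name and the leaf protobufjs version 6.11.3 are constructed for illustration.

```python
"""Find dependency chains that reach a protobufjs version in the audited range."""
from typing import Iterator

# Range reported by `npm audit` in the issue: protobufjs 6.10.0 - 7.2.3, first fixed release 7.2.4.
AFFECTED_MIN = (6, 10, 0)
FIRST_FIXED = (7, 2, 4)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.2.3' (or '0.6.0-pre1') into a comparable tuple; pre-release/build tags are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    major, minor, patch = (int(part) for part in core.split(".")[:3])
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in [6.10.0, 7.2.4), i.e. the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIRST_FIXED


def vulnerable_paths(tree: dict, package: str = "protobufjs", path=()) -> Iterator[tuple[str, ...]]:
    """Yield chains root -> ... -> package@version whose leaf version is affected."""
    for name, node in tree.get("dependencies", {}).items():
        version = node.get("version", "")
        here = path + (f"{name}@{version}",)
        if name == package and is_affected(version):
            yield here
        # Nested (non-hoisted) copies live under the parent's own "dependencies" key.
        yield from vulnerable_paths(node, package, here)


# Constructed sample tree: the chain named in the issue plus a hoisted, already-fixed copy.
SAMPLE_TREE = {
    "name": "angular-app",  # constructed project name
    "dependencies": {
        "firebase": {
            "version": "10.1.0",
            "dependencies": {
                "@grpc/proto-loader": {
                    "version": "0.6.13",
                    "dependencies": {"protobufjs": {"version": "6.11.3"}},  # constructed leaf version
                }
            },
        },
        "protobufjs": {"version": "7.2.4"},  # hoisted copy, outside the affected range
    },
}


def report(tree: dict) -> list[str]:
    """Render each vulnerable chain as 'a@1 > b@2 > protobufjs@x'."""
    return [" > ".join(chain) for chain in vulnerable_paths(tree)]


if __name__ == "__main__":
    for line in report(SAMPLE_TREE):
        print(line)
```

Feeding the real `npm ls --all --json` output in place of SAMPLE_TREE shows which parents still pin an affected protobufjs after `npm audit fix`, without forcing the breaking `firebase@8.6.8` downgrade the audit proposes.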
@Djeisen642

#7484

@firebase firebase locked and limited conversation to collaborators Sep 4, 2023