Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Known vulnerability in undici subdependency #8038

Closed
m-wagner98 opened this issue Feb 22, 2024 · 2 comments · Fixed by #8044
Closed

Known vulnerability in undici subdependency #8038

m-wagner98 opened this issue Feb 22, 2024 · 2 comments · Fixed by #8044
Labels
api: core needs-attention

Comments

@m-wagner98
Copy link

Operating System

n/a

Browser Version

n/a

Firebase SDK Version

10.8.0

Firebase SDK Product:

Auth, Firestore, Functions, Storage

Describe your project's tooling

Angular app, built with ionic.

Describe the problem

The CI/CD pipeline fails because SonarQube detected a known vulnerability in the undici subdependency:
GHSA-3787-6prv-h9w3

Steps and code to reproduce issue

Perform a SonarQube scan with the owasp dependency check plugin on a package.json where the "firebase": "^10.8.0" entry is present.
@m-wagner98 m-wagner98 added new A new issue that hasn't be categoirzed as question, bug or feature request question labels Feb 22, 2024
@jbalidiong jbalidiong added needs-attention and removed new A new issue that hasn't be categoirzed as question, bug or feature request labels Feb 22, 2024
@jbalidiong
Copy link
Contributor

Hi @m-wagner98, thanks for bringing this to our attention. Let me communicate this with our engineers to update the dependency to the patched version. I’ll update this thread if I have any information to share.

@aalej aalej mentioned this issue Feb 23, 2024
Closed
@Krisell
Copy link

Krisell commented Feb 26, 2024

In case it helps, the Steps to reproduce is just npm i firebase
And to see more details, followed by npm audit

@hsubox76 hsubox76 mentioned this issue Feb 26, 2024
Merged
@danny-avila danny-avila mentioned this issue Feb 26, 2024
Merged
DellaBitta pushed a commit that referenced this issue Feb 27, 2024
@hsubox76
Bump undici due to security issue (#8044)
f3cec28 
See GHSA-3787-6prv-h9w3

For reference, `undici` is used to polyfill `fetch` in our Node bundles, as we are not restricting Node support to 18+ yet.

Fixes #8038
@google-oss-bot google-oss-bot mentioned this issue Feb 27, 2024
Merged
@firebase firebase locked and limited conversation to collaborators Mar 29, 2024
tom-andersen pushed a commit that referenced this issue Jul 24, 2024
@hsubox76 @tom-andersen
Bump undici due to security issue (#8044)
6c109c1 
See GHSA-3787-6prv-h9w3

For reference, `undici` is used to polyfill `fetch` in our Node bundles, as we are not restricting Node support to 18+ yet.

Fixes #8038
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
api: core needs-attention
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump undici due to security issue firebase/firebase-js-sdk
5 participants
@Krisell @google-oss-bot @m-wagner98 @Xiaoshouzi-gh @jbalidiong