fix(deps): update dependency firebase-tools to v13 [security] #1

Open: renovate[bot] wants to merge 1 commit into base: master
@renovate renovate bot commented Jun 21, 2024

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| firebase-tools | ^11.30.0 -> ^13.0.0 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-4128

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (i.e., Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.


Release Notes

firebase/firebase-tools (firebase-tools)

v13.6.0

  • Released Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a reset endpoint for Datastore Mode.
  • Released PubSub Emulator 0.8.2. This version includes support for no_wrapper options.
  • Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains. (#​6895)
  • Fixes issue where GOOGLE_CLOUD_QUOTA_PROJECT breaks functions source uploads (#​6917)

v13.5.2

  • Fix hosting rewrite deployment bug for skipped functions (#​6658).

v13.5.1

  • Release Emulator Suite UI v1.11.8 which adds support for Multiple DBs in the Emulator UI Firestore page via editing the URL. (#​6874)

v13.5.0

  • Enable dynamic debugger port for functions + support for inspecting multiple codebases (#​6854)
  • Inject an environment variable in the node functions emulator to tell the google-gax SDK not to look for the metadata service. (#​6860)
  • Release Firestore Emulator 1.19.3 which fixes ancestor and namespace scope queries for Datastore Mode. This release also fixes internal errors seen across REST API and firebase-js-sdk.
  • v2 scheduled functions with explicit service accounts trigger eventarc to use that service account (#​6858)
  • v2 event functions with explicit service accounts trigger eventarc to use that service account (#​6859)

v13.4.1

  • Released Firestore emulator v1.19.2, which fixes some bugs affecting client SDKs when in Datastore Mode.
  • Fix demo projects + web frameworks with emulators (#​6737)
  • Fix Next.js static routes with server actions (#​6664)
  • Fixed an issue where GOOGLE_CLOUD_QUOTA_PROJECT was not correctly respected. (#​6801)
  • Make VPC egress settings in functions parameterizeable (#​6843)

v13.4.0

  • Added new commands for managing Firestore backups and restoring databases. (#​6778)
  • Fixed quota attribution for Firebase Auth API calls. (#​6819)

v13.3.1

  • Release Cloud Firestore emulator v1.19.1:
    • Adds support for Datastore Mode to the Firestore Emulator. Adds
      --database-mode flag to gcloud emulator firestore start command. Note
      that this is a preview feature and if you find any bugs, please file them
      here: https://github.com/firebase/firebase-tools/issues.
  • Improve FAH onboarding flow to connect backends with SCMs (#​6764).
  • Fixed issue where GitHub actions would fail due to lack of permission. (#​6791)

v13.3.0

  • Improved detection for when login has expired due to Google Cloud Session Control. (#​1846)
  • Added support for Python 3.12. (#​6679)
  • Fixed issues with internal utilities. (#​6754)
  • Fixed an issue where firestore:delete wouldn't target the emulator when expected. (#​6537)

v13.2.1

  • Fixed an issue where appdistribution:distribute would always attempt to run tests. (#​6749)

v13.2.0

  • Added rudimentary email enumeration protection for auth emulator. (#​6702)

v13.1.0

  • Point v2 function target to entrypoint. (#​6698)
  • Fixed issue where Auth emulator sign in with Google only shows default tenant. (#​6683)
  • Prevent the use of pinTags + minInstances on the same function, as the features are not mutually compatible (#​6684)
  • Added force flag to delete backend (#​6635).
  • Use framework build target in Vite builds (#​6643).
  • Use framework build target in NODE_ENV for production Vite builds (#​6644)
  • Let framework handle public directory with emulator. (#​6674)
  • Dynamically import Vite to fix deprecated CJS build warning. (#​6660)
  • Fixed unsafe array spreads on Hosting deploys. (#​6712)

v13.0.3

  • Fixed typo in Cloud storage bucket metadata location type. (#​6648)
  • Fixed an issue where including export in .env files caused parsing errors. (#​6629)

v13.0.2

  • Fix Next.js dynamic and static OG images. (#​6592)
  • Address a regression introduced in 13.0.1 when emulating Vite applications. (#​6599)
  • Add RSC headers of Next.js app directory pages to Hosting headers. (#​6608)

v13.0.1

  • Fix bug where deploying Firestore function resulted in redundant API calls to the Firestore API (#6583).
  • Fix an issue preventing Vite applications from being emulated on Windows. (#​6411)
  • Addressed an issue preventing Astro applications from being deployed from Windows. (#​5709)
  • Fixed an issue preventing Angular apps using ng-deploy from being emulated or deployed. (#​6584)
  • Warn if a Web Framework is outside a well known version range on deploy/emulate. (#​6562)
  • Use Web Framework's well known version range in firebase init hosting. (#​6562)
  • Permit use of more SSR regions in Web Frameworks deploys. (#​6086)
  • Limit Web Framework's generated Cloud Function name to 23 characters, fixing deploys for some. (#​6260)
  • Allow Nuxt as an option during firebase init hosting. (#​6309)

v13.0.0

  • Breaking: dropped support for running the CLI on Node.js v16.
  • Breaking: Refactored functions:shell to remove dependency on deprecated request module.
    • As part of this change, removed support for some rarely used features of request.
  • Breaking: Removed deprecated ext:dev:publish command. Use ext:dev:upload instead.
  • Added support for running the CLI on Node.js v20.
  • Switched Storage deployment to use GetDefaultBucket endpoint to fetch default Storage bucket. (#​6467)
  • Fixed an issue with emulating blocking functions when using multiple codebases (#​6504).
  • Added force flag call-out for bypassing prompts (#​6506).
  • Added the ability to deploy Angular apps using the new application-builder. (#​6480)
  • Fixed an issue where --non-interactive flag is not respected in Firestore indexes deploys. (#​6539)
  • Fixed an issue where login:use would not work outside of a Firebase project directory. (#​6526)
  • Prevent app router static not-found requiring a Cloud Function in Next.js deployments. (#​6558)
  • Use only site id from site name in list versions API. (#​6565)

v12.9.1

  • Fixes issue where initializing Hosting fails when selecting a project. (#​6527)

v12.9.0

  • Revert enabling preferRest by default to avoid performance degradations for some users (#​6520).
  • Fix blocking functions in the emulator when using multiple codebases (#​6504).
  • Add force flag call-out for bypassing prompts (#​6506).
  • Fixed an issue where the functions emulator did not respect the --log-verbosity flag (#​2859).
  • Add the ability to look for the default Hosting site via Hosting's API.
  • Add logic to create a Hosting site when one is not available in a project.
  • Add checks for the default Hosting site when one is assumed to exist.

v12.8.1

  • Fixed 2 bugs (unintended database mode changes and disabling of PITR or delete-protection) when updating Firestore databases (#​6478)

v12.8.0

  • Enable preferRest option by default for Firestore functions. (#​6147)
  • Fixed a bug where re-deploying 2nd Gen Firestore function failed after updating secrets. (#​6456)
  • Fixed a bug where similarly-named Hosting channels would cause issues when updating authorized domains. (#​6356)

v12.7.0

  • Fix type mismatch for parametrized function region. (#​6205)
  • Ignore FIRESTORE_EMULATOR_HOST environment variable on functions deploy. (#​6442)
  • Added support for enabling, disabling, and displaying Point In Time Recovery enablement state on Firestore databases (#​6388)
  • Added a --verbosity flag to emulators:* commands that limits what logs are printed (#​2859)
  • Fixed an issue where params would not be resolved when used to set VPC connector during functions deployment (#​6327)

v12.6.2

  • Fixed an issue with deploying multilevel grouped functions containing v2 functions. (#​6419)
  • Fixed an issue where functions deployment required a new permission.

v12.6.1

  • Fixed an issue where the functions service account option was not treated as a param (#​6389).
  • Fixed an issue with deploying function groups containing v2 functions. (#​6408)
  • Use GetDefaultBucket endpoint to fetch Storage Default Bucket.

v12.6.0

  • Improve performance and reliability when deploying multiple 2nd gen functions using single builds. (#​6376)
  • Fixed an issue where emulators:export did not check if the target folder is empty. (#​6313)
  • Fixed an issue where retry could not be set for event triggered functions. (#​6391)
  • Fixed "Could not find the next executable" on Next.js deployments (#​6372)
  • Fixed issues caused by breaking changes in Next >=v13.5.0. (#​6382)

v12.5.4

  • Released Firestore emulator v1.18.2.
    • Removed nano precision in timestamp used in Firestore emulator (#​5893)
    • Fixed a bug where query behaves differently from production.
  • Fixed an issue where very long command outputs would be cut off. (#​3286)

v12.5.3

  • Fixed an issue where builds from https://firebase.tools could not run commands that spawn npm. (#​6132)
  • Fixed an issue where --non-interactive and --force were not respected in some extension deploys. (#​6321)
  • Fixed the regex in extensions changelog parser to lazy match the version prefix to allow matching higher versions (#​6326)

v12.5.2

  • Fixed an issue causing unexpected behavior and errors on functions deploy. (#​6290)

v12.5.1

  • Fix issue with mixed v1 and v2 functions deployments. (#​6293)

v12.5.0

  • Fixed issue where the Extensions emulator would error when emulating local extensions with no params. (#6271)
  • Improved performance and reliability when deploying multiple 2nd gen functions using single builds. (#​6275)
  • Fix bundle next.config.js (#​6287)

v12.4.8

  • Increased functions emulator HTTPS body size limit to 32mb to match production. (#​6201)
  • Fixed Astro web framework bug when loading configuration for version 2.9.7 and above. (#​6213)
  • Increase Next.js config bundle timeout to 60 seconds. (#​6214)

v12.4.7

  • Improve error message raised when firebase init hosting:github fails due to max number of keys limit for a service account. (#​6145)
  • Fixed bug where functions:secrets:\* family of commands did not work when Firebase CLI is authenticated via GOOGLE_APPLICATION_CREDENTIALS (#​6190)
  • Fixed bug where some extension instance updates would default to the wrong location.

v12.4.6

  • Fixed an issue where extension instances could not be deployed when authenticated as a service account (#​6060).
  • Fixed glob usage in Next.js utility function to detect images in app directory (#​6166)
  • Send experiments activated with firebase experiments:enable to the emulator suite UI (#​6169)

v12.4.5

  • Fixed bug where functions:secrets:set didn't remove stale versions of a secret. (#​6080)
  • Fixed bug where firebase deploy --only firestore:named-db didn't update rules. (#​6129)
  • Fixed issue where Flutter Web is not detected as a web framework. (#​6085)
  • Added better messages for API permissions failures that direct the user to the URL to enable the API. (#​6130)
  • Fixed issue caused by adding type checks in #​5906.
  • Fixed next/image component in app directory for Next.js > 13.4.9. (#​6143)
  • Fixed bug where Next.js Image Optimization in the app directory was not requiring a Cloud Function. (#​6143)
  • Fixed a transitive dependency on a vulnerable version of vm2. (#​6150)

v12.4.4

  • Disables KeepAlive timeout when debugger is attached to the functions emulator. (#​6069)
  • Fixed an issue where database:list would have inaccurate results. (#​6063)

v12.4.3

  • Fixed incorrect links in firebase open hosting and firebase open crash. (#​6073)
  • Released Firebase Emulator UI v1.11.7, which includes preview support for multiple Firestore databases. (#​6079)

v12.4.2

  • Run lifecycle hooks for specific functions. (#​6023)
  • Increased extension instance create poll timeout to 1h to match backend (#​5969).
  • Refactored ext:install to use the latest extension metadata. (#​5997)
  • Added descriptive error when repo is private or not found during ext:dev:upload. (#​6052)
  • Fixed issue where missing trigger warnings would be wrongly displayed when emulating extensions with HTTPS triggers. (#​6055)
  • Normalized extension root path before usage in ext:dev:upload. (#​6054)

v12.4.1

  • Release Firestore emulator 1.18.1 which adds an emulator configuration to start with experimental mode (#5942).
  • Run lifecycle hooks for specific codebases. (#​6011)
  • Fixed issue causing firebase emulators:start to crash in Next.js apps (#​6005)

v12.4.0

  • Added appdistribution:group:create and appdistribution:group:delete. (#​5978)
  • Added --group-alias option to appdistribution:testers:add and appdistribution:testers:remove. (#​5978)
  • Fixed an issue where Storage rules could not be deployed to projects without a billing plan. (#​5955)

v12.3.1

  • Delete and re-create v2 function on Cloud Run API quota exhaustion (#​5719).
  • firebase functions:secrets:* ensure the secretmanager API is enabled (#​5918)

v12.3.0

  • Fix a bug preventing web framework's dev-mode from working out-of-box with Firebase Authentication. (#​5894)
  • Address additional cases where we were attempting to deploy a framework's development bundle (#​5895)
  • NextJS rewrites should be prefixed with the basePath defined in next.config.js (#​5923)
  • Web Frameworks emulators will again respect existing Cloud Functions rewrites (#​5923)
  • Web Frameworks rewrites/redirects/headers will only prepend those in firebase.json if there's a baseUrl (#​5923)
  • Fixes issue where Authentication emulator creates a user if empty email and empty password is provided. (#​5639)
  • Improve error message raised when --import flag directory does not exist. (#​5851)
  • Switch ext:dev:init to default 'billingRequired' to true in extension.yaml
  • Remove LOCATION param from the extensions.yaml template for ext:dev:init
  • Support Astro hybrid rendering (#​5898)

v12.2.1

  • Gracefully close rules runtime on storage emulator stop (#​4902)
  • Always assume build target of production when deploying a web framework, unless overridden (#​5892)

v12.2.0

  • Update error message when function deploy fails due to quota. (#​5867)
  • Fixes RTDB emulator 127.0.0.1 namespace resolution bug. (#​5863)
  • Improves RTDB emulator to GCF emulator network reliability. (#​5863)
  • Allow for Angular developers to both target a PWA and leverage serveOptimizedImages. (#​5716)
  • Multi-page applications that are fully statically rendered are no longer treated as PWAs. (#5716)
  • Add fast dev-mode support for developers using Nuxt v2. (#5716)
  • Respect ssr: false and baseURL when using Nuxt. (#​5716)
  • Fix bug where JS SDK auto-init was not working for Vite while in dev-mode (#​5610).
  • Respect FIREBASE_FRAMEWORKS_BUILD_TARGET environment variable to override the default build target (#​5572).
  • Improves cleanup process when reloading emulated functions in debug mode. (#​5878)
  • Allow Web Frameworks to target NodeJS v20. (#​5879)

v12.1.0

  • Fixes an issue running firebase emulators:start when Python Cloud Functions directory path has spaces. (#​5854)
  • Add support for nodejs20 for Cloud Functions for Firebase. (#​5837)
  • Add Flutter Web as an option in "firebase init hosting" (#​5864)
  • Some failures while building Web Frameworks were not being caught (#​5864)

v12.0.1

  • Fixes an issue in the EventArc emulator where events missing optional fields would cause crashes. (#5803)
  • Fixes an issue running firebase emulators:start and firebase deploy when Python Cloud Functions directory path has spaces. (#​5830)

v12.0.0

  • Breaking: drops support for running the CLI on Node.js v14.
  • Adds ext:dev:* commands to publish and manage Extensions. For step-by-step instructions on how to publish your own Extensions, see https://firebase.google.com/docs/extensions/publishers/get-started.
    • Note: These commands were previously available to early access users behind an experiment flag. There are some breaking changes from the early access version of these commands.
    • ext:dev:publish has been renamed to ext:dev:upload. ext:dev:upload defaults to uploading extensions from GitHub instead of local source.
    • ext:dev:publish is deprecated and will be removed in version 13.
    • ext:dev:delete, ext:dev:unpublish, ext:sources:create and ext:dev:emualtors:* have been removed.
  • Support for Next.js i18n, basePath, and more advanced rewrites/redirects/headers (#​5788)
  • hosting.frameworksBackend now respects omit: true (#​5788)
  • Web Frameworks now memoizes framework builds for single builds across multiple hosting sites (#​5788)
  • Add support for Angular i18n and baseHref (#​5774)
  • Trip the backend requirement for Angular applications using ng-deploy w/serveOptimizedImages (#​5774)
  • Fixes a bug where the Storage emulator would not fall back to open rules for 'demo-' projects if firebase.json contained multiple storage targets (#​5170)
  • Updates firebase init function templates for TypeScript and Javascript to 2nd gen (#​5775)
  • Allow for atomic deployment of Hosting content & Functions rewrites via tag pinning (#​5753)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jun 21, 2024
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 41c3d13 to 5514248 Compare June 21, 2024 07:45
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 5514248 to 07eec04 Compare September 1, 2024 10:39
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 07eec04 to 6fefb32 Compare October 1, 2024 09:07
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 6fefb32 to c6423f1 Compare January 1, 2025 10:26
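
The range this PR sets, `^13.0.0`, still admits releases from 13.0.0 up to 13.6.0, so for CVE-2024-4128 what matters is the version the lockfile actually resolves. The check below is an added example, not part of this PR or of firebase-tools; it reads the advisory's "past version 13.6.0" literally, and `auditLock`, `resolvedVersions` and the sample lockfiles are names and data constructed for illustration.

```javascript
// Added example, not code from this PR or from firebase-tools.
// Advisory wording on the page: "upgrading past version 13.6.0". Read literally
// here (assumption): a resolved version <= 13.6.0 is reported as needing an upgrade.
const UPGRADE_PAST = '13.6.0';

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1; numeric comparison, so 13.11.2 sorts after 13.6.0.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;   // a release sorts after its prereleases
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;  // simplified ordering between prereleases
}

// Collect every resolved copy of `name` from a parsed package-lock.json.
// lockfileVersion 2/3 keys "packages" by install path; version 1 nests "dependencies".
function resolvedVersions(lock, name) {
  const found = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      found.push({ path, version: info.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${dep}`;
      if (dep === name) found.push({ path: here, version: info.version });
      walk(info.dependencies, `${here}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

function auditLock(lock, name = 'firebase-tools') {
  return resolvedVersions(lock, name).map((hit) => ({
    ...hit,
    needsUpgrade: compareVersions(hit.version, UPGRADE_PAST) <= 0,
  }));
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { devDependencies: { 'firebase-tools': '^13.0.0' } },
  'node_modules/firebase-tools': { version: '13.4.1' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: { 'firebase-tools': { version: '13.11.2' } } };

console.log(JSON.stringify([auditLock(SAMPLE_V3), auditLock(SAMPLE_V1)]));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLock` in place of the samples.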