Firebase-js-sdk: Audit: Stop minimist dependancy prototype pollution

Created on 22 Mar 2020 · 11Comments · Source: firebase/firebase-js-sdk

[REQUIRED] Describe your environment

Operating System version: macOS 10.15.3
Browser version: unrelated - it's a dependency problem
Firebase SDK version: latest version (^7.12.0)
Firebase Product: all

[REQUIRED] Describe the problem

Steps to reproduce:

npm i firebase@latest

gives these security warnings:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ firebase                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ firebase > @firebase/firestore > grpc > node-pre-gyp >       │
│               │ mkdirp > minimist                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179

see: https://npmjs.com/advisories/1179

core needs-attention

Source

mesqueeb

👍9

Most helpful comment

Hi @google-oss-bot 👋
What info do you need more?

mesqueeb on 2 Apr 2020

👍2

All 11 comments

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot on 22 Mar 2020

I did a fresh install of firebase and I got [email protected].
Can you try removing node_modules and package-lock.json and do a fresh install to see if it resolves the issue?

Feiyang1 on 24 Mar 2020

I have tried clearing it, and have [email protected] but still end up with the npm warning. Seems like this is an issue elsewhere.

retnikt on 24 Mar 2020

Same problem. Any solution? Safe to use on live server?

maheshkumar2150 on 25 Mar 2020

We are getting the same issue as well, with fresh install of Firebase, tried the removal of nodes+package-lock.json and it's still persisting

dev-magesstudio on 26 Mar 2020

Hey @mesqueeb. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

google-oss-bot on 2 Apr 2020

Hi @google-oss-bot 👋
What info do you need more?

mesqueeb on 2 Apr 2020

👍2

Same issue here.

Firebase 7.13.2
3 low vulnerabilities all regarding minimist

Tried to clear my package-lock.json and delete node_modules folder + npm install on project folder but that did not fix the issue.

stevecastaneda on 7 Apr 2020

Same on my end as well. Showing 3 vulnerabilities in minimist. Screenshot below.

Screenshot from 2020-04-09 18-24-10

tvvignesh on 9 Apr 2020

├─┬ [email protected]
│ ├─┬ @firebase/[email protected]
│ │ ├─┬ [email protected]
│ │ │ ├─┬ [email protected]
│ │ │ │ ├─┬ [email protected]
│ │ │ │ │ └── [email protected]
│ │ │ │ ├─┬ [email protected]
│ │ │ │ │ ├── [email protected]

firebase 7.13 is using old versions of minimist .
[email protected] fix that