Firebase-js-sdk: Node-Fetch downstream security vulnerability

Created on 11 Sep 2020 · 2 Comments · Source: firebase/firebase-js-sdk

[REQUIRED] Describe your environment

  • Operating System version: macOS Catalina 10.15.4
  • Browser version: 76.0.1
  • Firebase SDK version: 7.20.0
  • Firebase Product: firestore (auth, database, storage, etc)

[REQUIRED] Describe the problem

There is a known security vulnerability with Node-Fetch that has been fixed in version 2.6.1+
https://www.npmjs.com/advisories/1556

Steps to reproduce:

  • Create a new project using yarn init.
  • Add firebase via yarn add firebase.
  • Run yarn audit.
  • Note the security vulnerability on downstream dependency node-fetch.

Relevant Code:

As this is a downstream dependency issue, I don't have any relevant code to provide.

Labels: core, firestore, functions

All 2 comments

For my info:
The two sources of older versions of node-fetch are

  • in Firestore's package.json (I see a PR for that, thanks)
  • in Functions as a dependency of isomorphic-fetch which seems to be no longer maintained. Perhaps this should be replaced with node-fetch directly.

The issue in Firestore was resolved with #3759. The issue with isomorphic-fetch remains.
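The reproduction above (yarn add firebase, then yarn audit) tells you that a vulnerable node-fetch is present, and the comment above names the two resolution paths by hand. The script below, added here as an example and not part of firebase-js-sdk or of the thread, does that mechanically: it parses a yarn.lock (v1 format), finds every resolved release of a package older than the fixed version, and walks the reverse dependency edges up to the project's direct dependencies. The embedded lockfile is a constructed sample; the @firebase/firestore, @firebase/functions and isomorphic-fetch versions in it are hypothetical, and only firebase 7.20.0 and the node-fetch fix version 2.6.1 come from the issue.

```javascript
// Added example (not from the firebase-js-sdk project): parse a yarn.lock (v1)
// and report every dependency chain that pulls in a release of a package older
// than the fixed version. The lockfile and its package versions below are a
// constructed sample, not a real install.

const SAMPLE_YARN_LOCK = `# yarn lockfile v1


"@firebase/firestore@1.16.7":
  version "1.16.7"
  dependencies:
    node-fetch "2.6.0"

"@firebase/functions@0.5.0":
  version "0.5.0"
  dependencies:
    isomorphic-fetch "2.2.1"

firebase@7.20.0:
  version "7.20.0"
  dependencies:
    "@firebase/firestore" "1.16.7"
    "@firebase/functions" "0.5.0"

isomorphic-fetch@2.2.1:
  version "2.2.1"
  dependencies:
    node-fetch "^1.0.1"

node-fetch@2.6.0:
  version "2.6.0"

node-fetch@^1.0.1:
  version "1.7.3"
`;

// Parse yarn.lock v1 into Map<"name@range", entry>. One entry may be listed
// under several keys (a header such as `a@^1.0.0, a@^1.2.0:`).
function parseYarnLock(text) {
  const entries = new Map();
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split("\n").filter((l) => l.trim() && !l.startsWith("#"));
    if (lines.length === 0 || lines[0].startsWith(" ")) continue;
    const keys = lines[0].replace(/:\s*$/, "").split(",")
      .map((k) => k.trim().replace(/^"|"$/g, ""));
    const name = keys[0].slice(0, keys[0].lastIndexOf("@"));
    const entry = { name, version: null, dependencies: [] };
    let inDeps = false;
    for (const line of lines.slice(1)) {
      const v = line.match(/^  version "([^"]+)"/);
      if (v) { entry.version = v[1]; inDeps = false; continue; }
      if (/^  dependencies:/.test(line)) { inDeps = true; continue; }
      const d = inDeps && line.match(/^    "?([^"\s]+)"? "([^"]+)"/);
      if (d) entry.dependencies.push({ name: d[1], range: d[2] });
      else inDeps = false; // any other 2-space field (resolved, integrity, ...) ends the list
    }
    for (const k of keys) entries.set(k, entry);
  }
  return entries;
}

// Numeric major.minor.patch comparison. Pre-release tags are dropped, so
// "2.6.1-rc.1" counts as fixed; use the semver package when that matters.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Every chain root > ... > vulnerable release, for releases of `pkg` older than
// `fixedIn`. A key nothing else depends on is one of the project's own direct
// dependencies (the project's package.json is not itself in the lockfile).
function findVulnerableChains(lock, pkg, fixedIn) {
  const dependents = new Map(); // "name@range" -> entries that request it
  const keysOf = new Map();     // entry -> keys it is listed under
  for (const [key, entry] of lock) {
    if (keysOf.has(entry)) { keysOf.get(entry).push(key); continue; }
    keysOf.set(entry, [key]);
    for (const dep of entry.dependencies) {
      const depKey = `${dep.name}@${dep.range}`;
      if (!dependents.has(depKey)) dependents.set(depKey, []);
      dependents.get(depKey).push(entry);
    }
  }
  const label = (e) => `${e.name}@${e.version}`;
  const chains = [];
  const seen = new Set();
  for (const [key, entry] of lock) {
    if (entry.name !== pkg || compareVersions(entry.version, fixedIn) >= 0) continue;
    const stack = [[key, [label(entry)]]]; // walk upward from the vulnerable release
    while (stack.length) {
      const [k, path] = stack.pop();
      const parents = dependents.get(k) || [];
      if (parents.length === 0) {
        const joined = path.join(" > ");
        if (!seen.has(joined)) { seen.add(joined); chains.push(path); }
        continue;
      }
      for (const parent of parents) {
        if (path.includes(label(parent))) continue; // cycle guard
        for (const pk of keysOf.get(parent)) stack.push([pk, [label(parent), ...path]]);
      }
    }
  }
  return chains.sort((a, b) => (a.join(" > ") < b.join(" > ") ? -1 : 1));
}

if (typeof require !== "undefined" && require.main === module) {
  const lock = parseYarnLock(SAMPLE_YARN_LOCK);
  for (const chain of findVulnerableChains(lock, "node-fetch", "2.6.1")) {
    console.log(chain.join(" > "));
  }
}
```

Run against the sample it prints two chains, one through @firebase/firestore and one through @firebase/functions and isomorphic-fetch, which is exactly the pair of sources the comment describes. On a real checkout, replace SAMPLE_YARN_LOCK with the contents of the project's yarn.lock; `yarn why node-fetch` gives the same answer interactively, but the parsed form is what you want when the check runs in CI.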
