Skip to content

Security Audit & Remediation: quickstart-testing monorepo#464

Open
inlined wants to merge 1 commit into
firebase:masterfrom
inlined:security-audit/monorepo
Open

Security Audit & Remediation: quickstart-testing monorepo#464
inlined wants to merge 1 commit into
firebase:masterfrom
inlined:security-audit/monorepo

Conversation

@inlined

@inlined inlined commented Jun 24, 2026

Copy link
Copy Markdown
Member

Security Audit & Remediation: quickstart-testing monorepo

A. Previous CVEs

  • 142 baseline vulnerabilities including critical sandbox escape in vm2, command injection in open, prototype pollution in protobufjs, merge, and tough-cookie, SSRF in ip, and arbitrary file read/write in tar.

B. Changes Made

  • Updated node engine requirements to node: ">=22.0.0" in all workspaces (and root).
  • Upgraded root devDependencies: firebase-tools from ^12.4.0 to ^15.22.1 and lerna from ^7.1.0 to ^9.0.7.
  • Upgraded firebase-tools dependency in workspaces from 9.19.0/12.4.0 to ^15.22.1.
  • Removed local package-lock.json and node-modules files from individual workspaces to consolidate workspaces under a single root package-lock.json, resolving invalid dependency resolution.
  • Removed unused file-system dependency from cs-walkthrough/functions.
  • Added dependency overrides across all workspaces to resolve transitive CVEs:
    • serialize-javascript -> ^7.0.6
    • tar -> ^7.5.16
    • qs -> ^6.15.2
    • uuid -> ^11.1.1
    • tough-cookie -> ^4.1.3
    • yaml -> ^2.9.0
    • http-proxy-agent -> ^7.0.2
    • https-proxy-agent -> ^7.0.6
    • ip -> ^2.0.1
    • ms -> ^2.1.3
    • netmask -> ^2.1.1
    • js-yaml -> ^4.1.0
    • merge -> ^2.1.1
    • degenerator -> ^5.0.1
    • extend -> ^3.0.2
    • form-data -> ^4.0.6
    • debug -> ^4.4.0
    • pac-resolver -> ^5.0.0
    • protobufjs -> ^7.6.4
    • node-forge -> ^1.4.0
    • path-to-regexp -> ^0.1.13
    • @grpc/grpc-js -> ^1.14.4
    • jsonwebtoken -> ^9.0.3
    • dicer -> ^0.3.1
    • fast-xml-parser -> ^5.9.3

C. Remaining CVEs

  • firebase (moderate SSRF protection bypass): used in unit-test-security-rules-v9. Upgrading would require migrating from v9 to v10.
  • @google-cloud/firestore / @grpc/grpc-js: used in firebase-admin and firebase. Downgraded transitives cannot be upgraded further without upgrading major library versions.
  • @opentelemetry/core (moderate memory leak): used in firebase-tools.
  • diff/minimatch/nanoid (moderate/high DoS): used in mocha.
  • ip/pac-resolver (high SSRF): transitive dependency.

D. Introduced CVEs

  • None

E. Testing Strategy

  • Consolidated workspaces compile and build correctly via root workspace.
  • Verification tests will run via CI suite (./scripts/test.sh).

@inlined
Update node engine requirements, upgrade firebase-tools/lerna, add ov…
eeec1be 
…errides, and consolidate workspaces under root lockfile
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 24, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Node.js engine requirement to >=22.0.0 and upgrades several dependencies, including firebase-tools and lerna, across multiple package.json files. It also introduces dependency overrides to resolve specific package versions. The feedback highlights that in npm workspaces, the overrides block is only respected in the root package.json and is ignored in individual workspace packages. To avoid redundancy and maintenance overhead, these ignored overrides blocks should be removed from the sub-packages.

Comment thread cs-walkthrough/functions/package.json
Comment on lines +27 to +53
"overrides": {
"serialize-javascript": "^7.0.6",
"tar": "^7.5.16",
"qs": "^6.15.2",
"uuid": "^11.1.1",
"tough-cookie": "^4.1.3",
"yaml": "^2.9.0",
"http-proxy-agent": "^7.0.2",
"https-proxy-agent": "^7.0.6",
"ip": "^2.0.1",
"ms": "^2.1.3",
"netmask": "^2.1.1",
"js-yaml": "^4.1.0",
"merge": "^2.1.1",
"degenerator": "^5.0.1",
"extend": "^3.0.2",
"form-data": "^4.0.6",
"debug": "^4.4.0",
"pac-resolver": "^5.0.0",
"protobufjs": "^7.6.4",
"node-forge": "^1.4.0",
"path-to-regexp": "^0.1.13",
"@grpc/grpc-js": "^1.14.4",
"jsonwebtoken": "^9.0.3",
"dicer": "^0.3.1",
"fast-xml-parser": "^5.9.3"
},

@gemini-code-assist gemini-code-assist Bot Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In npm workspaces, the overrides block is only respected when defined in the root package.json. Overrides defined in individual workspace package.json files are ignored by npm. To avoid redundancy and maintenance overhead, you should remove this block from the workspace configuration and rely solely on the root package.json overrides.

Comment thread manual-emulator-testing/package.json
Comment on lines +11 to 38
},
"overrides": {
"serialize-javascript": "^7.0.6",
"tar": "^7.5.16",
"qs": "^6.15.2",
"uuid": "^11.1.1",
"tough-cookie": "^4.1.3",
"yaml": "^2.9.0",
"http-proxy-agent": "^7.0.2",
"https-proxy-agent": "^7.0.6",
"ip": "^2.0.1",
"ms": "^2.1.3",
"netmask": "^2.1.1",
"js-yaml": "^4.1.0",
"merge": "^2.1.1",
"degenerator": "^5.0.1",
"extend": "^3.0.2",
"form-data": "^4.0.6",
"debug": "^4.4.0",
"pac-resolver": "^5.0.0",
"protobufjs": "^7.6.4",
"node-forge": "^1.4.0",
"path-to-regexp": "^0.1.13",
"@grpc/grpc-js": "^1.14.4",
"jsonwebtoken": "^9.0.3",
"dicer": "^0.3.1",
"fast-xml-parser": "^5.9.3"
}

@gemini-code-assist gemini-code-assist Bot Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In npm workspaces, the overrides block is only respected when defined in the root package.json. Overrides defined in individual workspace package.json files are ignored by npm. To avoid redundancy and maintenance overhead, you should remove this block from the workspace configuration and rely solely on the root package.json overrides.

  }

Comment thread unit-test-cloud-functions/functions/package.json
Comment on lines +20 to +46
"overrides": {
"serialize-javascript": "^7.0.6",
"tar": "^7.5.16",
"qs": "^6.15.2",
"uuid": "^11.1.1",
"tough-cookie": "^4.1.3",
"yaml": "^2.9.0",
"http-proxy-agent": "^7.0.2",
"https-proxy-agent": "^7.0.6",
"ip": "^2.0.1",
"ms": "^2.1.3",
"netmask": "^2.1.1",
"js-yaml": "^4.1.0",
"merge": "^2.1.1",
"degenerator": "^5.0.1",
"extend": "^3.0.2",
"form-data": "^4.0.6",
"debug": "^4.4.0",
"pac-resolver": "^5.0.0",
"protobufjs": "^7.6.4",
"node-forge": "^1.4.0",
"path-to-regexp": "^0.1.13",
"@grpc/grpc-js": "^1.14.4",
"jsonwebtoken": "^9.0.3",
"dicer": "^0.3.1",
"fast-xml-parser": "^5.9.3"
},

@gemini-code-assist gemini-code-assist Bot Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In npm workspaces, the overrides block is only respected when defined in the root package.json. Overrides defined in individual workspace package.json files are ignored by npm. To avoid redundancy and maintenance overhead, you should remove this block from the workspace configuration and rely solely on the root package.json overrides.

Comment thread unit-test-security-rules-v9/package.json
Comment on lines +21 to 48
},
"overrides": {
"serialize-javascript": "^7.0.6",
"tar": "^7.5.16",
"qs": "^6.15.2",
"uuid": "^11.1.1",
"tough-cookie": "^4.1.3",
"yaml": "^2.9.0",
"http-proxy-agent": "^7.0.2",
"https-proxy-agent": "^7.0.6",
"ip": "^2.0.1",
"ms": "^2.1.3",
"netmask": "^2.1.1",
"js-yaml": "^4.1.0",
"merge": "^2.1.1",
"degenerator": "^5.0.1",
"extend": "^3.0.2",
"form-data": "^4.0.6",
"debug": "^4.4.0",
"pac-resolver": "^5.0.0",
"protobufjs": "^7.6.4",
"node-forge": "^1.4.0",
"path-to-regexp": "^0.1.13",
"@grpc/grpc-js": "^1.14.4",
"jsonwebtoken": "^9.0.3",
"dicer": "^0.3.1",
"fast-xml-parser": "^5.9.3"
}

@gemini-code-assist gemini-code-assist Bot Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In npm workspaces, the overrides block is only respected when defined in the root package.json. Overrides defined in individual workspace package.json files are ignored by npm. To avoid redundancy and maintenance overhead, you should remove this block from the workspace configuration and rely solely on the root package.json overrides.

  }

Comment thread unit-test-security-rules/package.json
Comment on lines +22 to 49
},
"overrides": {
"serialize-javascript": "^7.0.6",
"tar": "^7.5.16",
"qs": "^6.15.2",
"uuid": "^11.1.1",
"tough-cookie": "^4.1.3",
"yaml": "^2.9.0",
"http-proxy-agent": "^7.0.2",
"https-proxy-agent": "^7.0.6",
"ip": "^2.0.1",
"ms": "^2.1.3",
"netmask": "^2.1.1",
"js-yaml": "^4.1.0",
"merge": "^2.1.1",
"degenerator": "^5.0.1",
"extend": "^3.0.2",
"form-data": "^4.0.6",
"debug": "^4.4.0",
"pac-resolver": "^5.0.0",
"protobufjs": "^7.6.4",
"node-forge": "^1.4.0",
"path-to-regexp": "^0.1.13",
"@grpc/grpc-js": "^1.14.4",
"jsonwebtoken": "^9.0.3",
"dicer": "^0.3.1",
"fast-xml-parser": "^5.9.3"
}

@gemini-code-assist gemini-code-assist Bot Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

In npm workspaces, the overrides block is only respected when defined in the root package.json. Overrides defined in individual workspace package.json files are ignored by npm. To avoid redundancy and maintenance overhead, you should remove this block from the workspace configuration and rely solely on the root package.json overrides.

  }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer
@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@inlined