Snyk has created this PR to upgrade firebase-functions from 4.2.1 to 6.6.0. See this package in npm: firebase-functions See this project in Snyk: https://app.snyk.io/org/aravindvnair99-github-marketplace/project/3e229b24-b2de-4c21-9d58-eebf425f44fc?utm_source=github&utm_medium=referral&page=upgrade-pr
- Insecure File Management (1): more info on how to fix Insecure File Management in JavaScript.
- Insecure Use of Crypto (1): more info on how to fix Insecure Use of Crypto in JavaScript.
- Vulnerable Libraries (8): more info on how to fix Vulnerable Libraries in JavaScript.
Security Upgrade Review Summary
This PR upgrades Firebase Functions from 4.2.1 to 6.6.0, which addresses 16 security vulnerabilities including high-severity issues like asymmetric resource consumption, internal property tampering, and infinite loops. This is a critical security update that should be merged.
Critical Issue Requiring Immediate Attention
Node.js Compatibility: Firebase Functions 6.6.0 requires Node.js 18 or higher, but the project currently specifies Node 14. This will cause deployment failures and must be updated before merging.
Security Benefits
This upgrade resolves multiple high and medium severity vulnerabilities:
- High Severity: Asymmetric Resource Consumption, Internal Property Tampering, Infinite Loop vulnerabilities
- Medium Severity: Open Redirect, Cross-site Scripting, Resource Exhaustion, Authentication issues
- Low Severity: Additional XSS and ReDoS vulnerabilities
Recommendation
- Update Node.js version to 18 in package.json engines field
- Test thoroughly after the Node.js update as this is a major version upgrade
- Merge promptly once Node.js compatibility is resolved to address the security vulnerabilities
The security benefits of this upgrade significantly outweigh the compatibility requirements, making this a high-priority update.
| "ejs": "^3.1.7", | ||
| "firebase-admin": "^11.3.0", | ||
| "firebase-functions": "^4.2.1", | ||
| "firebase-functions": "^6.6.0", |
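Review bot: The firebase-admin pin stays at ^11.3.0 while firebase-functions jumps from ^4.2.1 to ^6.6.0, and the engines field is not part of this hunk; both review comments on this PR tie the upgrade to exactly those two values, so the bump should land together with a matching firebase-admin range and Node engine rather than on its own.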
🛑 Compatibility Issue: Firebase Functions 6.6.0 requires Node.js 18 or higher, but this project specifies Node 14 in the engines field. This upgrade will cause deployment failures until the Node.js version is updated to 18 or higher.
Code Review
This pull request, automatically generated by Snyk, upgrades firebase-functions from v4.2.1 to v6.6.0. This is a major version upgrade across two major versions (v4 to v6), which introduces potential breaking changes and new requirements.
My review has identified a critical issue: the new version of firebase-functions has a peer dependency on firebase-admin that is not met by your current configuration. This will likely cause your application to fail during installation or at runtime. I have also noted that the required Node.js version for firebase-functions is more specific than what is currently defined in your package.json.
I have provided a detailed comment in functions/package.json with instructions on how to resolve the dependency conflict and a note about the Node.js engine. Please address this to ensure your project remains stable after the upgrade.
| "ejs": "^3.1.7", | ||
| "firebase-admin": "^11.3.0", | ||
| "firebase-functions": "^4.2.1", | ||
| "firebase-functions": "^6.6.0", |
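Review bot: This single-line bump crosses two major versions (4.x to 6.x), so it should not be merged on the strength of the Snyk vulnerability list alone; the release notes in the PR description record breaking changes to the Callable Functions streaming feature in 6.2.0 and a deprecation of the callable auth policy in 6.4.0, so any callable functions in this codebase need retesting before merge.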
This upgrade of firebase-functions to v6.6.0 has some important implications that should be addressed in package.json for correctness and future-proofing.
- Incompatible firebase-admin version: firebase-functions@6.6.0 has a peer dependency on firebase-admin with version ^11.10.0 || ^12.0.0 || ^13.0.0. Your package.json specifies ^11.3.0, which is not compatible. While npm may have resolved this to a compatible version in package-lock.json, it is crucial to update package.json to reflect the correct requirement to avoid future installation issues.
- Node.js engine requirement: firebase-functions@6.6.0 requires Node.js version >=14.10.0. Your package.json specifies "node": "14". Please ensure your deployment environment uses a compatible Node.js version (14.10.0 or higher), and consider making the engine requirement more specific, e.g., "node": ">=14.10.0".
- firebase-admin v12 incompatibility: Note that firebase-admin v12 and later drop support for Node.js 14. Therefore, you should upgrade firebase-admin to the latest compatible v11 release, which is 11.11.1.
To fix the dependency issue, please update firebase-admin in your package.json:
"dependencies": {
  ...
  "firebase-admin": "^11.11.1",
  "firebase-functions": "^6.6.0",
  ...
}
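As an added example that is not part of this PR or of any of the bot comments, the peer-dependency check the Gemini comment describes, reduced to a caret-range containment test in JavaScript: the peer range is the one quoted in that comment, and the parser assumes plain x.y.z versions and ^ ranges with major >= 1 (the only shapes that appear in this PR).

```javascript
// Added example, not code from this PR or from Snyk, Gemini or Amazon Q.
// It models the peer-dependency check the review comment above describes:
// a caret range in package.json ("^11.3.0") is only safe if its lowest
// installable version already lies inside the peer range that
// firebase-functions@6.6.0 declares for firebase-admin. Assumes plain
// x.y.z versions and caret ranges with major >= 1 (the only shapes in
// this PR); a real resolver would use the `semver` package instead.

// Peer range as quoted in the review comment above.
const PEER_RANGE = '^11.10.0 || ^12.0.0 || ^13.0.0';

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "^x.y.z" with x >= 1 allows x.y.z <= v < (x+1).0.0 (upper bound exclusive).
function parseCaret(range) {
  const r = range.trim();
  if (r[0] !== '^') throw new Error(`unsupported range: ${range}`);
  const lo = parseVersion(r.slice(1));
  if (lo[0] === 0) throw new Error(`0.x caret ranges not handled: ${range}`);
  return { lo, hi: [lo[0] + 1, 0, 0] };
}

function inRange(v, r) {
  return compare(v, r.lo) >= 0 && compare(v, r.hi) < 0;
}

// Returns { ok, floor }: floor is the lowest version the declared caret range
// can resolve to, ok says whether that floor satisfies the peer range. A caret
// range never crosses a major, so if the floor sits inside one peer interval
// the whole declared range does too.
function checkPeer(declared, peer) {
  const d = parseCaret(declared);
  const ok = peer.split('||').map(parseCaret).some((p) => inRange(d.lo, p));
  return { ok, floor: d.lo.join('.') };
}

// The pin currently in the PR, and the fix the review comment suggests.
console.log('^11.3.0 ->', checkPeer('^11.3.0', PEER_RANGE));   // ok: false
console.log('^11.11.1 ->', checkPeer('^11.11.1', PEER_RANGE)); // ok: true
```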
Automatically marked as stale due to lack of recent activity. Will be closed if no further activity occurs. Thank you for your contributions.
Snyk has created this PR to upgrade firebase-functions from 4.2.1 to 6.6.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 27 versions ahead of your current version.
The recommended version was released a month ago.
Issues fixed by the recommended upgrade:
Release notes (from firebase-functions GitHub release notes)
Package name: firebase-functions
- 6.6.0 - 2025-10-20
  - Add defineJsonSecret API for storing structured JSON objects in Cloud Secret Manager. (#1745)
  - Enhance validation against incomplete/invalid app_remove events to avoid runtime crashes. (#1738)
- 6.5.0 - 2025-10-08
  - Add LLM guidance (#1736)
  - Fix issue calling DataSnapshot methods with null data (#1661)
  - Adds auth.rawToken to context to allow access to the underlying token. (#1678)
  - Fix logger runtime exceptions (#1704)
- 6.4.0 - 2025-07-15
  - Add @deprecated annotation to callable functions' auth policy (#1675)
  - Allows CORS to be a parameter. (#1688)
  - Make traceContext accessible (#1696)
- 6.3.2 - 2025-02-13
- 6.3.1 - 2025-01-31
  - Fix bug where SSE response hangs if handler threw an error. (#1668)
- 6.3.0 - 2025-01-24
  - Add onCallGenkit (#1655)
- 6.2.0 - 2024-12-19
  - Add an authPolicy callback to CallableOptions for reusable auth middleware as well as helper auth policies (#1650)
  - Handle ESM functions codebases containing top-level awaits, which would break in node 22.12+ (#1651)
  - Multiple breaking changes to the not-yet-announced streaming feature for Callable Functions (#1652)
- 6.1.2 - 2024-12-09
- 6.1.1 - 2024-11-21
- 6.1.0 - 2024-10-22
- 6.0.1 - 2024-09-16
- 6.0.0 - 2024-09-10
- 5.1.1 - 2024-08-30
- 5.1.0 - 2024-08-19
- 5.0.1 - 2024-05-03
- 5.0.0 - 2024-05-01
- 4.9.0 - 2024-04-04
- 4.8.2 - 2024-03-29
- 4.8.1 - 2024-03-19
- 4.8.0 - 2024-03-08
- 4.7.0 - 2024-02-07
- 4.6.0 - 2024-01-03
- 4.5.0 - 2023-11-02
- 4.4.1 - 2023-06-12
- 4.4.0 - 2023-05-08
- 4.3.1 - 2023-04-20
- 4.3.0 - 2023-04-13
- 4.2.1 - 2023-02-02