[Firestore] Dependabot issue (all users of this library)
lernerb opened this issue
[READ] Step 1: Are you in the right place?
Yes
[REQUIRED] Step 2: Describe your environment
N/A
[REQUIRED] Step 3: Describe the problem
Steps to reproduce:
I see that the lockfile has @google-cloud/firestore set as ^6.7.0, which patches the below issue; however, in the package.json file the optional dependency is set to ^6.6.0. Can we bump that up to match the lockfile in the package.json file so that all users of this dependency have the correct firestore version without forcing a patch?
"@google-cloud/firestore": "^6.6.0",
For reference, anyone using this package currently has a dependabot advisory for word-wrap, which downstream is used by this project.
word-wrap vulnerable to Regular Expression Denial of Service.
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
Closing as this is fixed in the latest release.