firebase / firebase-admin-node

Firebase Admin Node.js SDK

Home Page: https://firebase.google.com/docs/admin/setup

[Firestore] Dependabot issue (all users of this library)

lernerb opened this issue

[READ] Step 1: Are you in the right place?

Yes

[REQUIRED] Step 2: Describe your environment

N/A

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

I see that the lockfile has @google-cloud/firestore set as ^6.7.0, which patches the below issue; however, in the package.json file the optional dependency is set to ^6.6.0. Can we bump that up in the package.json file to match the lockfile so that all users of this dependency have the correct firestore version without forcing a patch?

"@google-cloud/firestore": "^6.6.0",

For reference, anyone using this package currently has a Dependabot advisory for word-wrap, which downstream is used by this project.

word-wrap vulnerable to Regular Expression Denial of Service.

https://cwe.mitre.org/data/definitions/1333.html
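
An added example, not part of the original issue or the SDK's code: a check for the gap described above, where a declared range still admits versions below the patched one. The helper names are hypothetical, the manifest fragment is constructed from the line quoted in the issue, and 6.7.0 is taken as the patched version on the issue's own statement.

```javascript
// Constructed manifest fragment with the range quoted in the issue.
const manifest = {
  optionalDependencies: { "@google-cloud/firestore": "^6.6.0" },
};

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Parse a simple range ("^x.y.z", "~x.y.z", ">=x.y.z" or exact "x.y.z").
// Compound ranges and pre-release tags are out of scope for this sketch.
function parseRange(range) {
  const m = /^(\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [maj, min, pat] = m.slice(2).map(Number);
  const op = m[1] || "=";
  let ceiling; // exclusive upper bound, null when unbounded
  if (op === ">=") ceiling = null;
  else if (op === "~") ceiling = [maj, min + 1, 0];
  else if (op === "=") ceiling = [maj, min, pat + 1];
  else ceiling = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
  return { floor: [maj, min, pat], ceiling };
}

// Does the declared range let a consumer resolve a version older than
// `patched`, and can the range reach `patched` at all?
function auditRange(range, patched) {
  const { floor, ceiling } = parseRange(range);
  const fix = parseRange(patched).floor;
  return {
    admitsUnpatched: compare(floor, fix) < 0,
    canReachPatched: ceiling === null || compare(fix, ceiling) < 0,
  };
}

// Audit one package across every dependency section of a manifest.
function auditManifest(pkg, name, patched) {
  return ["dependencies", "optionalDependencies", "peerDependencies"]
    .filter((s) => pkg[s] && pkg[s][name])
    .map((s) => ({ section: s, range: pkg[s][name], ...auditRange(pkg[s][name], patched) }));
}

console.log(auditManifest(manifest, "@google-cloud/firestore", "6.7.0"));
```

A range that reports `admitsUnpatched: true` depends on each consumer's own resolution to land on the fixed version; raising the floor in package.json removes that dependence.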

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

Closing as this is fixed in the latest release.