Bump node-forge and firebase-tools

[dependabot]

Bumps node-forge to 1.3.2 and updates ancestor dependency firebase-tools. These dependencies need to be updated together.

Updates node-forge from 1.3.1 to 1.3.2

Changelog

Sourced from node-forge's changelog.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default maximum.
• [asn1] Improve OID handling.
  • Error on parsed OID values larger than 2**32 - 1.
  • Error on DER OID values larger than 2**53 - 1 .

Commits

• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• d75e08d Run new security test.
• a5ce91d Update changelog formatting.
• 4652de6 Cleanups.
• eb932d9 Fix typo.
• db6954b Fix style.
• afbf7d8 Align error message style.
• 6607445 Revert minor changes.
• Additional commits viewable in compare view

Updates firebase-tools from 8.20.0 to 14.26.0

Release notes

Sourced from firebase-tools's releases.

v14.26.0

• Add support for nodejs24 (beta) runtime for Cloud Functions for Firebase. (#9475)
• Adds listServices and also defines trigger within runv2.ts (#9482)
• Updates the firebase init functions template to use firebase-functions 7.0.0 (#9496)
• Updated to v2.17.2 of the Data Connect emulator, which fixes a bug with handling of optional enum lists in generated Flutter SDKs. (#9391)

v14.25.1

• Fixed an issue that was causing the MCP server to fail to start when run from directories with deeply nested children.

v14.25.0

• Added Node 24 support.
• Updated superstatic to v10.
• Fixed a crash during parallel deployments when buildConfig is empty (#9455)
• [Added] support for new google-genai plugin during init genkit (#8957)
• Updated to v2.17.1 of the Data Connect emulator, which fixes an admin SDK bug for operation without argument #9449 (#9454).
• Fixed "Precondition failed" error when updating GCFv2 functions in a FAILED state without code changes.

v14.24.2

• Fixes MCP server issue where googleapis is not available. (#9443)

v14.24.1

• Fixed issue where MCP server was blocked by console.log

v14.24.0

• Adds 2nd gen Firebase Data Connect triggers to firebase deploy (#9394).
• Upgrades @google-cloud/pubsub to v5 (#9428).
• Updated to v2.17.0 of the Data Connect emulator, which includes internal improvements and now supports Generated Admin SDKs (#9430).

v14.23.0

• Fix the __name__ normalization of vector indexes for Firestore standard edition databases.
• Fixed an issue where the emulator would fail to start when using firebase-functions v7+ (#9401).
• Added functions.list_functions as a MCP tool (#9369)
• Added AI Logic to firebase init CLI command and firebase_init MCP tool. (#9185)
• Improved error messages for Firebase AI Logic provisioning during 'firebase init' (#9377)
• Fixed issue where 'init hosting' failed to prompt for the public directory and set up Hosting files (#9403)
• Added appdistribution:testcases:export and appdistribution:testcases:import (#9397)
• Updated to v2.16.0 of the Data Connect emulator, which includes internal improvements.
• Data Connect now allows executing a valid query / operation even if the other operations are invalid. (This toleration provides convenience on a best-effort basis. Some errors like invalid syntax can still cause the whole request to be rejected.)
• Fixed enum list deserialization in Data Connect generated Dart SDKs.
• Added GraphQL __typename support in Data Connect.
• Support enum values in Data Connect CEL expressions.
• Support _id, a global ID field in Data Connect.
• Updated to v0.8.17 of the Pub/Sub emulator, which includes vulnerability fixes.

v14.22.0

• Added 'hosting' to the 'firebase_init' MCP tool (#9375)
• Revert logic to abort function deploys in non-interactive mode when secrets are missing. (#9378)

v14.21.0

... (truncated)

Commits

• ccb85c4 14.26.0
• e4cc444 Data Connect Emulator release v2.17.2 (#9498)
• 67362a2 FDC free trial (#9494)
• f85f4db use mcp logger API (#9434)
• 8211843 Update firebase init functions template to latest SDK versions (#9496)
• eec6c5c Add maxDepth to readdirRecursive (#9488)
• 644808c feat: add node.js 24 runtime support with beta status (#9475)
• a15cc04 updates runv2.ts with listServices function and trigger updates (#9482)
• b897caa Support downloading FDC secondary schema sources in firebase init (#9476)
• b1c0572 feat(functions): add remoteSource utility and path resolution helper (#9077)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.