
chore(providers): bump firebase-admin dep #7256

Open · wants to merge 7 commits into base: next

Conversation

danikp
Contributor

@danikp danikp commented Dec 9, 2024

update firebase-admin to solve supply chain issue with critical bug in protobufjs library

What changed? Why was the change needed?

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than GHSA-g954-5hwp-pp24. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about `Object.constructor.prototype. = ...;` whereas GHSA-g954-5hwp-pp24 was about `Object.__proto__. = ...;` instead.
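As an added example (not part of this PR or the Novu project), a dependency-free Node.js check that scans pnpm-lock.yaml text for protobufjs entries inside the affected ranges quoted above, so a reviewer can confirm the bump actually removed every vulnerable copy from the lockfile. The lockfile fragment at the bottom is constructed; it is not the repository's real lock file.

```javascript
// Affected ranges from the PR description (half-open: from <= v < before):
//   6.10.0 <= v < 6.11.4   and   7.0.0 <= v < 7.2.4
// pnpm-lock.yaml is scanned with a regex rather than a YAML parser; that is
// enough for the "name@version" package keys pnpm writes (v6 and v9 formats).
const VULNERABLE_RANGES = [
  { from: [6, 10, 0], before: [6, 11, 4] },
  { from: [7, 0, 0], before: [7, 2, 4] },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; any -prerelease/+build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside one of the affected ranges.
function isVulnerableProtobufjs(version) {
  const v = parseVersion(version);
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.before) < 0,
  );
}

// Find package keys like "/protobufjs@7.2.3:" (pnpm v6) or "protobufjs@7.2.3:"
// (pnpm v9) and return the sorted, de-duplicated list of affected versions.
function findVulnerableProtobufjs(lockfileText) {
  const found = new Set();
  const re = /(?:^|[\s/'"])protobufjs@(\d+\.\d+\.\d+[^\s:'"()]*)/g;
  let m;
  while ((m = re.exec(lockfileText)) !== null) {
    if (isVulnerableProtobufjs(m[1])) found.add(m[1]);
  }
  return [...found].sort();
}

// Constructed lockfile fragment: one fixed 6.x, one fixed 7.x, one affected 6.x, one affected 7.x.
const SAMPLE_LOCK = `packages:
  /protobufjs@6.11.3:
  /protobufjs@6.11.4:
  /protobufjs@7.2.4:
  /protobufjs@7.2.3:
`;

console.log(findVulnerableProtobufjs(SAMPLE_LOCK)); // → [ '6.11.3', '7.2.3' ]
```

Run it against the real file with `node check.js < pnpm-lock.yaml` after replacing `SAMPLE_LOCK` with the stdin contents; an empty list means no transitive copy in the affected ranges remains.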


netlify bot commented Dec 9, 2024

👷 Deploy request for dev-web-novu pending review.

Visit the deploys page to approve it

🔨 Latest commit 99acc91


netlify bot commented Dec 9, 2024

👷 Deploy request for dashboard-v2-novu-staging pending review.

Visit the deploys page to approve it

🔨 Latest commit 99acc91

@danikp danikp changed the title bump firebase-admin dep chore(providers) bump firebase-admin dep Dec 9, 2024
@danikp danikp changed the title chore(providers) bump firebase-admin dep chore(providers): bump firebase-admin dep Dec 9, 2024
@scopsy
Contributor

scopsy commented Dec 10, 2024

@danikp will need to also run pnpm i in the root folder to update lock file

@danikp
Contributor Author

danikp commented Dec 11, 2024

> @danikp will need to also run pnpm i in the root folder to update lock file

done
