[Snyk] Upgrade firebase-tools from 3.18.4 to 3.19.3 #4

snyk-bot · 2021-07-28T00:48:20Z

Snyk has created this PR to upgrade firebase-tools from 3.18.4 to 3.19.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 6 versions ahead of your current version.
The recommended version was released 3 years ago, on 2018-07-03.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Directory Traversal npm:superstatic:20180429	601/1000 Why? Mature exploit, CVSS 8.6	Mature
Prototype Pollution npm:extend:20180424	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Prototype Pollution npm:deep-extend:20180409	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Uninitialized Memory Exposure npm:base64url:20180511	601/1000 Why? Mature exploit, CVSS 8.6	Mature
Prototype Pollution SNYK-JS-Y18N-1021887	601/1000 Why? Mature exploit, CVSS 8.6	Proof of Concept
Arbitrary File Overwrite SNYK-JS-TAR-174125	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Arbitrary Command Injection npm:open:20180512	601/1000 Why? Mature exploit, CVSS 8.6	Proof of Concept
Arbitrary Code Injection SNYK-JS-OPEN-174041	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Prototype Pollution SNYK-JS-LODASHMERGE-173732	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Prototype Pollution SNYK-JS-INI-1048974	601/1000 Why? Mature exploit, CVSS 8.6	Proof of Concept
Remote Memory Exposure SNYK-JS-BL-608877	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Prototype Pollution SNYK-JS-AJV-584908	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Prototype Pollution SNYK-JS-AJV-584908	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	601/1000 Why? Mature exploit, CVSS 8.6	Mature
Uninitialized Memory Exposure npm:stringstream:20180511	601/1000 Why? Mature exploit, CVSS 8.6	Mature
Prototype Pollution npm:hoek:20180212	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Insecure Randomness npm:cryptiles:20180710	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Time of Check Time of Use (TOCTOU) npm:chownr:20180731	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Arbitrary Code Injection SNYK-JS-MORGAN-72579	601/1000 Why? Mature exploit, CVSS 8.6	Proof of Concept
Prototype Pollution SNYK-JS-MINIMIST-559764	601/1000 Why? Mature exploit, CVSS 8.6	Proof of Concept
Prototype Pollution SNYK-JS-MINIMIST-559764	601/1000 Why? Mature exploit, CVSS 8.6	Proof of Concept
Prototype Pollution SNYK-JS-LODASHMERGE-173733	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit
Denial of Service (DoS) SNYK-JS-AXIOS-174505	601/1000 Why? Mature exploit, CVSS 8.6	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: firebase-tools

3.19.3 - 2018-07-03
- Fix bug where API error messages were swallowed up by "TypeError: Cannot create property 'error' on string".
3.19.2 - 2018-07-02
- Fixed bug where function emulator did not properly set timeout to 9 minutes.
- Improved function deploy resilience to temporary errors during upload
3.19.1 - 2018-06-26
- Updating dependencies to patch security vulnerabilities.
3.19.0 - 2018-06-22
- Add --instance flag to firebase database:* commands to allow selection of non-default database instances.
- Add --hash-input-order flag to firebase auth:import to designate order of password and salt.
- Cloud Firestore indexes now support ARRAY_CONTAINS indexing.
3.18.6 - 2018-06-05
- Fixed bug where firestore:delete only worked for the first 20 collections.
- Fixed erroneous error message that the project did not have any HTTPS functions when running firebase serve when in fact there were.
3.18.5 - 2018-05-21
- Support the --host flag for firebase serve --only functions and firebase experimental:functions:shell (this flag was released in 3.17.0 and removed in 3.17.2 due to a bug).
- Update vulnerable jsonwebtoken dependency to v8.2.1.
3.18.4 - 2018-04-13
- Fixed an issue that caused a module loading error.
- Fixed an issue with the functions emulator returning incorrect values for before and after.

from firebase-tools GitHub release notes

Commit messages

Package name: firebase-tools

8c65d33 [firebase-release] Updated CLI to 3.19.3
d29567b Changelog for v3.19.3
5ad18b3 Fix typeError in lib/responseToError.js (#817)
b2392ae Bold product name when deploying rules (#816)
a9ff9f5 [firebase-release] Removed change log and reset repo after 3.19.2 release
c406004 [firebase-release] Updated CLI to 3.19.2
600b0fa Changelog for v3.19.2 (#813)
6e14dff Retry on 503 error when generating functions upload URL (#811)
b342ba7 Handle empty configstore with FIREBASE_TOKEN. Fixes #364
ead7027 Add 9-minute timeout to emulated functions. Fixes #669
9d1508f [firebase-release] Removed change log and reset repo after 3.19.1 release
3652b65 [firebase-release] Updated CLI to 3.19.1
b50f56f Merge pull request #808 from firebase/mb-3-19-1
352c821 Changelog for v3.19.1 and dep update
cd4fc84 Removes vulnerable deps and adds gulp dev dep (#769) (#807)
e1c1b23 [firebase-release] Removed change log and reset repo after 3.19.0 release
b5eba80 [firebase-release] Updated CLI to 3.19.0
a67bf56 Changelog for v3.19.0 (#805)
61a2ac4 Add support for ARRAY_CONTAINS index mode (#798)
f704c2b Merge branch 'master' of github.com:FirebasePrivate/firebase-tools
347f1cb Add --hash-input-order flag. (#271)
2de7029 Add MultiDB support for database:* commands (#800)
592a288 [firebase-release] Removed change log and reset repo after 3.18.6 release
242d620 [firebase-release] Updated CLI to 3.18.6