Transitive dependency to vulnerable node-forge version #2671
Comments
This issue does not seem to follow the issue template. Make sure you provide all the required information.
@wvanderdeijl thank you for all of the detail here. As you noted, we'd have to drop Node 8 support to fix this issue (via @bkendall do you have a canonical "Drop Node 8" issue or milestone where we could collect issues like this?
The official firebase functions documentation states that deployment of node 8 functions hasn't been allowed since February 2020:
This seems to indicate you can no longer deploy node8, but existing functions would continue to run until March 2021. If deployment is no longer allowed, what is the reason to keep node8 compatibility for Firebase-tools?
After reading the docs at https://firebase.google.com/docs/functions/manage-functions#upgrade-node10 again I feel that the statement about not allowing node8 deployments should have mentioned February 2021, not February 2020:
If deployments are allowed until February 2021 I understand the desire to keep node8 compatibility. But it is a shame we will run into (possibly many) security warnings until then. I guess you don't want to go the route of jumping a major version of firebase-tools and keeping both major versions supported for now; the existing major version for node8 and the higher major version for node10+?
@wvanderdeijl thanks for pointing out that docs error, you're right it should be 2021 and that's why we're keeping compatibility. We considered having two simultaneous major versions but in the end it's just too much effort and confusion. Freezing the Node 8 CLI isn't really fair for non-Functions users and backporting features to the Node 8 tree would become more and more difficult over time. Plus our docs about how to install the CLI would be very confusing. The security warnings are definitely scary however the vast majority of them do not affect We're keeping an open mind on this one though. If any specific security warning means we're putting Firebase developers at risk we could revisit this decision and cut off CLI support for Node 8 early.
For anyone following along here, this blog post is a good explanation of what a prototype pollution vulnerability is. It should be extremely hard (maybe impossible) for anyone to exploit this type of vulnerability when using the
Any updates on this? As of firebase-tools 9.14.0 npm audit still throws this warning. I see above that Firebase should have retired node 8 support as of this past February.
@MrAndrew have you tried removing your
Oh yeah, that did the trick. Thanks so much.
That didn't help me, I can still reproduce 4 high severity vulnerabilities as stated in the 1st comment in this issue.
I'm cleaning up the current audit issues for our dependencies, but I'm going to end up closing this issue. We get several variations on audit issues on a regular basis, and since this particular one is so old, I'm going to let it be closed. I do think that all the original issues in the 1st comment have been taken care of.
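An added illustration of the bug class the comment above refers to (prototype pollution); this is not code from the linked blog post, from node-forge or from firebase-tools. `setPathUnsafe` is a hypothetical "set a value at a dotted key path" helper written only for this example, shown beside a hardened `setPathSafe`; the attacker-controlled path is constructed.

```javascript
// Added illustration of the prototype pollution bug class referenced above.
// setPathUnsafe is a generic, hypothetical "set a value at a dotted path"
// helper written for this example; it is NOT node-forge's code.

// Vulnerable: trusts every path segment. Reading obj["__proto__"] on a plain
// object yields Object.prototype, so the walk steps into the shared prototype
// and the final assignment lands on it, affecting every object in the process.
function setPathUnsafe(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === null || typeof cur[key] !== 'object') {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: rejects the segments that reach a prototype, and only walks into
// properties the current object actually owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(obj, path, value) {
  const parts = path.split('.');
  for (const key of parts) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set path segment "${key}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!Object.prototype.hasOwnProperty.call(cur, key) ||
        cur[key] === null || typeof cur[key] !== 'object') {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Constructed attacker input, e.g. a key path taken from a request body.
const ATTACKER_PATH = '__proto__.polluted';

function demonstrate() {
  setPathUnsafe({}, ATTACKER_PATH, 'yes');
  const bystander = {};                 // unrelated object created afterwards
  const leaked = bystander.polluted;    // 'yes': inherited from Object.prototype
  delete Object.prototype.polluted;     // undo the pollution for the rest of the process

  let blocked = false;
  try {
    setPathSafe({}, ATTACKER_PATH, 'yes');
  } catch (e) {
    blocked = true;                     // hardened version refuses the path
  }
  const normal = setPathSafe({}, 'a.b.c', 1); // legitimate use still works
  return { leaked, blocked, normalValue: normal.a.b.c, cleaned: ({}).polluted };
}

console.log(demonstrate());
```

The key point for the thread's risk assessment is the first line of `demonstrate`: the path has to come from an attacker and reach the vulnerable helper, which is why exploitability depends on what input the affected code path actually accepts.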
Using the latest version of firebase-tools (8.11.2) will introduce a vulnerable version of `node-forge` to your project which throws `npm audit` warnings about a high severity vulnerability. This raises all sorts of red flags, including internal security monitoring at our enterprise.

This would probably require updating the dependencies `@google-cloud/pubsub`, `google-auth-library` and `google-gax`. This would mean dropping support for node v8 and judging from #2619 you are not enthusiastic to do so. Please reconsider this as node 8 has been end of life since 2019-12-31.

[REQUIRED] Environment info
firebase-tools: 8.11.2
Platform: macOS 10.15.6
[REQUIRED] Test case
[REQUIRED] Steps to reproduce
see test case
[REQUIRED] Expected behavior
No vulnerabilities reported by `npm audit`
[REQUIRED] Actual behavior
`npm audit` reports vulnerabilities after a fresh install of `firebase-tools`
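The chain the issue describes (firebase-tools pulling in node-forge through @google-cloud/pubsub, google-auth-library and google-gax) can be traced from the lockfile rather than read off an `npm audit` summary. The script below is an added example, not code from the issue or from firebase-tools: it walks an npm 6-style (lockfileVersion 1) package-lock, resolves each `requires` entry the way npm does (nearest nested `dependencies` map first, then each ancestor's, then the root's), lists every path from a direct dependency to a target package, and flags paths whose resolved version is below a caller-supplied fixed version. The embedded lockfile, all version numbers and the `fixedIn` value are constructed for illustration; they are not firebase-tools' real dependency tree or node-forge's real fix version.

```javascript
// Added example: trace every dependency chain to a package in an npm 6 style
// (lockfileVersion 1) package-lock.json. Not firebase-tools' code.

// CONSTRUCTED lockfile: package names follow the issue, but the versions,
// nesting and tree shape are invented for illustration.
const sampleLock = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    'firebase-tools': {
      version: '0.0.1',
      requires: { '@google-cloud/pubsub': '*', 'google-gax': '*' },
    },
    '@google-cloud/pubsub': {
      version: '0.0.1',
      requires: { 'google-auth-library': '*', 'google-gax': '*' },
    },
    'google-gax': {
      version: '0.0.1',
      requires: { 'google-auth-library': '*' },
      // nested copies shadow the top-level ones inside google-gax's subtree
      dependencies: {
        'google-auth-library': { version: '0.0.2', requires: { 'node-forge': '*' } },
        'node-forge': { version: '0.10.0' },
      },
    },
    'google-auth-library': { version: '0.0.1', requires: { 'node-forge': '*' } },
    'node-forge': { version: '0.9.0' },
  },
};

// Resolve `name` as npm would from a package whose ancestor chain is `chain`
// (root lock object first, innermost package last): the nearest nested
// `dependencies` map wins, then each ancestor's, then the root's.
function resolve(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies;
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) {
      return chain.slice(0, i + 1).concat(deps[name]);
    }
  }
  return null; // lockfile is incomplete for this entry
}

// All paths from the given direct dependencies to `target`, with the version
// actually resolved at the end of each path.
function findPaths(lock, directDeps, target) {
  const results = [];
  function walk(chain, names, onPath) {
    const record = chain[chain.length - 1];
    if (names[names.length - 1] === target) {
      results.push({ path: names.join(' > '), version: record.version });
      return;
    }
    if (onPath.has(record)) return; // cycle guard for circular requires
    onPath.add(record);
    for (const req of Object.keys(record.requires || {})) {
      const next = resolve(chain, req);
      if (next) walk(next, names.concat(req), onPath);
    }
    onPath.delete(record);
  }
  for (const name of directDeps) {
    const chain = resolve([lock], name);
    if (chain) walk(chain, [name], new Set());
  }
  return results;
}

// Minimal major.minor.patch comparison (no ranges or prerelease tags).
function olderThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Paths whose resolved version is below `fixedIn` (a hypothetical value here).
function vulnerablePaths(lock, directDeps, target, fixedIn) {
  return findPaths(lock, directDeps, target).filter(p => olderThan(p.version, fixedIn));
}

// Usage: the direct dependency list normally comes from package.json.
for (const p of vulnerablePaths(sampleLock, ['firebase-tools'], 'node-forge', '0.10.0')) {
  console.log(`${p.path}@${p.version}`);
}
```

On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))` and the direct dependency list with the keys of `dependencies` in package.json; the output tells you which intermediate package still resolves to the old version, which is the package that has to move before the warning can go away.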