Re: [Firebase] npm + firebase-tools

161 views

Skip to first unread message

Sam Stern

unread,

Apr 16, 2019, 12:48:10 PM4/16/19

to Firebase Google Group

Thanks for reporting this! Looks like we need to update our dependencies in "firebase-tools" to pick up a later version of lodash. There's nothing you need to do on your end to fix this, and it looks like these issues are low/moderate severity so hopefully they don't totally block you.

- Sam

On Sun, Apr 14, 2019 at 8:53 PM Guanaco Devs <guana...@gmail.com> wrote:

In order to be able to delete a user and its collections from my Firestore, I'm using:
function cleanup(uId) { const firebase_tools = require("firebase-tools"); return firebase_tools.firestore .delete(`/user_data/${uId}`, { project: process.env.GCLOUD_PROJECT, recursive: true, yes: true }); }
firebase-tools is installed system wide and also I had to install it installed it in my project to getting working.
When I install/update firebase-tools I get the following warning:
found 4 vulnerabilities (1 low, 3 moderate) run `npm audit fix` to fix them, or `npm audit` for details
How can I deal with this warning.

npm audit
throws:
=== npm audit security report === # Run npm update lodash --depth 5 to resolve 1 vulnerability ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ firebase-tools │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ firebase-tools > @google-cloud/functions-emulator > │ │ │ googleapis > async > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/782 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │ Manual Review │ │ Some vulnerabilities require your attention to resolve │ │ │ │ Visit https://go.npm.me/audit-guide for additional guidance │ └──────────────────────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.17.11 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ firebase-tools │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ firebase-tools > @google-cloud/functions-emulator > │ │ │ cli-table2 > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/782 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.17.11 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ firebase-tools │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ firebase-tools > @google-cloud/functions-emulator > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/782 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.17.5 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ firebase-tools │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ firebase-tools > @google-cloud/functions-emulator > │ │ │ cli-table2 > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/577 │ └───────────────┴──────────────────────────────────────────────────────────────┘ found 4 vulnerabilities (1 low, 3 moderate) in 3926 scanned packages run `npm audit fix` to fix 1 of them. 3 vulnerabilities require manual review. See the full report for details.

All warnings are Prototype Pollution related with lodash, how should I deal with this warning?

Best Regards
Guanaco Devs

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/c2cd5600-874a-45d2-a5d0-58e8364f2feb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply all

Reply to author

Forward

0 new messages