This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
Vulnerabilities in dependency jsonwebtoken, installed through firebase-admin #1126
Labels
api: clouddebugger
Issues related to the googleapis/cloud-debug-nodejs API.
priority: p2
Moderately-important priority. Fix may not be included in next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Overview
The npm package jsonwebtoken at version 8.x.x has four known vulnerabilities, three moderate and one high severity. @google-cloud/debug-agent uses firebase-admin at version 10.x.x, which uses jsonwebtoken at version 8.x.x, thus introducing the vulnerability.
A patch was introduced in firebase-admin version 11.4.1 to upgrade jsonwebtoken to version 9.x.x (see firebase/firebase-admin-node#2023). To resolve this issue, firebase-admin should be upgraded to version 11.4.1 or later.
Breaking changes for firebase-admin version 11.0.0 can be found here. They are as follows:
This may be a sticking point, as it looks like this library still supports Node 12. Node 12 is no longer maintained as of April 30, 2022, so hopefully this means this library can drop support for it.
This package uses TypeScript 4.6.4, so this should not be an issue.
I can't speak to the impact of these changes, but it seems that @google-cloud/firestore and google-cloud/storage are not used directly by this package.
Environment details
@google-cloud/debug-agent version: 7.2.1
Steps to reproduce
@google-cloud/debug-agent in your NodeJS project at version 7.x.x (i.e. npm install --save @google-cloud/debug-agent)
npm audit
Observe the following npm audit report:
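Added example, not part of the original issue or of either project's code: a Node.js sketch that walks the `packages` map of a package-lock.json and reports each dependency chain that ends at a jsonwebtoken release below major version 9, which is how the debug-agent > firebase-admin > jsonwebtoken path described in the issue can be confirmed. The lockfile content, the exact versions and ranges in it, and the helper names `resolveDep`, `belowMajor9` and `findChains` are assumptions made for illustration.

```javascript
// Constructed lockfile (npm lockfileVersion 3 layout). The dependency ranges and
// the exact 10.x / 8.x versions are illustrative, not copied from the issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@google-cloud/debug-agent": "^7.2.1" } },
    "node_modules/@google-cloud/debug-agent": {
      version: "7.2.1", dependencies: { "firebase-admin": "^10.0.0" } },
    "node_modules/firebase-admin": {
      version: "10.3.0", dependencies: { jsonwebtoken: "^8.5.1" } },
    "node_modules/jsonwebtoken": { version: "8.5.1" },
  },
};

// Hypothetical helper: resolve `dep` as Node does, trying the nearest
// node_modules directory first and then each enclosing package's.
function resolveDep(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// The issue's criterion: jsonwebtoken 8.x.x is affected, 9.x.x is the fix.
const belowMajor9 = (version) => Number(version.split(".")[0]) < 9;

// Hypothetical helper: list every root-to-target dependency chain that ends
// at a flagged version of `target`. Enumerates paths, so meant for inspection.
function findChains(lock, target, isFlagged) {
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = lock.packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(lock.packages, path, dep);
      if (!next || seen.has(next)) continue;
      const step = [...trail, `${dep}@${lock.packages[next].version}`];
      if (dep === target && isFlagged(lock.packages[next].version)) chains.push(step.join(" > "));
      walk(next, step, new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

console.log(findChains(sampleLock, "jsonwebtoken", belowMajor9));
```

Because resolution prefers a nested node_modules copy over a hoisted one, the walk still reports a chain when a fixed jsonwebtoken sits at the top level but an 8.x.x copy remains nested under firebase-admin.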