From f3cec28dfbdfc7f19c8218cf9d26956235d03fb0 Mon Sep 17 00:00:00 2001
From: Christina Holland
Date: Tue, 27 Feb 2024 06:11:33 -0800
Subject: [PATCH] Bump undici due to security issue (#8044)
See https://github.com/advisories/GHSA-3787-6prv-h9w3 For reference, `undici` is used to polyfill `fetch` in our Node bundles, as we are not restricting Node support to 18+ yet. Fixes https://github.com/firebase/firebase-js-sdk/issues/8038
---
 .changeset/short-falcons-look.md | 9 +++++++++
 integration/messaging/package.json | 2 +-
 package.json | 2 +-
 packages/auth-compat/package.json | 2 +-
 packages/auth/package.json | 2 +-
 packages/firestore/package.json | 2 +-
 packages/functions/package.json | 2 +-
 packages/storage/package.json | 2 +-
 repo-scripts/changelog-generator/package.json | 2 +-
 yarn.lock | 8 ++++----
 10 files changed, 21 insertions(+), 12 deletions(-)
 create mode 100644 .changeset/short-falcons-look.md
diff --git a/.changeset/short-falcons-look.md b/.changeset/short-falcons-look.md
new file mode 100644
index 00000000000..fbedc2cccec
--- /dev/null
+++ b/.changeset/short-falcons-look.md
@@ -0,0 +1,9 @@
+---
+'@firebase/auth-compat': patch
+'@firebase/firestore': patch
+'@firebase/functions': patch
+'@firebase/storage': patch
+'@firebase/auth': patch
+---
+
+Bump undici version to 5.28.3 due to security issue.
diff --git a/integration/messaging/package.json b/integration/messaging/package.json
index f18f9fe2793..f335013cfb0 100644
--- a/integration/messaging/package.json
+++ b/integration/messaging/package.json
@@ -15,7 +15,7 @@
 "express": "4.18.2",
 "geckodriver": "2.0.4",
 "mocha": "9.2.2",
- "undici": "5.26.5",
+ "undici": "5.28.3",
 "selenium-assistant": "6.1.1"
 }
 }
diff --git a/package.json b/package.json
index 1bda3af3eec..48ac6c7b8f0 100644
--- a/package.json
+++ b/package.json
@@ -153,7 +153,7 @@
 "tslint": "6.1.3",
 "typedoc": "0.16.11",
 "typescript": "4.7.4",
- "undici": "5.26.5",
+ "undici": "5.28.3",
 "watch": "1.0.2",
 "webpack": "5.76.0",
 "yargs": "17.7.2"
diff --git a/packages/auth-compat/package.json b/packages/auth-compat/package.json
index 6f0847fd7ec..00e2f14f4e3 100644
--- a/packages/auth-compat/package.json
+++ b/packages/auth-compat/package.json
@@ -54,7 +54,7 @@
 "@firebase/auth-types": "0.12.0",
 "@firebase/component": "0.6.5",
 "@firebase/util": "1.9.4",
- "undici": "5.26.5",
+ "undici": "5.28.3",
 "tslib": "^2.1.0"
 },
 "license": "Apache-2.0",
diff --git a/packages/auth/package.json b/packages/auth/package.json
index 3d83b555e53..f36b48c34ae 100644
--- a/packages/auth/package.json
+++ b/packages/auth/package.json
@@ -129,7 +129,7 @@
 "@firebase/component": "0.6.5",
 "@firebase/logger": "0.4.0",
 "@firebase/util": "1.9.4",
- "undici": "5.26.5",
+ "undici": "5.28.3",
 "tslib": "^2.1.0"
 },
 "license": "Apache-2.0",
diff --git a/packages/firestore/package.json b/packages/firestore/package.json
index 94e3c73f2ae..474a2e34d75 100644
--- a/packages/firestore/package.json
+++ b/packages/firestore/package.json
@@ -102,7 +102,7 @@
 "@firebase/webchannel-wrapper": "0.10.5",
 "@grpc/grpc-js": "~1.9.0",
 "@grpc/proto-loader": "^0.7.8",
- "undici": "5.26.5",
+ "undici": "5.28.3",
 "tslib": "^2.1.0"
 },
 "peerDependencies": {
diff --git a/packages/functions/package.json b/packages/functions/package.json
index 29e9e5480e2..0caaed9a3ba 100644
--- a/packages/functions/package.json
+++ b/packages/functions/package.json
@@ -71,7 +71,7 @@
 "@firebase/auth-interop-types": "0.2.1",
 "@firebase/app-check-interop-types": "0.3.0",
 "@firebase/util": "1.9.4",
- "undici": "5.26.5",
+ "undici": "5.28.3",
 "tslib": "^2.1.0"
 },
 "nyc": {
diff --git a/packages/storage/package.json b/packages/storage/package.json
index 361fe189afc..7416dc8646c 100644
--- a/packages/storage/package.json
+++ b/packages/storage/package.json
@@ -48,7 +48,7 @@
 "dependencies": {
 "@firebase/util": "1.9.4",
 "@firebase/component": "0.6.5",
- "undici": "5.26.5",
+ "undici": "5.28.3",
 "tslib": "^2.1.0"
 },
 "peerDependencies": {
diff --git a/repo-scripts/changelog-generator/package.json b/repo-scripts/changelog-generator/package.json
index 648892ad527..3a7989d9dc3 100644
--- a/repo-scripts/changelog-generator/package.json
+++ b/repo-scripts/changelog-generator/package.json
@@ -20,7 +20,7 @@
 "@changesets/types": "3.3.0",
 "@changesets/get-github-info": "0.5.2",
 "@types/node": "20.8.10",
- "undici": "5.26.5"
+ "undici": "5.28.3"
 },
 "license": "Apache-2.0",
 "devDependencies": {
diff --git a/yarn.lock b/yarn.lock
index 2629a0f7e1e..cc12132428f 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -16835,10 +16835,10 @@ undici-types@~5.26.4: resolved "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz#bcd539893d00b56e964fd2657a4866b221a65617" integrity sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA== -undici@5.26.5: - version "5.26.5" - resolved "https://registry.npmjs.org/undici/-/undici-5.26.5.tgz#f6dc8c565e3cad8c4475b187f51a13e505092838" - integrity sha512-cSb4bPFd5qgR7qr2jYAi0hlX9n5YKK2ONKkLFkxl+v/9BvC0sOpZjBHDBSXc5lWAf5ty9oZdRXytBIHzgUcerw== +undici@5.28.3: + version "5.28.3" + resolved "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz#a731e0eff2c3fcfd41c1169a869062be222d1e5b" + integrity sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA== dependencies: "@fastify/busboy" "^2.0.0"