fix(deps): update dependency firebase-tools to v13 [security]#1
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency firebase-tools to v13 [security]#1renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
July 1, 2024 08:43
043ef67 to
cc337ec
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
August 1, 2024 09:57
cc337ec to
70c5599
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
September 1, 2024 10:30
70c5599 to
93f24d9
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
October 1, 2024 07:19
93f24d9 to
e879a16
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
December 8, 2024 23:52
4dd1b42 to
e879a16
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
February 1, 2025 09:47
e879a16 to
d251f7b
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
April 1, 2025 10:18
d251f7b to
f1d48fe
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
May 1, 2025 09:36
f1d48fe to
978ab58
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
July 1, 2025 09:40
978ab58 to
759184f
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
2 times, most recently
from
August 13, 2025 12:37
7c1162a to
adbe12e
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
August 19, 2025 12:03
adbe12e to
03f5c8c
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
August 31, 2025 11:59
03f5c8c to
eddbbdf
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
September 26, 2025 07:15
eddbbdf to
e5c4343
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
October 25, 2025 19:33
e5c4343 to
e05e009
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
November 10, 2025 21:55
e05e009 to
1d8cbe1
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
November 18, 2025 23:44
1d8cbe1 to
ae16907
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
December 3, 2025 16:37
ae16907 to
c513501
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
December 31, 2025 17:54
c513501 to
7e1ad45
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
January 8, 2026 21:27
7e1ad45 to
5bd2c35
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
January 19, 2026 20:35
5bd2c35 to
ed276c5
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
February 2, 2026 16:33
ed276c5 to
8b84493
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
2 times, most recently
from
February 17, 2026 18:02
726d7cc to
9d66927
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
March 5, 2026 16:35
9d66927 to
4e2548f
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
March 13, 2026 12:33
4e2548f to
3aab6cf
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
3 times, most recently
from
April 1, 2026 22:06
fea58bc to
fe32de1
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
April 8, 2026 16:06
fe32de1 to
000a917
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
April 29, 2026 17:00
000a917 to
099abd3
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
2 times, most recently
from
May 18, 2026 13:31
4f4720a to
194e8dc
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
2 times, most recently
from
June 2, 2026 00:04
1f9101a to
a9960d7
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
June 11, 2026 09:46
a9960d7 to
111efc8
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
July 12, 2026 15:14
111efc8 to
610137e
Compare
renovate
Bot
force-pushed
the
renovate/npm-firebase-tools-vulnerability
branch
from
July 16, 2026 18:36
610137e to
0bc68c1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^11.30.0→^13.0.0Firebase vulnerable to CRSF attack
CVE-2024-4128 / GHSA-rcm2-22f3-pqv3
More information
Details
This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
firebase/firebase-tools (firebase-tools)
v13.6.0Compare Source
resetendpoint for Datastore Mode.no_wrapperoptions.v13.5.2Compare Source
v13.5.1Compare Source
v13.5.0Compare Source
v13.4.1Compare Source
GOOGLE_CLOUD_QUOTA_PROJECTwas not correctly respected. (#6801)v13.4.0Compare Source
v13.3.1Compare Source
--database-modeflag togcloud emulator firestore startcommand. Notethat this is a preview feature and if you find any bugs, please file them
here: https://github.com/firebase/firebase-tools/issues.
v13.3.0Compare Source
firestore:deletewouldn't target the emulator when expected. (#6537)v13.2.1Compare Source
appdistribution:distributewould always attempt to run tests. (#6749)v13.2.0Compare Source
v13.1.0Compare Source
v13.0.3Compare Source
exportin .env files caused parsing errors. (#6629)v13.0.2Compare Source
v13.0.1Compare Source
firebase init hosting. (#6562)firebase init hosting. (#6309)v13.0.0Compare Source
functions:shellto remove dependency on deprecatedrequestmodule.request.ext:dev:publishcommand. Useext:dev:uploadinstead.functionsdirectory if there is nofunctionsconfig infirebase.json. (#6450)--non-interactiveflag is not respected in Firestore indexes deploys. (#6539)login:usewould not work outside of a Firebase project directory. (#6526)not-foundrequiring a Cloud Function in Next.js deployments. (#6558)v12.9.1Compare Source
v12.9.0Compare Source
--log-verbosityflag (#2859).v12.8.1Compare Source
v12.8.0Compare Source
v12.7.0Compare Source
FIRESTORE_EMULATOR_HOSTenvironment variable on functions deploy. (#6442)--verbosityflag toemulators:*commands that limits what logs are printed (#2859)v12.6.2Compare Source
v12.6.1Compare Source
v12.6.0Compare Source
emulators:exportdid not check if the target folder is empty. (#6313)v12.5.4Compare Source
v12.5.3Compare Source
npm. (#6132)--non-interactiveand--forcewere not respected in some extension deploys. (#6321)v12.5.2Compare Source
v12.5.1Compare Source
v12.5.0Compare Source
v12.4.8Compare Source
2.9.7and above. (#6213)v12.4.7Compare Source
firebase init hosting:githubfails due to max number of keys limit for a service account. (#6145)functions:secrets:\*family of commands did not work when Firebase CLI is authenticated via GOOGLE_APPLICATION_CREDENTIALS (#6190)v12.4.6Compare Source
globusage in Next.js utility function to detect images inappdirectory (#6166)firebase experiments:enableto the emulator suite UI (#6169)v12.4.5Compare Source
functions:secrets:setdidn't remove stale versions of a secret. (#6080)firebase deploy --only firestore:named-dbdidn't update rules. (#6129)next/imagecomponent in app directory for Next.js > 13.4.9. (#6143)vm2. (#6150)v12.4.4Compare Source
database:listwould have inaccurate results. (#6063)v12.4.3Compare Source
firebase open hostingandfirebase open crash. (#6073)v12.4.2Compare Source
ext:installto use the latest extension metadata. (#5997)ext:dev:upload. (#6052)ext:dev:upload. (#6054)v12.4.1Compare Source
firebase emulators:startto crash in Next.js apps (#6005)v12.4.0Compare Source
appdistribution:group:createandappdistribution:group:delete. (#5978)--group-aliasoption toappdistribution:testers:addandappdistribution:testers:remove. (#5978)v12.3.1Compare Source
v12.3.0Compare Source
--importflag directory does not exist. (#5851)ext:dev:initto default 'billingRequired' to true inextension.yamlLOCATIONparam from theextensions.yamltemplate forext:dev:initv12.2.1Compare Source
v12.2.0Compare Source
serveOptimizedImages. (#5716)ssr: falseandbaseURLwhen using Nuxt. (#5716)FIREBASE_FRAMEWORKS_BUILD_TARGETenvironment variable to override the default build target (#5572).v12.1.0Compare Source
firebase emulators:startwhen Python Cloud Functions directory path has spaces. (#5854)v12.0.1Compare Source
firebase emulators:startandfirebase deploywhen Python Cloud Functions directory path has spaces. (#5830)v12.0.0Compare Source
ext:dev:*commands to publish and manage Extensions. For step-by-step instructions on how to publish your own Extensions, see https://firebase.google.com/docs/extensions/publishers/get-started.ext:dev:publishhas been renamed toext:dev:upload.ext:dev:uploaddefaults to uploading extensions from GitHub instead of local source.ext:dev:publishis deprecated and will be removed in version 13.ext:dev:delete,ext:dev:unpublish,ext:sources:createandext:dev:emualtors:*have been removed.firebase.jsoncontained multiple storage targets (#5170)firebase initfunction templates for TypeScript and Javascript to 2nd gen (#5775)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.