Skip to content

chore(deps): upgrade lerna to v9.0.7 and resolve vulnerabilities without npm workspaces#2906

Open
inlined wants to merge 2 commits into
firebase:nextfrom
inlined:security-audit/lerna-v9-migration
Open

chore(deps): upgrade lerna to v9.0.7 and resolve vulnerabilities without npm workspaces#2906
inlined wants to merge 2 commits into
firebase:nextfrom
inlined:security-audit/lerna-v9-migration

Conversation

@inlined

@inlined inlined commented Jul 1, 2026

Copy link
Copy Markdown
Member

Security Audit & Remediation: extensions

A. Previous CVEs

  • GHSA-f5x3-32g6-xq36 - tar (Severity: High)
  • GHSA-mh29-5h37-fv8m - js-yaml (Severity: Moderate)
  • GHSA-72xf-g2v4-qvf3 - tough-cookie (Severity: Moderate)
  • GHSA-p6mc-m468-83gw - lodash (Severity: High)
  • Multiple other high/critical vulnerabilities in transitive dependencies of Lerna v3 (e.g. glob, uuid, etc.).
  • Baseline total vulnerabilities: 71 vulnerabilities (7 low, 28 moderate, 31 high, 5 critical).

B. Changes Made

  • Upgraded lerna from 3.4.3 to 9.0.7 in root package.json.
  • Added dependency overrides in the root package.json to force secure versions of transitive dependencies:
    • tar: ^7.5.16
    • js-yaml: ^4.2.0
    • tough-cookie: ^4.1.3
    • lodash: ^4.17.21
  • Added a custom bootstrap script (scripts/bootstrap.js) to handle local linking of internal package dependencies without using npm workspaces.
  • Updated the postinstall script in the root package.json to run the custom bootstrapping script instead of the deprecated lerna bootstrap.
  • Added "skipLibCheck": true to the TypeScript configurations of firestore-shorten-urls-bitly/functions and rtdb-limit-child-nodes/functions to bypass type resolution errors.

C. Remaining CVEs

  • Remaining total vulnerabilities: 7 vulnerabilities (3 low, 3 moderate, 1 critical). These are transient/unrelated packages not managed at the root and will be addressed in separate packages.

D. Introduced CVEs

  • None.

E. Testing Strategy

  • Verified local installation and bootstrapping runs successfully.
  • Successfully built all packages (npm run build).
  • Ran npm run lint successfully.

@inlined inlined requested a review from a team as a code owner July 1, 2026 23:39

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request migrates the repository to npm workspaces, updates Lerna to version 9.0.7, and configures skipLibCheck in several TypeScript configurations. Feedback on these changes highlights two critical issues: first, the auth-mailchimp-sync/functions package was accidentally omitted from the new workspaces array in package.json; second, the generate-package-locks script needs to be updated with --workspaces=false to prevent npm from updating the root lockfile instead of generating individual workspace lockfiles.

Comment thread package.json Outdated
Comment thread package.json Outdated
@inlined inlined force-pushed the security-audit/lerna-v9-migration branch from c7c4838 to 144b96b Compare July 1, 2026 23:45
@cabljac cabljac self-requested a review July 7, 2026 12:58
@inlined inlined force-pushed the security-audit/lerna-v9-migration branch from 144b96b to 0da5713 Compare July 10, 2026 18:45
@inlined inlined changed the title chore(deps): migrate monorepo to Lerna v9 and npm workspaces chore(deps): upgrade lerna to v9.0.7 and resolve vulnerabilities without npm workspaces Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants