chore(deps): update @google-cloud/firestore to ^8.0.0#3105
chore(deps): update @google-cloud/firestore to ^8.0.0#3105ouzkilic wants to merge 2 commits intofirebase:mainfrom
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request upgrades the @google-cloud/firestore dependency to version 8.0.0 and updates several internal dependencies. It also replaces deep imports of the DEFAULT_DATABASE_ID constant with local definitions in the source and test files. The reviewer feedback suggests exporting this constant from a central location to eliminate duplication and ensure consistency across the codebase.
|
Thanks for your contribution. This is a breaking dependency upgrade and should be included in a major version release. We will look into this. |
ouzkilic
force-pushed
the
fix/update-google-cloud-firestore-optional-dep
branch
from
59bf98f to
3a060ec
Compare
…tallnate/once vulnerability Replace internal import of DEFAULT_DATABASE_ID from @google-cloud/firestore/build/src/path with a local constant, as v8 no longer ships .d.ts for that internal module.
Address review feedback: instead of duplicating the '(default)' string in 3 places, export the constant from the source module and import it in test files.
ouzkilic
force-pushed
the
fix/update-google-cloud-firestore-optional-dep
branch
from
3a060ec to
b58a3a8
Compare
2 participants
Summary
Update
@google-cloud/firestoreoptional dependency range from^7.11.0to^8.0.0to eliminate the vulnerable@tootallnate/once@2.0.0transitive dependency.Problem
@tootallnate/onceversions prior to 3.0.1 are vulnerable to Incorrect ControlFlow Scoping (CWE-705). When AbortSignal is used, Promises remain permanently
pending after abort, causing stalled requests and degraded availability.
The vulnerability chain through
@google-cloud/firestore@^7.11.0:google-gax@4 → retry-request@7 → teeny-request@9 → http-proxy-agent@5 → @tootallnate/once@2.0.0
Fix
@google-cloud/firestore@8.xuses an updated dependency chain that no longerincludes
@tootallnate/once:google-gax@5 → retry-request@8 → teeny-request@10 → http-proxy-agent@7 (no @tootallnate/once)
Additionally, replaced the internal import of
DEFAULT_DATABASE_IDfrom@google-cloud/firestore/build/src/pathwith a local constant'(default)',as v8 no longer ships
.d.tsfor that internal module.Note on @google-cloud/storage
@google-cloud/storage@7.19.0(latest) still pulls in the same vulnerable chainvia
teeny-request@9. This needs to be addressed separately upstream in thegoogleapis/google-cloud-node repository.
Testing
npm ls @tootallnate/onceshows reduced/no results after update