chore(deps): update @google-cloud/firestore to ^8.0.0#3105
ouzkilic wants to merge 2 commits into firebase:main from
…tallnate/once vulnerability Replace internal import of DEFAULT_DATABASE_ID from @google-cloud/firestore/build/src/path with a local constant, as v8 no longer ships .d.ts for that internal module. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request upgrades the @google-cloud/firestore dependency to version 8.0.0 and updates several internal dependencies. It also replaces deep imports of the DEFAULT_DATABASE_ID constant with local definitions in the source and test files. The reviewer feedback suggests exporting this constant from a central location to eliminate duplication and ensure consistency across the codebase.
Address review feedback: instead of duplicating the '(default)' string in 3 places, export the constant from the source module and import it in test files. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Thanks for your contribution. This is a breaking dependency upgrade and should be included in a major version release. We will look into this.
Summary

Update @google-cloud/firestore optional dependency range from ^7.11.0 to ^8.0.0 to eliminate the vulnerable @tootallnate/once@2.0.0 transitive dependency.

Problem

@tootallnate/once versions prior to 3.0.1 are vulnerable to Incorrect Control Flow Scoping (CWE-705). When AbortSignal is used, Promises remain permanently pending after abort, causing stalled requests and degraded availability.

The vulnerability chain through @google-cloud/firestore@^7.11.0:

google-gax@4 → retry-request@7 → teeny-request@9 → http-proxy-agent@5 → @tootallnate/once@2.0.0

Fix

@google-cloud/firestore@8.x uses an updated dependency chain that no longer includes @tootallnate/once:

google-gax@5 → retry-request@8 → teeny-request@10 → http-proxy-agent@7 (no @tootallnate/once)

Additionally, replaced the internal import of DEFAULT_DATABASE_ID from @google-cloud/firestore/build/src/path with a local constant '(default)', as v8 no longer ships .d.ts for that internal module.

Note on @google-cloud/storage

@google-cloud/storage@7.19.0 (latest) still pulls in the same vulnerable chain via teeny-request@9. This needs to be addressed separately upstream in the googleapis/google-cloud-node repository.

Testing

npm ls @tootallnate/once shows reduced/no results after update