Security Audit & Remediation: Repository Dependencies #3191

Open
inlined wants to merge 1 commit into firebase:main from inlined:security-audit/repository-remediation

Conversation

@inlined inlined commented Jun 23, 2026
Member

Security Audit & Remediation: Repository Dependencies

A. Previous CVEs

B. Changes Made

  • Purged Completely Unused Dependencies: Removed farmhash-modern from production dependencies and request, request-promise, @types/request, @types/request-promise from devDependencies. Comprehensive codebase searches (src/, test/, and scripts) confirmed these packages were 100% unused anywhere in the repository (stale leftovers from past refactorings). Removing them eliminated the tough-cookie prototype pollution vulnerability without requiring any code modifications.
  • Lockfile Security Updates: Ran npm audit fix, updating the dev dependency lockfile resolutions for serialize-javascript and diff.

C. Remaining CVEs

  • validator, semver, ajv, js-yaml, cross-spawn (Required by @firebase/api-documenter): No non-breaking fix available upstream without major version upgrades of rushstack tools.
  • retry-request & teeny-request (Required by @google-cloud/storage / @google-cloud/firestore): Optional cloud SDK dependencies.

D. Introduced CVEs

  • None

E. Testing Strategy

  • Ran automated linter (npm run lint:src) - passing.
  • Executed unit test suite (npm run test:unit) - passing.
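The description above relies on codebase searches to confirm that the purged packages were not referenced anywhere before they were removed. The following script is an added example, not code from the PR or the firebase-admin-node project; it shows how such a pre-removal check can be scripted so that it is repeatable in CI: it greps the src/, test/ and scripts/ trees for import/require references to each candidate package and lists those with none. The fixture directory, file names and package references it builds are constructed for the demonstration, and the matching is anchored on the surrounding quote so that a short name such as request does not match request-promise or retry-request.

```shell
#!/usr/bin/env sh
# Added example (not from the PR): list dependencies with no import/require
# reference under the given source trees before removing them from package.json.
set -eu

# is_referenced PKG DIR... -> exit 0 if PKG is imported/required under any DIR.
# Matches require('pkg'), require("pkg/sub"), from 'pkg', import 'pkg'.
# The quote before the name prevents substring hits (request vs retry-request).
is_referenced() {
  pkg="$1"; shift
  esc=$(printf '%s' "$pkg" | sed 's/\./\\./g')   # only '.' is special in a package name
  for sdir in "$@"; do
    [ -d "$sdir" ] || continue
    if grep -rEq "(require\(|from |import )['\"]${esc}(/[^'\"]*)?['\"]" "$sdir"; then
      return 0
    fi
  done
  return 1
}

# unused_packages ROOT PKG... -> prints, one per line, the PKGs that are not
# referenced under ROOT/src, ROOT/test or ROOT/scripts.
# Caveat: a package used only through its CLI (for example from an npm script
# in package.json) has no import and must be checked separately.
unused_packages() {
  root="$1"; shift
  for pkg in "$@"; do
    if ! is_referenced "$pkg" "$root/src" "$root/test" "$root/scripts"; then
      printf '%s\n' "$pkg"
    fi
  done
}

# make_fixture -> prints the path of a constructed sample repository layout.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/src" "$fx/test" "$fx/scripts"
  printf "import { sign } from 'jsonwebtoken';\n" > "$fx/src/auth.ts"          # constructed
  printf "const rr = require('retry-request');\n" > "$fx/scripts/fetch.js"      # constructed
  printf "import * as chai from 'chai';\n" > "$fx/test/setup.ts"               # constructed
  printf '%s\n' "$fx"
}

# Usage: candidates are the names from the PR description plus two that are referenced.
fixture=$(make_fixture)
echo "Unreferenced candidates:"
unused_packages "$fixture" request request-promise farmhash-modern jsonwebtoken retry-request
rm -rf "$fixture"
```

The expected output lists request, request-promise and farmhash-modern only; jsonwebtoken and retry-request are kept because they are imported. Run the same check against the real tree before purging a dependency, and pair it with the lint and unit-test run described above, since a successful grep proves absence of imports but not absence of runtime use through npm scripts or dynamic requires.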

@wiz-9635d3485b


Wiz Scan Summary

Scanner                       Findings
Vulnerability Finding         Vulnerabilities: 1 Medium
Data Finding                  Sensitive Data: -
Secret Finding                Secrets: -
IaC Misconfiguration          IaC Misconfigurations: -
SAST Finding                  SAST Findings: -
Software Management Finding   Software Management Findings: -
Total                         1 Medium

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request cleans up the project's dependencies by removing farmhash-modern from the main dependencies, as well as the deprecated request and request-promise libraries along with their corresponding TypeScript type definitions (@types/request and @types/request-promise) from the development dependencies. There are no review comments to assess, and the changes appear to be a straightforward dependency cleanup.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request removes the farmhash-modern dependency as well as the deprecated request and request-promise packages, along with their corresponding @types definitions, from package.json and package-lock.json. It also updates various transitive dependencies in the lock file. There are no review comments provided, and I have no feedback to offer.

@lahirumaramba lahirumaramba left a comment

Member

Thank you! LGTM
