'npm i firebase' leading to 10 severe vulnerabilities because of vulnerable node-fetch #5944

Closed
himanshu1316 opened this issue Jan 27, 2022 · 5 comments

himanshu1316 commented Jan 27, 2022

Specs:

  • Operating System version: M1 Apple (11.5.2)
  • Firebase SDK version: latest
  • Firebase Product: auth, database, storage
  • node -v v16.13.2
  • node-gyp -v v8.3.0
  • npm -v v8.1.2
  • Chromium 96.0.4664.110, and
  • Electron 16.0.7

Problem Description

I am trying to install firebase for my Electron app using the command 'npm i firebase'.
'npm audit' shows this output:

node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/node-fetch
@firebase/auth <=0.0.900-exp.f919db6a9 || 0.17.0-20217250818 - 0.19.6
Depends on vulnerable versions of node-fetch
node_modules/@firebase/auth
firebase 0.800.3 - 0.900.25 || 7.9.1-0 - 7.9.1-canary.0396117e || 7.17.1-20206244562 - 7.17.1-canary.f1299756 || 7.17.2-20206291717 - 9.6.4
Depends on vulnerable versions of @firebase/auth
Depends on vulnerable versions of @firebase/auth-compat
Depends on vulnerable versions of @firebase/firestore
Depends on vulnerable versions of @firebase/functions
Depends on vulnerable versions of @firebase/storage
Depends on vulnerable versions of @firebase/storage-compat
node_modules/firebase
@firebase/auth-compat <=0.2.6
Depends on vulnerable versions of node-fetch
node_modules/@firebase/auth-compat
@firebase/firestore <=0.0.900-exp.f919db6a9 || 1.16.2-20206244562 - 1.16.2-canary.f1299756 || 1.16.3-20206291717 - 3.4.3
Depends on vulnerable versions of node-fetch
node_modules/@firebase/firestore
@firebase/firestore-compat <=0.1.12
Depends on vulnerable versions of @firebase/firestore
node_modules/@firebase/firestore-compat
@firebase/functions <=0.0.900-exp.f919db6a9 || 0.4.51-202088235442 - 0.4.51-eap-auth-emulator.df41ee388 || 0.5.0-20209118324 - 0.7.7
Depends on vulnerable versions of node-fetch
node_modules/@firebase/functions
@firebase/functions-compat <=0.1.8
Depends on vulnerable versions of @firebase/functions
node_modules/@firebase/functions-compat
@firebase/storage <=0.0.900-exp.f43d0c698 || 0.5.5-202151602035 - 0.5.5-canary.f6e1645ef || 0.5.6-20216122160 - 0.9.1
Depends on vulnerable versions of node-fetch
node_modules/@firebase/storage
@firebase/storage-compat <=0.1.9
Depends on vulnerable versions of @firebase/storage
node_modules/@firebase/storage-compat
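As an added example (not code from this thread or from the Firebase project), the check below reads a package-lock.json "packages" map and reports every dependent whose node-fetch resolves to a version below 2.6.7, the first fixed release named in the audit output above. The lockfile contents are a constructed sample and the function names are assumptions of this example.

```javascript
// Added example (not from the thread or the Firebase project). The lockfile is a constructed sample.
const VULNERABLE_PKG = "node-fetch", PATCHED_VERSION = "2.6.7"; // first fixed release per npm audit

// Numeric compare of dotted versions; a pre-release tag sorts below its base version.
function compareVersions(a, b) {
  const [aBase, aPre] = a.split("-"), [bBase, bPre] = b.split("-");
  const pa = aBase.split(".").map(Number), pb = bBase.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return (aPre ? 0 : 1) - (bPre ? 0 : 1);
}

// Node-style resolution inside the lockfile: walk up from the dependent's path
// through each enclosing node_modules until a copy of `name` is found.
function resolveFrom(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// One finding per dependent whose declared node-fetch resolves to a copy below 2.6.7.
function findVulnerableDependents(lock) {
  const pkgs = lock.packages || {}, findings = [];
  for (const [fromPath, entry] of Object.entries(pkgs)) {
    if (!((entry.dependencies || {})[VULNERABLE_PKG])) continue;
    const resolved = resolveFrom(pkgs, fromPath, VULNERABLE_PKG);
    if (!resolved) continue;
    const version = pkgs[resolved].version;
    if (compareVersions(version, PATCHED_VERSION) < 0) {
      findings.push({ dependent: fromPath || "<root>", path: resolved, version });
    }
  }
  return findings;
}

// Constructed sample: auth and functions resolve to the hoisted 2.6.1; storage has a nested patched copy.
const sampleLock = { lockfileVersion: 2, packages: {
  "node_modules/node-fetch": { version: "2.6.1" },
  "node_modules/@firebase/auth": { version: "0.19.6", dependencies: { "node-fetch": "2.6.1" } },
  "node_modules/@firebase/functions": { version: "0.7.7", dependencies: { "node-fetch": "2.6.1" } },
  "node_modules/@firebase/storage": { version: "0.9.1", dependencies: { "node-fetch": "2.6.7" } },
  "node_modules/@firebase/storage/node_modules/node-fetch": { version: "2.6.7" },
} };
for (const f of findVulnerableDependents(sampleLock)) console.log(`${f.dependent} -> ${f.path}@${f.version}`);
```

Running it against a real project means replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a nested patched copy, as under storage here, is correctly not reported.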

sam-gc commented Jan 27, 2022

Hi @himanshu1316, thanks for reaching out. #5928 addresses this, the fix should be included in the next release. I'll leave this issue open for now for others to find.

qdubois commented Jan 28, 2022

Thanks a lot.
@sam-gc, will you also fix Firebase SDK 8?

@DevProjctX

> Hi @himanshu1316, thanks for reaching out. #5928 addresses this, the fix should be included in the next release. I'll leave this issue open for now for others to find.

Thanks @sam-gc for your response

@hsubox76

We've released a fix for v8 in 8.10.1.

qdubois commented Jan 28, 2022

Thanks a lot!!

@firebase firebase locked and limited conversation to collaborators Feb 28, 2022