[Snyk] Upgrade firebase-admin from 11.3.0 to 12.6.0

[aravindvnair99]

Snyk has created this PR to upgrade firebase-admin from 11.3.0 to 12.6.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 20 versions ahead of your current version.
• The recommended version was released 23 days ago, on 2024-09-30.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Infinite loop SNYK-JS-MARKDOWNIT-6483324	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept
	Internal Property Tampering SNYK-JS-TAFFYDB-2992450	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept
	Uncontrolled Resource Consumption SNYK-JS-GRPCGRPCJS-7242922	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit
	Resource Exhaustion SNYK-JS-JOSE-6419224	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit
	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit
	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit
	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: firebase-admin

• 12.6.0 - 2024-09-30
  

  New Features

  • feat: Add Data Connect API (#2701)

  Bug Fixes

  • fix(auth): Add missing Math.floor() when setting validDuration in createSessionCookie() (#2712)

  Miscellaneous

  • [chore] Release 12.6.0 (#2715)
  • build(deps-dev): bump @ types/lodash from 4.17.7 to 4.17.9 (#2710)
  • build(deps-dev): bump @ firebase/app-compat from 0.2.39 to 0.2.41 (#2711)
  • build(deps-dev): bump eslint from 8.57.0 to 8.57.1 (#2707)
  • build(deps-dev): bump @ microsoft/api-extractor from 7.47.6 to 7.47.9 (#2706)
  • build(deps): bump @ google-cloud/firestore from 7.9.0 to 7.10.0 (#2705)
• 12.5.0 - 2024-09-12
  

  New Features

  • feat(rc): SSRC targeting (#2665)

  Bug Fixes

  • fix: updating comments with VibrateTimingsMillis and defaultVibrateTimings instead of vibrate_timings and default_vibrate_timings (#2598)
  • fix: support httpAgent in JwksFetcher (#2689)

  Miscellaneous

  • [chore] Release 12.5.0 Take 2 (#2703)
  • [chore] Release 12.5.0 (#2702)
  • chore: Upgrade actions/upload-artifact@v4 (#2700)
  • build(deps): bump actions/download-artifact in /.github/workflows (#2694)
  • Create CHANGELOG.md (#2626)
• 12.4.0 - 2024-08-22
  

  Miscellaneous

  • [chore] Release 12.4.0 (#2674)
  • build(deps-dev): bump @ firebase/app-compat from 0.2.38 to 0.2.39 (#2677)
  • chore: Deprecate sendToTopic and Condition (#2683)
  • build(deps): bump @ types/node from 22.1.0 to 22.3.0 (#2675)
  • build(deps-dev): bump mocha from 10.7.0 to 10.7.3 (#2670)
  • build(deps): bump @ google-cloud/storage from 7.12.0 to 7.12.1 (#2669)
  • build(deps): bump axios in /.github/actions/send-email (#2673)
  • build(deps-dev): bump @ microsoft/api-extractor from 7.47.5 to 7.47.6 (#2671)
  • Reroute Cloud Tasks to emulator when it is running (#2649)
• 12.3.1 - 2024-08-08
  

  Bug Fixes

  • fix: getToken() returns existing promise to a token if one exists instead of a new token. (#2648)

  Miscellaneous

  • [chore] Release 12.3.1 (#2667)
  • chore: Skip sendToDeviceGroup integration test (#2666)
  • build(deps-dev): bump @ microsoft/api-extractor from 7.47.2 to 7.47.5 (#2661)
  • build(deps): bump @ types/node from 22.0.1 to 22.1.0 (#2663)
  • build(deps-dev): bump @ firebase/app-compat from 0.2.37 to 0.2.38 (#2664)
  • build(deps): bump @ types/node from 20.14.11 to 22.0.1 (#2657)
  • build(deps-dev): bump chai from 4.4.1 to 4.5.0 (#2650)
  • build(deps-dev): bump @ firebase/app-compat from 0.2.35 to 0.2.37 (#2653)
  • build(deps): bump fast-xml-parser from 4.4.0 to 4.4.1 (#2654)
• 12.3.0 - 2024-07-25
  

  New Features

  • feat(fcm): Add HTTP2 support for sendEach() and sendEachForMulticast() (#2550)

  Miscellaneous

  • [chore] Release 12.3.0 (#2644)
  • build(deps): bump @ types/node from 20.14.8 to 20.14.11 (#2641)
  • build(deps-dev): bump @ microsoft/api-extractor from 7.47.0 to 7.47.2 (#2642)
  • build(deps): bump @ google-cloud/storage from 7.11.2 to 7.12.0 (#2643)
  • build(deps-dev): bump mocha and @ types/mocha (#2640)
  • build(deps): bump @ fastify/busboy from 2.1.1 to 3.0.0 (#2632)
  • build(deps-dev): bump @ types/lodash from 4.17.5 to 4.17.7 (#2636)
  • Remove Remote Config dependency on Long JS (#2614)
  • build(deps): bump @ google-cloud/firestore from 7.8.0 to 7.9.0 (#2618)
  • build(deps-dev): bump nyc from 15.1.0 to 17.0.0 (#2616)
  • chore: update integration test resources (#2615)
  • build(deps-dev): bump @ types/uuid from 9.0.8 to 10.0.0 (#2612)
  • build(deps): bump @ types/node from 20.14.2 to 20.14.8 (#2613)
• 12.2.0 - 2024-06-20
  Read more
• 12.1.1 - 2024-05-21
  Read more
• 12.1.0 - 2024-04-16
  Read more
• 12.0.0 - 2023-12-07
  Read more
• 11.11.1 - 2023-11-23
  Read more
• 11.11.0 - 2023-09-28
• 11.10.1 - 2023-07-13
• 11.10.0 - 2023-07-12
• 11.9.0 - 2023-05-30
• 11.8.0 - 2023-05-04
• 11.7.0 - 2023-04-18
• 11.6.0 - 2023-04-06
• 11.5.0 - 2023-01-19
• 11.4.1 - 2022-12-22
• 11.4.0 - 2022-12-15
• 11.3.0 - 2022-11-17

from firebase-admin GitHub release notes

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[guardrails]

⚠️ We detected 8 security issues in this pull request:

Insecure File Management (1)

Severity	Details	Docs
High	Title: Path Traversal from user input Spot-the-Hole/functions/index.js Line 562 in b88910b path.join(os.tmpdir(), path.basename(req.files.file[0].fieldname)),	📚

More info on how to fix Insecure File Management in JavaScript.

---

Insecure Use of Crypto (1)

Severity	Details	Docs
Medium	Title: Insecure use of random generator Spot-the-Hole/functions/index.js Line 204 in b88910b result += characters.charAt(Math.floor(Math.random() * charactersLength));	📚

More info on how to fix Insecure Use of Crypto in JavaScript.

---

Vulnerable Libraries (6)

Severity	Details
High	pkg:npm/firebase-functions@4.2.1 upgrade to: > 4.2.1
N/A	pkg:npm/ejs@3.1.7 upgrade to: 3.1.10
Medium	pkg:npm/axios@0.25.0 upgrade to: 1.6.0
Informational	pkg:npm/cookie-parser@1.4.6 upgrade to: > 1.4.6
High	pkg:npm/busboy@0.3.1 upgrade to: > 0.3.1
Critical	pkg:npm/@tensorflow/tfjs-node@3.14.0 upgrade to: > 3.14.0

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[stale]

Automatically marked as stale due to lack of recent activity. Will be closed if no further activity occurs. Thank you for your contributions.

[stale]

Automatically closed due to lack of recent activity. Tag @aravindvnair99 to reopen. Thank you for your contributions.