[Snyk] Upgrade firebase-functions from 4.2.1 to 6.1.1

[aravindvnair99]

Snyk has created this PR to upgrade firebase-functions from 4.2.1 to 6.1.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 19 versions ahead of your current version.

• The recommended version was released on 24 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	506	No Known Exploit
	Infinite loop SNYK-JS-MARKDOWNIT-6483324	506	Proof of Concept
	Internal Property Tampering SNYK-JS-TAFFYDB-2992450	506	Proof of Concept
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	506	No Known Exploit
	Uncontrolled Resource Consumption SNYK-JS-GRPCGRPCJS-7242922	506	No Known Exploit
	Resource Exhaustion SNYK-JS-JOSE-6419224	506	No Known Exploit
	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	506	No Known Exploit
	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	506	No Known Exploit
	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	506	No Known Exploit
	Open Redirect SNYK-JS-EXPRESS-6474509	506	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	506	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-8482416	506	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	506	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	506	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	506	No Known Exploit

Release notes

Package name: firebase-functions

• 6.1.1 - 2024-11-21
  
  • Fix bug where wrapInit wasn't called on v2 callable functions. (#1634)
  • Add support for callable function to return streaming response (#1629)
  • Add support for firebase-admin@13 (#1641)
• 6.1.0 - 2024-10-22
  
  • Bump express version to 4.19.2 (#1624)
  • Add support for beforeSmsSent auth blocking triggers. (#1589)
• 6.0.1 - 2024-09-16
  
  • Fix bug where v1 functions can't be emulated (#1615)
• 6.0.0 - 2024-09-10
  
  • Breaking: Change default entrypoint of the firebase-functions package to v2 instead of v1 (#1594)
  • Add @ deprecated annotation on functions.config() API (#1604)
• 5.1.1 - 2024-08-30
  
  • Fix retry in event triggered functions. (#1463)
  • Expose retry configuration in v2 RTDB trigger (#1588)
  • Fix CORS options for v2 callable functions (#1564)
  • Remove invalid enforceAppCheck option for v2 onRequest trigger (#1477)
• 5.1.0 - 2024-08-19
  
  • Future Extensions support (#1590)
• 5.0.1 - 2024-05-03
  
  • Fix App fetching for named firestore instances (#1562).
• 5.0.0 - 2024-05-01
  
  • Add option to get named firestore instance for v2 firestore functions (#1550).
  • Remove firebase-admin v10 dependency for Firestore triggers multi-DB support (#1555).
• 4.9.0 - 2024-04-04
  
  • Add new 2nd gen Firestore auth context triggers. (#1519)
• 4.8.2 - 2024-03-29
  

  Fix bug with CORS options for an array of one string (#1544)

• 4.8.1 - 2024-03-19
• 4.8.0 - 2024-03-08
• 4.7.0 - 2024-02-07
• 4.6.0 - 2024-01-03
• 4.5.0 - 2023-11-02
• 4.4.1 - 2023-06-12
• 4.4.0 - 2023-05-08
• 4.3.1 - 2023-04-20
• 4.3.0 - 2023-04-13
• 4.2.1 - 2023-02-02

from firebase-functions GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[guardrails]

⚠️ We detected 10 security issues in this pull request:

Insecure File Management (1)

Severity	Details	Docs
High	Title: Path Traversal from user input Spot-the-Hole/functions/index.js Line 562 in daf6d66 path.join(os.tmpdir(), path.basename(req.files.file[0].fieldname)),	📚

More info on how to fix Insecure File Management in JavaScript.

---

Insecure Use of Crypto (1)

Severity	Details	Docs
Medium	Title: Insecure use of random generator Spot-the-Hole/functions/index.js Line 204 in daf6d66 result += characters.charAt(Math.floor(Math.random() * charactersLength));	📚

More info on how to fix Insecure Use of Crypto in JavaScript.

---

Vulnerable Libraries (8)

Severity	Details
High	pkg:npm/busboy@0.3.1 upgrade to: > 0.3.1
High	pkg:npm/firebase-functions@6.1.1 upgrade to: > 6.1.1
Critical	pkg:npm/firebase-admin@11.11.1 (t) upgrade to: > 11.11.1
Informational	pkg:npm/cookie-parser@1.4.6 upgrade to: > 1.4.6
N/A	pkg:npm/ejs@3.1.7 upgrade to: 3.1.10
Medium	pkg:npm/axios@0.25.0 upgrade to: 1.6.0
High	pkg:npm/eslint@8.54.0 upgrade to: > 8.54.0
Critical	pkg:npm/@tensorflow/tfjs-node@3.14.0 upgrade to: > 3.14.0

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[stale]

Automatically marked as stale due to lack of recent activity. Will be closed if no further activity occurs. Thank you for your contributions.

[stale]

Automatically closed due to lack of recent activity. Tag @aravindvnair99 to reopen. Thank you for your contributions.