Security Audit & Remediation: quickstart-testing monorepo overrides #473

Open

inlined wants to merge 2 commits into firebase:master from inlined:security-audit/quickstart-testing-overrides

Conversation

@inlined inlined (Member) commented Jul 1, 2026

Security Audit & Remediation: quickstart-testing monorepo overrides

A. Previous CVEs

B. Changes Made

  • Added dependency overrides in the root package.json to force secure versions of transitive dependencies:
    • tar: ^7.5.19
    • js-yaml: ^4.1.2
    • undici: ^6.27.0
    • tough-cookie: ^4.1.3

C. Remaining CVEs

  • None for these packages.

D. Introduced CVEs

  • None.

E. Testing Strategy

  • Verified local npm installation and lockfile alignment.
  • Local tests rely on GitHub Actions CI due to missing local Java emulator dependency.

@gemini-code-assist gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces dependency overrides in package.json for tar, js-yaml, undici, and tough-cookie. The review feedback identifies that the specified versions for tar (7.5.19) and js-yaml (4.1.2) do not exist on the npm registry, which will cause installation failures. Additionally, js-yaml versions below 4.2.0 are vulnerable to CVE-2026-53550. It is recommended to update these overrides to stable, existing, and secure versions.
