npm install reports high severity vulnerability of dicer in firebase-admin 10.2.0
Describe your environment
- Operating System version: debian stable
- Firebase SDK version: 10.2.0
- Firebase Product: firebase-admin
- Node.js version: 18
- NPM version: 8.11.0
Describe the problem
`npm install` reports:
2 high severity vulnerabilities
`npm audit` reports:
npm audit
# npm audit report
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install firebase-admin@7.0.0, which is a breaking change
node_modules/dicer
firebase-admin >=7.1.0
Depends on vulnerable versions of dicer
node_modules/firebase-admin
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Steps to reproduce:
- Create a project.
- Run `npm install firebase-admin`
- Run `npm audit`
Relevant Code:
{
  "name": "audit",
  "main": "lib/index.js",
  "scripts": {
    "start": "node lib/index.js"
  },
  "dependencies": {
    "firebase-admin": "^10.2.0"
  },
  "devDependencies": {
    "@types/node": "^17.0.21",
    "typescript": "^4.5.4"
  },
  "engines": {
    "node": "18.x"
  },
  "private": true
}
Issue Analytics
- State:
- Created a year ago
- Comments:5
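One way to gate on this situation in CI, as an added example (not code from the issue or from the firebase-admin project): it reads the `npm audit --json` report format (auditReportVersion 2) and flags direct dependencies whose only proposed fix is a semver-major change, like the `firebase-admin@7.0.0` install reported above. The sample report is constructed to mirror the text output in this issue, and the function names and action labels are hypothetical.

```javascript
// SAMPLE_REPORT is constructed to mirror the text report in this issue;
// it is not captured tool output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    dicer: {
      name: "dicer", severity: "high", isDirect: false, range: "*",
      via: [{ name: "dicer", title: "Crash in HeaderParser in dicer",
              url: "https://github.com/advisories/GHSA-wm7h-9275-46v2",
              severity: "high", range: "*" }],
      effects: ["firebase-admin"], nodes: ["node_modules/dicer"],
      fixAvailable: { name: "firebase-admin", version: "7.0.0", isSemVerMajor: true },
    },
    "firebase-admin": {
      name: "firebase-admin", severity: "high", isDirect: true, range: ">=7.1.0",
      via: ["dicer"], effects: [], nodes: ["node_modules/firebase-admin"],
      fixAvailable: { name: "firebase-admin", version: "7.0.0", isSemVerMajor: true },
    },
  },
};

// Follow string entries in `via` down to the advisory objects that are the root cause.
function rootAdvisories(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  return vulns[name].via.flatMap((v) =>
    typeof v === "string" ? rootAdvisories(vulns, v, seen) : [v]);
}

// One row per affected direct dependency, with the fix npm proposes for it.
function triage(report) {
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns).filter((v) => v.isDirect).map((v) => {
    const fix = v.fixAvailable; // false | true | { name, version, isSemVerMajor }
    const forced = typeof fix === "object" && fix !== null && fix.isSemVerMajor === true;
    return {
      package: v.name,
      severity: v.severity,
      advisories: [...new Set(rootAdvisories(vulns, v.name).map((a) => a.url))],
      // Hypothetical labels: a semver-major fix needs a human decision, not --force.
      action: fix === false ? "no-fix" : forced ? "manual-review" : "non-breaking-fix",
      proposed: forced ? `${fix.name}@${fix.version}` : null,
    };
  });
}

console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
```

A `manual-review` row means `npm audit fix --force` would change a direct dependency across a major version, so the proposed version should be compared with the installed one before anything is applied.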
Top GitHub Comments
@PedroEmanuelMoreiraCarvalho
This post seems to be the only related comment I have found so far. But I still have no idea how to fix the error. Let me know if you find something!
I’m with exactly the same issue 😕 Some help?