Security Audit & Remediation: firestore-bigquery-export#2888
Code Review
This pull request removes the rimraf and node-fetch dependencies, replacing the clean scripts with native Node.js commands, and links the local change tracker package. However, the new clean scripts in both package.json files will fail with a ReferenceError because they attempt to use the fs module without requiring it first.
| "scripts": { | ||
| "build": "npm run clean && npm run compile", | ||
| "clean": "rimraf lib", | ||
| "clean": "node -e \"fs.rmSync('lib', { recursive: true, force: true })\"", |
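Review bot: the new `clean` line calls `fs.rmSync` without ever requiring `fs`, which is not a global in Node.js, so `node -e` exits with ReferenceError: fs is not defined and `build` (which runs `clean` first) fails with it; put `require('node:fs').rmSync('lib', { recursive: true, force: true })` inside the `node -e` string instead. The rest of the replacement is sound: `force: true` keeps rimraf's behaviour of succeeding when `lib` is already gone, and the relative `'lib'` is resolved against the cwd, which `npm run` sets to this package's directory.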
In Node.js, the fs module is not available as a global variable. Running node -e "fs.rmSync(...)" will fail with a ReferenceError: fs is not defined, which breaks the npm run clean and npm run build scripts. You must require the fs module before calling rmSync.
"clean": "node -e \"require('fs').rmSync('lib', { recursive: true, force: true })\""| "build": "npm run clean && npm run compile", | ||
| "prepare": "npm run build", | ||
| "clean": "rimraf lib", | ||
| "clean": "node -e \"fs.rmSync('lib', { recursive: true, force: true })\"", |
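Review bot: the same missing `require('fs')` is on this file's new `clean` line, and here the blast radius is larger: `prepare` runs `npm run build`, and `build` runs `npm run clean` first, so the ReferenceError will also abort `npm install` for this package rather than only an explicit build. Use `require('node:fs').rmSync('lib', { recursive: true, force: true })` inside the `node -e` string.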
In Node.js, the fs module is not available as a global variable. Running node -e "fs.rmSync(...)" will fail with a ReferenceError: fs is not defined, which breaks the npm run clean and npm run build scripts. You must require the fs module before calling rmSync.
"clean": "node -e \"require('fs').rmSync('lib', { recursive: true, force: true })\""…ean race condition
Security Audit & Remediation: firestore-bigquery-export
A. Previous CVEs
- shell-quote (Severity: Critical)
- protobufjs (Severity: High)
- uuid (Severity: Moderate)
- ts-deepmerge (Severity: Moderate)
B. Changes Made
- npm audit fix across all subpackages
- Removed rimraf dependency and replaced "clean" script with native runtime fs.rmSync across all subpackages
- Removed node-fetch dependency and refactored change tracker src/bigquery/index.ts to use native Node.js global fetch
C. Remaining CVEs
- ts-deepmerge@<8.0.0 (Required by firebase-functions-test devDep): Breaking change upstream in test helper. Transitive tree: firebase-functions-test > ts-deepmerge
- uuid@<11.1.1 (Required by @google-cloud/bigquery / firebase-admin): Breaking change upstream in @google-cloud/firestore / @google-cloud/bigquery.
D. Introduced CVEs
E. Testing Strategy
npm run build) across all packages - 100% passing.
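The review comments above flag a `node -e` one-liner that uses `fs` without requiring it. As an added example, not code from this PR or from the firestore-bigquery-export repository, here is a small Node.js lint that catches that class of slip across a package.json `scripts` block and proposes the fixed command. The package.json it scans is constructed for the demo and mirrors the reviewed `clean` scripts; the function names and the list of core modules it checks are this example's own choices.

```javascript
// Added example (not part of firestore-bigquery-export): lint package.json
// "scripts" for `node -e "..."` one-liners that call a Node core module
// without requiring it. Node does not expose fs, path, etc. as globals, so
// such a script dies with ReferenceError the first time it runs.
const CORE_MODULES = ['fs', 'path', 'os', 'child_process', 'crypto', 'util'];

// Pull the JavaScript source out of `node -e "..."` / `node --eval '...'`.
// The command has already been JSON-decoded, so the \" escapes written in
// package.json arrive here as plain quotes around the argument.
function extractEval(command) {
  const m = command.match(/\bnode\s+(?:-e|--eval)\s+(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)')/);
  if (!m) return null;
  return (m[1] !== undefined ? m[1] : m[2]).replace(/\\(["'\\])/g, '$1');
}

// Report core modules that are called as `mod.something(` but never required.
// Both require('fs') and require('node:fs') count as satisfied.
function findBareCoreModules(js) {
  const missing = [];
  for (const mod of CORE_MODULES) {
    const used = new RegExp(`(?:^|[^\\w.$'"])${mod}\\.\\w+\\s*\\(`).test(js);
    const required = new RegExp(`require\\(\\s*['"](?:node:)?${mod}['"]\\s*\\)`).test(js);
    if (used && !required) missing.push(mod);
  }
  return missing;
}

// Lint every script entry; returns one finding per (script, module) pair.
function lintScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const [name, command] of Object.entries(pkg.scripts || {})) {
    const js = extractEval(command);
    if (js === null) continue; // not a `node -e` script
    for (const mod of findBareCoreModules(js)) {
      findings.push({ script: name, module: mod, command });
    }
  }
  return findings;
}

// Prepend explicit requires to the eval string so it runs under plain `node -e`.
function fixCommand(command, modules) {
  const prelude = modules.map((m) => `const ${m} = require('node:${m}');`).join(' ');
  return command.replace(/(\bnode\s+(?:-e|--eval)\s+["'])/, `$1${prelude} `);
}

// Constructed sample: the broken "clean" from the diff above, a corrected
// variant, and a script that touches no core module at all.
const SAMPLE_PACKAGE_JSON = String.raw`{
  "name": "constructed-sample",
  "scripts": {
    "build": "npm run clean && npm run compile",
    "clean": "node -e \"fs.rmSync('lib', { recursive: true, force: true })\"",
    "clean:ok": "node -e \"require('node:fs').rmSync('lib', { recursive: true, force: true })\"",
    "version": "node -e \"console.log(process.version)\""
  }
}`;

for (const f of lintScripts(SAMPLE_PACKAGE_JSON)) {
  console.log(`script "${f.script}": '${f.module}' is used without require`);
  console.log(`  suggested: ${fixCommand(f.command, [f.module])}`);
}
```

Run it against a real package.json by reading the file and passing its text to `lintScripts`; only the broken `clean` entry is reported, and the suggested command passes the same lint once the explicit `require('node:fs')` is in place.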