
Security Audit & Remediation: firestore-bigquery-export #2888

Merged
inlined merged 4 commits into master from security-audit/firestore-bigquery-export
Jun 23, 2026

Conversation

@inlined (Member) commented Jun 23, 2026

Security Audit & Remediation: firestore-bigquery-export

A. Previous CVEs

B. Changes Made

  • Updated direct and transitive dependencies via npm audit fix across all subpackages
  • Removed unmaintained rimraf dependency and replaced "clean" script with native runtime fs.rmSync across all subpackages
  • Removed node-fetch dependency and refactored change tracker src/bigquery/index.ts to use native Node.js global fetch

C. Remaining CVEs

  • ts-deepmerge@<8.0.0 (Required by firebase-functions-test devDep): Breaking change upstream in test helper. Transitive tree: firebase-functions-test > ts-deepmerge
  • uuid@<11.1.1 (Required by @google-cloud/bigquery / firebase-admin): Breaking change upstream in @google-cloud/firestore / @google-cloud/bigquery.

D. Introduced CVEs

  • None

E. Testing Strategy

  • Ran unit test suite on materialized views and core utilities without GCP auth errors - passing.
  • Ran compilation & build suite (npm run build) across all packages - 100% passing.

@inlined inlined requested a review from a team as a code owner June 23, 2026 00:23

@gemini-code-assist (Bot, Contributor) left a comment

Code Review

This pull request removes the rimraf and node-fetch dependencies, replacing the clean scripts with native Node.js commands, and links the local change tracker package. However, the new clean scripts in both package.json files will fail with a ReferenceError because they attempt to use the fs module without requiring it first.

"scripts": {
"build": "npm run clean && npm run compile",
"clean": "rimraf lib",
"clean": "node -e \"fs.rmSync('lib', { recursive: true, force: true })\"",
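Review bot: the `fs` in `"clean": "node -e \"fs.rmSync('lib', { recursive: true, force: true })\""` does resolve without a require: `node -e` evaluates its argument with the same core modules predefined that the REPL exposes, so this script runs, which matches the description's report that `npm run build` passed across all packages. An explicit `require('fs').rmSync(...)` would still be the clearer form, since it does not depend on that REPL convenience and reads the same to anyone unfamiliar with it.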


high

In Node.js, the fs module is not available as a global variable. Running node -e "fs.rmSync(...)" will fail with a ReferenceError: fs is not defined, which breaks the npm run clean and npm run build scripts. You must require the fs module before calling rmSync.

    "clean": "node -e \"require('fs').rmSync('lib', { recursive: true, force: true })\""

"build": "npm run clean && npm run compile",
"prepare": "npm run build",
"clean": "rimraf lib",
"clean": "node -e \"fs.rmSync('lib', { recursive: true, force: true })\"",
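Review bot: with `"prepare": "npm run build"` directly above, this `clean` script now runs on every `npm install` as well as in CI, so it is worth keeping it free of anything environment-specific; `node -e` does predefine `fs` like the REPL, so the one-liner works as written, but `require('fs')` costs nothing and removes the question. `force: true` is the right flag here: it keeps a fresh checkout with no `lib` directory from failing the install.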


high

In Node.js, the fs module is not available as a global variable. Running node -e "fs.rmSync(...)" will fail with a ReferenceError: fs is not defined, which breaks the npm run clean and npm run build scripts. You must require the fs module before calling rmSync.

    "clean": "node -e \"require('fs').rmSync('lib', { recursive: true, force: true })\""

@inlined inlined changed the base branch from next to master June 23, 2026 01:30

@cabljac (Contributor) left a comment

lgtm

@inlined inlined merged commit 9c2842f into master Jun 23, 2026
13 checks passed