
Release the security-audit dependency PRs (#2881–#2888) #2889

Description

@cabljac

Release the security-audit dependency PRs

Eight approved (lgtm) security-audit PRs are merged/ready but inert — they land code only. They do nothing for users until each extension is version-bumped and published. None of them touch extension.yaml or CHANGELOG.md.

Per-extension release steps (each)

  • Bump version: in extension.yaml
  • Add CHANGELOG.md entry
  • Publish to the Extensions registry

PRs to release

Common to all: npm audit fix dependency bumps + remove unmaintained rimraf (clean script now uses native fs.rmSync).

Remaining (unfixed) transitive CVEs — do NOT claim full clearance in release notes

  • uuid@<11.1.1 — pinned under firebase-admin > @google-cloud/firestore > google-gax (and @google-cloud/bigquery). Needs upstream bump.
  • ts-deepmerge@<8.0.0 — devDep under firebase-functions-test. Test-only, breaking upstream.

Verification done at review

  • All 8 reviewed; runtime is nodejs22 across the board (global fetch + crypto.randomUUID() both stable).
  • Security Audit & Remediation: firestore-counter #2883 test-validated: CI suite green; deep-equal → isDeepStrictEqual shown to have no behavioral divergence vs base.
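
A pre-publish check for the per-extension release steps listed in the issue, as an added example that is not part of the issue or the project's own tooling. The function names, the sample extension and version numbers, the `## Version X.Y.Z` changelog heading format, and the wording heuristic for a full-clearance claim are all assumptions.

```javascript
// Added example; names and file layouts are assumptions, not the project's code.
// Assumed: top-level `version: X.Y.Z` in extension.yaml, `## Version X.Y.Z` in CHANGELOG.md.
function readVersion(yamlText) {
  const m = /^version:\s*["']?(\d+)\.(\d+)\.(\d+)["']?\s*$/m.exec(yamlText);
  return m ? m.slice(1, 4).map(Number) : null;
}

function isNewer(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return false;
}

// Body of the changelog section for `version`, or null when no heading exists.
function changelogEntry(changelog, version) {
  const lines = changelog.split(/\r?\n/);
  const start = lines.findIndex((l) => l.trim() === `## Version ${version}`);
  if (start === -1) return null;
  const rest = lines.slice(start + 1);
  const end = rest.findIndex((l) => l.startsWith("## "));
  return (end === -1 ? rest : rest.slice(0, end)).join("\n").trim();
}

// Returns a list of problems; an empty list means the release steps were done.
function checkRelease(baseYaml, headYaml, changelog) {
  const base = readVersion(baseYaml);
  const head = readVersion(headYaml);
  if (!base || !head) return ["extension.yaml has no parsable version"];
  const problems = [];
  if (!isNewer(head, base)) problems.push("version not bumped");
  const v = head.join(".");
  const entry = changelogEntry(changelog, v);
  if (entry === null) problems.push(`no CHANGELOG.md entry for ${v}`);
  else if (entry === "") problems.push(`CHANGELOG.md entry for ${v} is empty`);
  // Heuristic: unfixed transitive CVEs remain, so "all ... CVEs" is an overclaim.
  else if (/\ball\b[^.\n]*\b(vulnerabilit|CVE)/i.test(entry))
    problems.push("entry claims full CVE clearance");
  return problems;
}

// Constructed sample inputs (hypothetical extension and version numbers).
const SAMPLE_BASE = "name: example-extension\nversion: 1.4.2\n";
const SAMPLE_HEAD = "name: example-extension\nversion: 1.4.3\n";
const SAMPLE_CHANGELOG =
  "## Version 1.4.3\n\nfix - npm audit fix dependency bumps; uuid and " +
  "ts-deepmerge advisories remain open upstream\n\n" +
  "## Version 1.4.2\n\nfix - previous release\n";
console.log(checkRelease(SAMPLE_BASE, SAMPLE_HEAD, SAMPLE_CHANGELOG)); // []
```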
