0

I am trying to deploy my Firebase app using GitHub Actions. I am running the commands below for the same:

  1. npm install
  2. npm audit fix
  3. npm install firebase-tools@10.9.2

It was working perfectly until 10 days ago; now suddenly I am getting the issue below:

Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install firebase-admin@7.0.0, which is a breaking change
node_modules/dicer
  firebase-admin  >=7.1.0
  Depends on vulnerable versions of dicer
  node_modules/firebase-admin
    firebase-functions  >=3.0.0
    Depends on vulnerable versions of firebase-admin
    node_modules/firebase-functions

I saw that there is an issue going on with Dicer, but as it's a dependency of firebase-admin there is no way to skip this. I want to do an urgent production deployment - how can I remove this blocker?

halfer
  • It looks like it will upgrade your version of firebase-admin - is that bad? Readers don't know how your CI is structured, but the normal approach is to upgrade the library and any dependencies, commit the changes, ensure that your unit and integration tests still pass, and if your new build works, do a deployment. – halfer Jun 04 '22 at 19:24
  • It looks like [firebase-admin](https://www.npmjs.com/package/firebase-admin) is just a backend tool. If that is so, can you just set up a firewall so that this part of your app cannot be reached by anonymous users, and then you can tolerate the vuln in the short term? – halfer Jun 04 '22 at 19:27

1 Answer

0

The issue needs to be resolved by the team maintaining the SDK. That being said, in spite of being listed as high severity, the use case for dicer in the SDK renders the risk profile low unless you are using dicer in your own code:

Here's the relevant issue on GitHub. One of the maintainers explains the issue as follows:

The Admin Node.js SDK uses dicer to parse multipart responses from Firebase and GCP backend servers. IIUC the threat introduced by the vulnerability in dicer is pretty low here as we can trust the responses from the BE servers. However, if you are using the dicer package to parse responses in your own code then you might be at a higher risk. Having said that, we are looking into the fixes mentioned in #1512 and the potential to use the fixed version of dicer in Admin SDK. I will use this issue to update the progress.

Asleepious
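Since the answer's point is that this advisory is a documented, low-risk transitive finding rather than something to silence with `npm audit fix --force`, a practical CI pattern is an audit gate that fails on every advisory except those on an explicit, reasoned risk-acceptance list. The script below is an added example, not code from the question, the answer or the Firebase project. It reads the JSON produced by `npm audit --json` (the field names `vulnerabilities`, `via`, `isDirect` and `url` are assumed to follow the npm 7+ report format, `auditReportVersion` 2); the embedded sample report is constructed by hand to mirror the dicer / firebase-admin / firebase-functions chain shown in the question, and the function names `rootAdvisories`, `evaluateAudit` and `loadReport` are the example's own.

```javascript
'use strict';

// Risk acceptances: one entry per advisory, scoped to a package and to the
// condition that it is only reached transitively (never a direct dependency).
// Keep the reason reviewed and remove the entry once a fixed version ships.
const acceptedAdvisories = [
  {
    url: 'https://github.com/advisories/GHSA-wm7h-9275-46v2', // advisory from the page
    pkg: 'dicer',
    reason: 'Used only by firebase-admin to parse trusted backend responses; ' +
            'dicer is not used in our own code. Re-evaluate when firebase-admin is fixed.',
    onlyIfTransitive: true,
  },
];

// Constructed sample of `npm audit --json` output (shape assumed: npm 7+,
// auditReportVersion 2). Mirrors the chain in the question.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    dicer: {
      name: 'dicer', severity: 'high', isDirect: false,
      via: [{ name: 'dicer', title: 'Crash in HeaderParser in dicer',
              url: 'https://github.com/advisories/GHSA-wm7h-9275-46v2',
              severity: 'high', range: '*' }],
      effects: ['firebase-admin'], nodes: ['node_modules/dicer'],
    },
    'firebase-admin': {
      name: 'firebase-admin', severity: 'high', isDirect: false,
      via: ['dicer'], effects: ['firebase-functions'],
      nodes: ['node_modules/firebase-admin'],
    },
    'firebase-functions': {
      name: 'firebase-functions', severity: 'high', isDirect: true,
      via: ['firebase-admin'], effects: [],
      nodes: ['node_modules/firebase-functions'],
    },
  },
};

// In the npm report, objects in `via` are the root advisories; strings in
// `via` only name another vulnerable package the entry depends on. Collect the
// roots with the package they apply to and whether that package is direct.
function rootAdvisories(report) {
  const roots = [];
  for (const [pkg, entry] of Object.entries(report.vulnerabilities || {})) {
    for (const v of entry.via || []) {
      if (typeof v === 'object' && v !== null && v.url) {
        roots.push({ pkg, url: v.url, title: v.title, severity: v.severity,
                     isDirect: Boolean(entry.isDirect) });
      }
    }
  }
  return roots;
}

// Split root advisories into accepted (an allowlist entry matches and its
// conditions hold) and blocking (everything else). CI fails on any blocking.
function evaluateAudit(report, allowlist = acceptedAdvisories) {
  const accepted = [];
  const blocking = [];
  for (const adv of rootAdvisories(report)) {
    const match = allowlist.find(a =>
      a.url === adv.url && a.pkg === adv.pkg &&
      (!a.onlyIfTransitive || !adv.isDirect));
    (match ? accepted : blocking).push({ ...adv, reason: match ? match.reason : null });
  }
  return { accepted, blocking };
}

// Helper for CI: `npm audit --json > audit.json`, then pass the path here.
function loadReport(path) {
  const fs = require('fs');
  return JSON.parse(fs.readFileSync(path, 'utf8'));
}

// Stand-alone run against the constructed sample; the dicer advisory is
// accepted because it is transitive and on the list, so nothing blocks.
const result = evaluateAudit(sampleReport);
for (const a of result.accepted) console.log(`accepted: ${a.pkg} ${a.url} (${a.reason})`);
for (const b of result.blocking) console.error(`BLOCKING: ${b.pkg} ${b.severity} ${b.url}`);
process.exitCode = result.blocking.length ? 1 : 0;
```

In a workflow this replaces the bare `npm audit fix` step: run `npm audit --json > audit.json`, call `evaluateAudit(loadReport('audit.json'))`, and let the non-zero exit code block the deployment only for advisories that nobody has reviewed. The `onlyIfTransitive` condition encodes the maintainer's own caveat: the same dicer advisory is not accepted if dicer becomes a direct dependency, because that is the case where your own code would parse untrusted input with it.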