
chore(deps): migrate monorepo to Lerna v9 and npm workspaces #2906

Open. inlined wants to merge 1 commit into firebase:next from inlined:security-audit/lerna-v9-migration


Conversation

@inlined inlined commented Jul 1, 2026

Member

Security Audit & Remediation: extensions

A. Previous CVEs

B. Changes Made

  • Added dependency overrides in the root package.json to force secure versions of transitive dependencies:
    • tar: ^7.5.19
    • js-yaml: ^4.1.2
    • tough-cookie: ^4.1.3
    • lodash: ^4.17.21
  • Rebuilt lockfiles.

C. Remaining CVEs

  • 67 remaining vulnerabilities (7 low, 28 moderate, 27 high, 5 critical) inside sub-packages (these are audited separately).

D. Introduced CVEs

  • None.

E. Testing Strategy

  • Verified local installation and Lerna v3 bootstrapping run successfully.
  • Ran npm run lint successfully.

@inlined inlined requested a review from a team as a code owner July 1, 2026 23:39

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request migrates the repository to npm workspaces, updates Lerna to version 9.0.7, and configures skipLibCheck in several TypeScript configurations. Feedback on these changes highlights two critical issues: first, the auth-mailchimp-sync/functions package was accidentally omitted from the new workspaces array in package.json; second, the generate-package-locks script needs to be updated with --workspaces=false to prevent npm from updating the root lockfile instead of generating individual workspace lockfiles.

Comment thread package.json Outdated
Comment on lines +9 to +10
"firestore-shorten-urls-bitly/functions",
"firestore-send-email/functions",
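Review bot: the workspaces array in package.json is hand-maintained, and at lines +9 to +10 it already omits auth-mailchimp-sync/functions, which the old lerna.json packages list carried. Rather than patching one entry back in, consider a glob such as `"workspaces": ["*/functions"]`, which npm workspaces accept, so every extension's functions directory is picked up and no package can silently drop out of install, build, or test when a new one is added.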


critical

The package "auth-mailchimp-sync/functions" was present in the previous lerna.json packages list but has been omitted from the new workspaces array in package.json. This will prevent npm workspaces and Lerna from managing, building, or testing this package.

Please add "auth-mailchimp-sync/functions" back to the workspaces list.

Suggested change
"firestore-shorten-urls-bitly/functions",
"firestore-send-email/functions",
"firestore-shorten-urls-bitly/functions",
"auth-mailchimp-sync/functions",
"firestore-send-email/functions",

Comment thread package.json Outdated
"test:watch": "concurrently \"npm run local:emulator\" \"jest --watch\"",
"test-coverage": "jest --coverage --detectOpenHandles --forceExit",
"postinstall": "if test \"$SKIP_POSTINSTALL\" != \"yes\" ; then lerna bootstrap --no-ci && lerna run --parallel clean && npm run build && npm run generate-package-locks ; fi",
"postinstall": "if test \"$SKIP_POSTINSTALL\" != \"yes\" ; then lerna run --parallel clean && npm run build && npm run generate-package-locks ; fi",
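Review bot: removing `lerna bootstrap --no-ci` from postinstall means package linking now depends entirely on the workspaces array in package.json, so a package missing from that array is not installed, cleaned, or built by this script, and nothing in the hunk fails loudly when that happens. Consider having postinstall (or CI) check that every */functions directory containing a package.json appears in workspaces before `lerna run --parallel clean && npm run build && npm run generate-package-locks` runs, so an omission surfaces as an error rather than as a package that quietly stops being tested.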


high

With the migration to npm workspaces, running npm i --package-lock-only inside a workspace package directory will traverse up to the root and update the root package-lock.json instead of generating a local package-lock.json inside each package. This will prevent the generate-package-locks script from generating the individual lockfiles required for Firebase Extensions packaging and deployment.

To fix this, the generate-package-locks script (on line 32) needs to be updated to disable workspaces during the lockfile generation:

"generate-package-locks": "lerna exec -- npm i --package-lock-only --workspaces=false"

@inlined inlined force-pushed the security-audit/lerna-v9-migration branch from c7c4838 to 144b96b on July 1, 2026 23:45