chore(deps): bump firebase-admin in /functions from ^8.10.0 to ^12.0.0#2395
Open
ZLeventer wants to merge 1 commit intogoogleanalytics:mainfrom
Open
chore(deps): bump firebase-admin in /functions from ^8.10.0 to ^12.0.0#2395ZLeventer wants to merge 1 commit intogoogleanalytics:mainfrom
ZLeventer wants to merge 1 commit intogoogleanalytics:mainfrom
Conversation
firebase-admin v8 has reached end-of-life and has not received security patches since 2021. v12 is the current stable series (requires Node 18+, which aligns with Firebase Functions gen2). Multiple CVEs affect the bundled grpc and google-auth-library transitive deps in v8 that are resolved in v12.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bumps
firebase-admininfunctions/package.jsonfrom^8.10.0to^12.0.0.Motivation
firebase-adminv8 reached end-of-life in 2021 and no longer receives security patches. Running an EOL version creates compounding risk through unmaintained transitive dependencies:firebase-adminv12 is the current stable release and resolves these transitive dependency vulnerabilities.Change
Migration notes
v9–v12 introduce breaking changes in several areas:
admin.initializeApp()no longer falls back toGOOGLE_APPLICATION_CREDENTIALSautomatically in all environments — ensure the hosting environment sets this env var or passes a credential explicitlyadmin.messaging()→ modular API (getMessaging(app)) preferred in v11+, though the legacy namespace still works in v12If the functions runtime is still gen1 (Node 12/14), this bump should be paired with a runtime upgrade; see Firebase runtime documentation.