
build(deps): pin firebase-js-sdk, disallow install of recent packages#9027

Open
mikehardy wants to merge 2 commits into main from @mikehardy/security-plus-plus

Conversation

@mikehardy
Collaborator

Description

This PR is focused on hardening the repository against supply chain attacks.

Specifically, one of the most effective means to stop the repo from being directly compromised by (and then possibly propagating) a supply-chain attack is to only install packages that have aged a certain amount, allowing detection and remediation in the broader ecosystem to take place on potentially trojaned packages prior to any attempt to install.

I have conservatively chosen 7 days as a minimum age here, though 3 days is also common.

Yarn and dependabot configs are updated to enforce this.

Please note this may conflict with a desire to update the firebase-js-sdk package; this is an unavoidable tension between usability and security. The appropriate action, should the need arise, is to add an exception for a specific version that is younger than 7 days in .yarnrc.yml, as described in that file.

Related issues

None logged, but security is a process and the entire broader ecosystem is hardening repositories bit by bit. This is us doing our part.

Release Summary

No release necessary, all local build related.

Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
    • Yes
  • My change supports the following platforms;
    • Android
    • iOS
    • Other (macOS, web)
  • My change includes tests;
    • e2e tests added or updated in packages/**/e2e
    • jest tests added or updated in packages/**/__tests__
  • I have updated TypeScript types that are affected by my change.
  • This is a breaking change;
    • Yes
    • No

Test Plan

If CI still passes, this is good. There should be no practical effect at the moment.


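As an added illustration, not code from this PR or from react-native-firebase, here is a simplified JavaScript model of what a minimum-age gate does during resolution: versions published less than the threshold ago are dropped from the candidate set, so a range request quietly resolves to the newest old-enough version, while an exact pin on a fresh version fails outright unless that exact version is pre-approved. That is the usability/security tension the description mentions, and why the exception has to name a specific version. The package name, publish dates and fixed clock are constructed; `resolve`, `satisfies` and `ageDays` are this example's own helpers, and the gate/pre-approval model mirrors Yarn's `npmMinimalAgeGate` and `npmPreapprovedPackages` settings as I recall them from the Yarn 4.10 release, not settings quoted on this page, so check the exact keys against your Yarn version's documentation.

```javascript
// Added example, not code from this PR or from react-native-firebase: a
// simplified model of a minimum-age gate applied during npm version resolution.
// The packument excerpt, package name and "now" timestamp are CONSTRUCTED.

const DAY_MS = 24 * 60 * 60 * 1000;
// Real packuments also carry "created"/"modified" keys inside `time`; skip them.
const SEMVER = /^\d+\.\d+\.\d+$/;

// Constructed registry metadata: the npm packument `time` map holds the publish
// timestamp of every version. Name and dates are invented for the demo.
const PACKUMENT = {
  name: "example-sdk",
  time: {
    created: "2026-04-20T10:00:00.000Z",
    modified: "2026-05-15T10:00:00.000Z",
    "1.2.0": "2026-04-20T10:00:00.000Z",
    "1.2.1": "2026-05-01T10:00:00.000Z",
    "1.3.0": "2026-05-14T10:00:00.000Z",
    "2.0.0": "2026-05-15T10:00:00.000Z",
  },
};

// Fixed clock so the run is deterministic: 1.3.0 is 2 days old, 2.0.0 is 1 day old.
const NOW = new Date("2026-05-16T10:00:00.000Z");

function parseVersion(v) {
  return v.split(".").map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Minimal range support for the demo: an exact version ("2.0.0") or a caret
// range ("^1.2.0": same major, not below the base version).
function satisfies(version, range) {
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return parseVersion(version)[0] === parseVersion(base)[0] &&
      compareVersions(version, base) >= 0;
  }
  return version === range;
}

function ageDays(packument, version, now) {
  return (now.getTime() - Date.parse(packument.time[version])) / DAY_MS;
}

// Resolve `range` against the packument, dropping every version published less
// than `minAgeDays` ago unless it is listed in `preapproved` (entries of the
// form "name@version"). Throws when nothing survives, which is exactly what
// happens to an exact pin on a freshly published version.
function resolve(packument, range, { minAgeDays, preapproved = [], now = NOW }) {
  const isPreapproved = (v) => preapproved.includes(`${packument.name}@${v}`);
  const candidates = Object.keys(packument.time)
    .filter((v) => SEMVER.test(v) && satisfies(v, range))
    .filter((v) => isPreapproved(v) || ageDays(packument, v, now) >= minAgeDays)
    .sort(compareVersions);
  if (candidates.length === 0) {
    throw new Error(
      `${packument.name}@${range}: no matching version is at least ${minAgeDays} days old`
    );
  }
  return candidates[candidates.length - 1];
}

// Demo run: range falls back silently, exact pin needs a per-version exception.
console.log(resolve(PACKUMENT, "^1.2.0", { minAgeDays: 7 })); // 1.2.1 (1.3.0 is gated)
console.log(resolve(PACKUMENT, "^1.2.0", { minAgeDays: 0 })); // 1.3.0 (gate disabled)
console.log(
  resolve(PACKUMENT, "2.0.0", { minAgeDays: 7, preapproved: ["example-sdk@2.0.0"] })
); // 2.0.0
```

A real implementation reads `time` from the registry's packument for the package and needs full semver range handling; the point here is the two behaviours of the gate, not a drop-in resolver. Note that age is measured from the registry's publish timestamp, so the gate buys nothing against a package that was malicious from the start and simply went unreported for 7 days; what it buys is time for the ecosystem to notice and pull the version before it reaches your lockfile.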

mikehardy added 2 commits May 16, 2026 14:08
this is important because lockfile recreation may allow this to slip,
at which point `yarn compare:types` starts to fail

we rely on exact versions in practice as we make changes to adopt new
versions and may even rely on bug-compatibility internally until a
new version is qualified / formally adopted
but explicitly allow packages we have a maintenance relationship with
as we adopt versions of those as quickly as possible historically
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces security hardening measures to the repository by implementing a mandatory age-based gate for package installations. By requiring packages to be at least 7 days old before they can be installed, the project aims to reduce the risk of incorporating malicious code from compromised packages. The changes include updates to dependency management tools and specific pinning for the Firebase SDK to ensure stability while maintaining the new security posture.

Highlights

  • Supply Chain Security: Implemented a 7-day minimum age gate for new package installations to mitigate potential supply-chain attacks.
  • Dependency Configuration: Updated Dependabot and Yarn configurations to enforce the age-based installation policy.
  • Firebase Pinning: Pinned the firebase-js-sdk version and added an explicit exception to allow its usage despite the new age restrictions.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/scripts/functions/.yarnrc.yml

@mikehardy mikehardy requested a review from russellwheatley May 16, 2026 19:30
gemini-code-assist[bot]: This comment was marked as low quality.

@mikehardy
Collaborator Author

None of the Gemini comments have merit. This survives local testing as an A/B to verify it does what's expected with regard to which package versions of things actually install and which do not. The configuration options used are relatively new, but the usage matches documented examples.

@mikehardy mikehardy added the labels Workflow: Needs Review (Pending feedback or review from a maintainer), tools: ci and dependencies (used for automated dependency PRs), and removed Needs Attention, May 16, 2026