New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency firebase to v10 [security] #8413

Closed

live-github-bot wants to merge 1 commit into develop from renovate/npm-firebase-vulnerability

Contributor

live-github-bot bot commented Nov 19, 2024

This PR contains the following updates:

Package	Type	Update	Change
firebase (source, changelog)	dependencies	major	`9.23.0` -> `10.9.0`

GitHub Vulnerability Alerts

CVE-2024-11023

Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow am actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

Release Notes

firebase/firebase-js-sdk (firebase)

`v10.9.0`

`v10.8.1`

`v10.8.0`

`v10.7.2`

`v10.7.1`

`v10.7.0`

`v10.6.0`

`v10.5.2`

`v10.5.1`

`v10.5.0`

`v10.4.0`

`v10.3.1`

`v10.3.0`

`v10.2.0`

`v10.1.0`

`v10.0.0`

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.


          fix(deps): update dependency firebase to v10 [security]

live-github-bot bot added the security label

vercel bot commented Nov 19, 2024 •

edited

Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

4 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
ledger-live-github-bot	⬜️ Ignored (Inspect)	Visit Preview		Nov 19, 2024 10:13pm
native-ui-storybook	⬜️ Ignored (Inspect)	Visit Preview		Nov 19, 2024 10:13pm
react-ui-storybook	⬜️ Ignored (Inspect)	Visit Preview		Nov 19, 2024 10:13pm
web-tools	⬜️ Ignored (Inspect)	Visit Preview		Nov 19, 2024 10:13pm

live-github-bot bot added the desktop label

Contributor Author

live-github-bot bot commented Nov 19, 2024

Desktop Bundle Checks

Comparing eb1f62b against 5ba2080.

🚀 idb library is no longer duplicated in renderer

Contributor

github-actions bot commented Dec 5, 2024

There as been no activity on this PR for the last 14 days. Please consider closing this PR.

github-actions bot added the Stale label

github-actions bot closed this

Contributor Author

live-github-bot bot commented Dec 13, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 10.x releases. But if you manually upgrade to 10.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

live-github-bot bot deleted the renovate/npm-firebase-vulnerability branch

December 13, 2024 22:06

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

desktop security Stale