Update dependency undici

[Bullfrog1234]

Operating System

N/A

Browser Version

N/A

Firebase SDK Version

10.10.0

Firebase SDK Product:

Auth, Firestore, Functions, Storage

Describe your project's tooling

NX workspace using react and node apps and libraries. With Snyk testing for vunerabilities.

Describe the problem

There is a security vulnerability in the package undici@5.28.3 that has been patched in <5.28.4 <6.11.1.

Details can be found here:

• https://security.snyk.io/vuln/SNYK-JS-UNDICI-6564963
• https://security.snyk.io/vuln/SNYK-JS-UNDICI-6564964

Introduced through:

• firebase@10.10.0 › @firebase/auth@1.7.0 › undici@5.28.3
• firebase@10.10.0 › @firebase/auth-compat@0.5.5 › undici@5.28.3
• firebase@10.10.0 › @firebase/firestore@4.5.1 › undici@5.28.3
• firebase@10.10.0 › @firebase/functions@0.11.3 › undici@5.28.3
• firebase@10.10.0 › @firebase/storage@0.12.3 › undici@5.28.3
• firebase@10.10.0 › @firebase/auth-compat@0.5.5 › @firebase/auth@1.7.0 › undici@5.28.3
• firebase@10.10.0 › @firebase/firestore-compat@0.3.28 › @firebase/firestore@4.5.1 › undici@5.28.3
• firebase@10.10.0 › @firebase/functions-compat@0.3.9 › @firebase/functions@0.11.3 › undici@5.28.3
• firebase@10.10.0 › @firebase/storage-compat@0.3.6 › @firebase/storage@0.12.3 › undici@5.28.3

I recommend that undici@5.28.4 is installed as I cannot see any breaking changes in what has been released in that version of the package.

Steps and code to reproduce issue

Install the package and run on Snyk Open-Source test. Firebase returns a low vulnerability.

[jbalidiong]

@Bullfrog1234, thank you for pointing this out. I'll communicate this to our engineers in order to update the dependencies to the patched version. I'll update this thread if I have more information to share.