I am trying to deploy my Firebase app using GitHub Actions. I am running the commands below for this:
- npm install
- npm audit fix
- npm install [email protected]
It was working perfectly until 10 days ago; now suddenly I am getting the issue below:
```
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dicer
firebase-admin >=7.1.0
Depends on vulnerable versions of dicer
node_modules/firebase-admin
firebase-functions >=3.0.0
Depends on vulnerable versions of firebase-admin
node_modules/firebase-functions
```
I saw that there is an issue going on with Dicer, but as it's a dependency of firebase-admin there is no way to skip this. I want to do an urgent production deployment - how can I remove this blocker?
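One way to keep an audit step in a pipeline like the one above from blocking on an advisory that only arrives transitively, as an added example that is not part of the original post: triage the report from `npm audit --json` against a list of advisories the team has already reviewed. The sample report is constructed, and `REVIEWED` and `triage` are hypothetical names.

```javascript
// Constructed sample shaped like `npm audit --json` output (auditReportVersion 2).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    dicer: {
      name: "dicer", severity: "high", isDirect: false,
      via: [{ name: "dicer", title: "Crash in HeaderParser in dicer",
              url: "https://github.com/advisories/GHSA-wm7h-9275-46v2" }],
      effects: ["firebase-admin"],
    },
    "firebase-admin": {
      name: "firebase-admin", severity: "high", isDirect: true,
      via: ["dicer"], effects: ["firebase-functions"],
    },
    "firebase-functions": {
      name: "firebase-functions", severity: "high", isDirect: true,
      via: ["firebase-admin"], effects: [],
    },
  },
};

// Hypothetical allowlist: advisories the team has reviewed and accepted for now.
const REVIEWED = new Set(["GHSA-wm7h-9275-46v2"]);

// Split advisories into those that should fail the build and those already reviewed.
function triage(report, reviewed = REVIEWED) {
  const blocking = [], accepted = [];
  for (const pkg of Object.values(report.vulnerabilities || {})) {
    for (const via of pkg.via || []) {
      // String entries only point at another vulnerable package; the advisory
      // itself is the object entry on the package where it originates.
      if (typeof via === "string") continue;
      const id = (via.url || "").split("/").pop();
      const finding = { id, package: pkg.name, severity: pkg.severity,
                        direct: pkg.isDirect === true };
      // A reviewed advisory is accepted only while the package stays transitive;
      // once it is a direct dependency the earlier review no longer applies.
      (reviewed.has(id) && !finding.direct ? accepted : blocking).push(finding);
    }
  }
  return { blocking, accepted, exitCode: blocking.length ? 1 : 0 };
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

In CI, pass it the parsed output of `npm audit --json` and exit with the returned `exitCode`, so a new or direct advisory still fails the build.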
The issue needs to be resolved by the team maintaining the SDK. That being said, in spite of being listed as high severity, the use case for dicer in the SDK renders the risk profile low unless you are using dicer in your own code:
Here's the relevant issue on GitHub. One of the maintainers explains the issue as follows: