[Snyk] Security upgrade firebase-admin from 12.7.0 to 13.0.0 (#50)

Open
Krosebrook wants to merge 2 commits into main from snyk-fix-b137051fdfe87542a1c39a6862c97440

Conversation

@Krosebrook
Owner

@Krosebrook Krosebrook commented Feb 4, 2026


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • js/testapps/firebase-functions-sample1/functions/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue: Uncaught Exception (high severity), SNYK-JS-FASTXMLPARSER-15155603
Score: 828

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncaught Exception


Note

Medium Risk
Low code-change risk but a major dependency upgrade in a server-side SDK that can introduce breaking API/runtime behavior in Firebase Functions.

Overview
Upgrades the js/testapps/firebase-functions-sample1/functions dependency on firebase-admin from ^12.2 to ^13.0.0 (Snyk security bump), pulling in updated transitive dependencies to remediate the flagged vulnerability.

Written by Cursor Bugbot for commit 202102d. This will update automatically on new commits. Configure here.


Summary by cubic

Upgraded firebase-admin to 13.0.0 in js/testapps/firebase-functions-sample1/functions to fix a high-severity transitive vulnerability (fast-xml-parser uncaught exception, SNYK-JS-FASTXMLPARSER-15155603). This is a major version bump; verify compatibility and any breaking changes before merging.

Written for commit 202102d. Summary will update on new commits.

Cursor Bugbot reviewed your changes and found no issues for commit 202102d

… reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15155603
Copilot AI review requested due to automatic review settings February 4, 2026 19:19
@coderabbitai

coderabbitai bot commented Feb 4, 2026

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Summary of Changes

Hello @Krosebrook, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is an automated security remediation initiated by Snyk. Its primary purpose is to resolve a critical "Uncaught Exception" vulnerability by updating the firebase-admin package to its latest major version. This ensures the firebase-functions-sample1 application remains secure and stable against known exploits.

Highlights

  • Security Vulnerability Fix: This pull request addresses a high-severity "Uncaught Exception" vulnerability (SNYK-JS-FASTXMLPARSER-15155603) with a score of 828.
  • Dependency Upgrade: The firebase-admin dependency has been upgraded from version 12.7.0 to 13.0.0 in js/testapps/firebase-functions-sample1/functions/package.json.
  • Automated Remediation: This PR was automatically generated by Snyk to apply the necessary security fix.
Changelog
  • js/testapps/firebase-functions-sample1/functions/package.json
    • Updated the firebase-admin dependency from ^12.2 to ^13.0.0.
Activity
  • This pull request was automatically created by Snyk to address a security vulnerability.
  • The PR suggests an upgrade to firebase-admin to fix a high-severity "Uncaught Exception" issue.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature | Command | Description
Code Review | /gemini review | Performs a code review for the current pull request in its current state.
Pull Request Summary | /gemini summary | Provides a summary of the current pull request in its current state.
Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help | /gemini help | Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request from Snyk upgrades firebase-admin to version 13.0.0 to fix a security vulnerability. This is a major version bump and is a breaking change. I've added a review comment highlighting a potential compatibility issue with the @genkit-ai/firebase package due to its broad peer dependency range. Please review the comment and ensure compatibility before merging.

"@genkit-ai/firebase": "^1.22.0",
"@genkit-ai/google-genai": "^1.22.0",
"firebase-admin": "^12.2",
"firebase-admin": "^13.0.0",

Severity: high

This upgrade to firebase-admin v13 is a major version change and may introduce breaking changes. The @genkit-ai/firebase package, which this test app depends on, has a peer dependency on firebase-admin: ">=12.2". This range is too permissive and does not guarantee compatibility with v13. This could lead to runtime errors. It's recommended to verify that @genkit-ai/firebase works with firebase-admin v13. Ideally, the peer dependency in @genkit-ai/firebase should be constrained to tested, compatible versions.


Copilot AI left a comment


Pull request overview

Updates the Firebase Functions sample app dependency tree to address a Snyk-reported vulnerability by upgrading firebase-admin.

Changes:

  • Bump firebase-admin dependency from the v12 range to ^13.0.0 in the Firebase Functions sample.


"@genkit-ai/firebase": "^1.22.0",
"@genkit-ai/google-genai": "^1.22.0",
"firebase-admin": "^12.2",
"firebase-admin": "^13.0.0",

Copilot AI Feb 4, 2026


Upgrading firebase-admin across a major version can introduce runtime/API breaking changes, but this js/testapps/** area doesn’t appear to be exercised by CI (no workflow references to testapps, and existing workflows build /samples/** or genkit-tools only). Consider adding a lightweight CI smoke check for js/testapps/firebase-functions-sample1/functions (install + npm run build), or otherwise document/perform a manual verification to avoid silent breakage in this sample.


@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 1 file

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="js/testapps/firebase-functions-sample1/functions/package.json">

<violation number="1" location="js/testapps/firebase-functions-sample1/functions/package.json:20">
P2: This is a major version upgrade from firebase-admin v12 to v13 which may introduce breaking changes. The `@genkit-ai/firebase` package that this test app depends on has a peer dependency of `firebase-admin: ">=12.2"` which doesn't guarantee compatibility with v13. Verify that `@genkit-ai/firebase` works correctly with firebase-admin v13 before merging to avoid potential runtime errors.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

"@genkit-ai/firebase": "^1.22.0",
"@genkit-ai/google-genai": "^1.22.0",
"firebase-admin": "^12.2",
"firebase-admin": "^13.0.0",

@cubic-dev-ai cubic-dev-ai bot Feb 4, 2026


P2: This is a major version upgrade from firebase-admin v12 to v13 which may introduce breaking changes. The @genkit-ai/firebase package that this test app depends on has a peer dependency of firebase-admin: ">=12.2" which doesn't guarantee compatibility with v13. Verify that @genkit-ai/firebase works correctly with firebase-admin v13 before merging to avoid potential runtime errors.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At js/testapps/firebase-functions-sample1/functions/package.json, line 20:

<comment>This is a major version upgrade from firebase-admin v12 to v13 which may introduce breaking changes. The `@genkit-ai/firebase` package that this test app depends on has a peer dependency of `firebase-admin: ">=12.2"` which doesn't guarantee compatibility with v13. Verify that `@genkit-ai/firebase` works correctly with firebase-admin v13 before merging to avoid potential runtime errors.</comment>

<file context>
@@ -17,7 +17,7 @@
     "@genkit-ai/firebase": "^1.22.0",
     "@genkit-ai/google-genai": "^1.22.0",
-    "firebase-admin": "^12.2",
+    "firebase-admin": "^13.0.0",
     "firebase-functions": "^6.3.1"
   },
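Review bot: the hunk raises only the `firebase-admin` range, from `^12.2` to `^13.0.0`, while the flagged issue lives in the transitive fast-xml-parser dependency, so confirm that the resolved fast-xml-parser version actually changes (regenerate the lockfile in the same change if this sample commits one, and check with `npm ls fast-xml-parser`); also verify `@genkit-ai/firebase` against firebase-admin v13 before merging, because its `>=12.2` peer range means npm will install the major bump without raising any peer warning.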
</file context>
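Added example, not code from this PR or from the genkit project: a small range check that shows why npm stays silent on this bump even though it crosses a major version. The range forms and the `>=12.2` peer value come from the review comments above; everything else is constructed, and only the `^`, `>=` and exact forms are handled.

```javascript
// Added example (not from the PR or the genkit project): decide whether a
// dependency bump still satisfies a consumer's peer range, and flag the case
// where it is satisfied only because the peer range is open-ended (">=").
// Supported range forms: "^x[.y[.z]]", ">=x[.y[.z]]" and exact versions.

function parseVersion(v) {
  // "12.2" -> [12, 2, 0]; missing minor/patch default to 0
  const parts = v.trim().split('.').map(n => Number.parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True if `version` lies inside `range`.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (range.startsWith('>=')) return compare(v, parseVersion(range.slice(2))) >= 0;
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    // caret: same major and at or above the lower bound (major-0 rules omitted)
    return v[0] === lo[0] && compare(v, lo) >= 0;
  }
  return compare(v, parseVersion(range)) === 0;
}

// Lowest version a "^", ">=" or exact range can resolve to.
function minVersion(range) {
  return parseVersion(range.replace(/^(\^|>=)/, ''));
}

// Assess a bump from `oldRange` to `newRange` against a consumer's peer range.
// Returns { satisfied, crossesMajor, verdict }.
function assessBump(oldRange, newRange, peerRange) {
  const lo = minVersion(oldRange), hi = minVersion(newRange);
  const crossesMajor = hi[0] !== lo[0];
  const satisfied = satisfies(peerRange, newRange.replace(/^(\^|>=)/, ''));
  let verdict = 'ok';
  if (!satisfied) verdict = 'peer-range-violated';
  else if (crossesMajor) verdict = 'satisfied-but-unverified-major';
  return { satisfied, crossesMajor, verdict };
}

// Constructed inputs mirroring this PR: firebase-admin goes from ^12.2 to
// ^13.0.0 while @genkit-ai/firebase declares the peer range ">=12.2".
console.log(assessBump('^12.2', '^13.0.0', '>=12.2'));
```

The verdict `satisfied-but-unverified-major` is the case both reviewers describe: no installer warning, but no evidence of compatibility either.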

… reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15155603

3 participants