@renovate renovate bot commented Jun 5, 2024

This PR contains the following updates:

| Package | Change |
| --- | --- |
| firebase-tools | ^11.30.0 -> ^13.0.0 |

GitHub Vulnerability Alerts

CVE-2024-4128

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (i.e. Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0.


Release Notes

firebase/firebase-tools (firebase-tools)

v13.6.0

  • Released Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a reset endpoint for Datastore Mode.
  • Released PubSub Emulator 0.8.2. This version includes support for no_wrapper options.
  • Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains. (#​6895)
  • Fixes issue where GOOGLE_CLOUD_QUOTA_PROJECT breaks functions source uploads (#​6917)

v13.5.2

  • Fix hosting rewrite deployment bug for skipped functions (#​6658).

v13.5.1

  • Release Emulator Suite UI v1.11.8 which adds support for Multiple DBs in the Emulator UI Firestore page via editing the URL. (#​6874)

v13.5.0

  • Enable dynamic debugger port for functions + support for inspecting multiple codebases (#​6854)
  • Inject an environment variable in the node functions emulator to tell the google-gax SDK not to look for the metadata service. (#​6860)
  • Release Firestore Emulator 1.19.3 which fixes ancestor and namespace scope queries for Datastore Mode. This release also fixes internal errors seen across REST API and firebase-js-sdk.
  • v2 scheduled functions with explicit service accounts trigger eventarc to use that service account (#​6858)
  • v2 event functions with explicit service accounts trigger eventarc to use that service account (#​6859)

v13.4.1

  • Released Firestore emulator v1.19.2, which fixes some bugs affecting client SDKs when in Datastore Mode.
  • Fix demo projects + web frameworks with emulators (#​6737)
  • Fix Next.js static routes with server actions (#​6664)
  • Fixed an issue where GOOGLE_CLOUD_QUOTA_PROJECT was not correctly respected. (#​6801)
  • Make VPC egress settings in functions parameterizeable (#​6843)

v13.4.0

  • Added new commands for managing Firestore backups and restoring databases. (#​6778)
  • Fixed quota attribution for Firebase Auth API calls. (#​6819)

v13.3.1

  • Release Cloud Firestore emulator v1.19.1:
    • Adds support for Datastore Mode to the Firestore Emulator. Adds
      --database-mode flag to gcloud emulator firestore start command. Note
      that this is a preview feature and if you find any bugs, please file them
      here: https://github.com/firebase/firebase-tools/issues.
  • Improve FAH onboarding flow to connect backends with SCMs (#​6764).
  • Fixed issue where GitHub actions would fail due to lack of permission. (#​6791)

v13.3.0

  • Improved detection for when login has expired due to Google Cloud Session Control. (#​1846)
  • Added support for Python 3.12. (#​6679)
  • Fixed issues with internal utilities. (#​6754)
  • Fixed an issue where firestore:delete wouldn't target the emulator when expected. (#​6537)

v13.2.1

  • Fixed an issue where appdistribution:distribute would always attempt to run tests. (#​6749)

v13.2.0

  • Added rudimentary email enumeration protection for auth emulator. (#​6702)

v13.1.0

  • Point v2 function target to entrypoint. (#​6698)
  • Fixed issue where Auth emulator sign in with Google only shows default tenant. (#​6683)
  • Prevent the use of pinTags + minInstances on the same function, as the features are not mutually compatible (#​6684)
  • Added force flag to delete backend (#​6635).
  • Use framework build target in Vite builds (#​6643).
  • Use framework build target in NODE_ENV for production Vite builds (#​6644)
  • Let framework handle public directory with emulator. (#​6674)
  • Dynamically import Vite to fix deprecated CJS build warning. (#​6660)
  • Fixed unsafe array spreads on Hosting deploys. (#​6712)

v13.0.3

  • Fixed typo in Cloud storage bucket metadata location type. (#​6648)
  • Fixed an issue where including export in .env files caused parsing errors. (#​6629)

v13.0.2

  • Fix Next.js dynamic and static OG images. (#​6592)
  • Address a regression introduced in 13.0.1 when emulating Vite applications. (#​6599)
  • Add RSC headers of Next.js app directory pages to Hosting headers. (#​6608)

v13.0.1

  • Fix bug where deploying Firestore function resulted in redundant API calls to the Firestore API (#6583).
  • Fix an issue preventing Vite applications from being emulated on Windows. (#​6411)
  • Addressed an issue preventing Astro applications from being deployed from Windows. (#​5709)
  • Fixed an issue preventing Angular apps using ng-deploy from being emulated or deployed. (#​6584)
  • Warn if a Web Framework is outside a well known version range on deploy/emulate. (#​6562)
  • Use Web Framework's well known version range in firebase init hosting. (#​6562)
  • Permit use of more SSR regions in Web Frameworks deploys. (#​6086)
  • Limit Web Framework's generated Cloud Function name to 23 characters, fixing deploys for some. (#​6260)
  • Allow Nuxt as an option during firebase init hosting. (#​6309)

v13.0.0

  • Breaking: dropped support for running the CLI on Node.js v16.
  • Breaking: Refactored functions:shell to remove dependency on deprecated request module.
    • As part of this change, removed support for some rarely used features of request.
  • Breaking: Removed deprecated ext:dev:publish command. Use ext:dev:upload instead.
  • Breaking: Functions deployment no longer deploys functions directory if there is no functions config in firebase.json. (#​6450)
  • Added support for running the CLI on Node.js v20.
  • Switched Storage deployment to use GetDefaultBucket endpoint to fetch default Storage bucket. (#​6467)
  • Fixed an issue with emulating blocking functions when using multiple codebases (#​6504).
  • Added force flag call-out for bypassing prompts (#​6506).
  • Added the ability to deploy Angular apps using the new application-builder. (#​6480)
  • Fixed an issue where --non-interactive flag is not respected in Firestore indexes deploys. (#​6539)
  • Fixed an issue where login:use would not work outside of a Firebase project directory. (#​6526)
  • Prevent app router static not-found requiring a Cloud Function in Next.js deployments. (#​6558)
  • Use only site id from site name in list versions API. (#​6565)

v12.9.1

  • Fixes issue where initializing Hosting fails when selecting a project. (#​6527)

v12.9.0

  • Revert enabling preferRest by default to avoid performance degradations for some users (#​6520).
  • Fix blocking functions in the emulator when using multiple codebases (#​6504).
  • Add force flag call-out for bypassing prompts (#​6506).
  • Fixed an issue where the functions emulator did not respect the --log-verbosity flag (#​2859).
  • Add the ability to look for the default Hosting site via Hosting's API.
  • Add logic to create a Hosting site when one is not available in a project.
  • Add checks for the default Hosting site when one is assumed to exist.

v12.8.1

  • Fixed 2 bugs (unintended database mode changes and disabling of PITR or delete-protection) when updating Firestore databases (#​6478)

v12.8.0

  • Enable preferRest option by default for Firestore functions. (#​6147)
  • Fixed a bug where re-deploying 2nd Gen Firestore function failed after updating secrets. (#​6456)
  • Fixed a bug where similarly-named Hosting channels would cause issues when updating authorized domains. (#​6356)

v12.7.0

  • Fix type mismatch for parametrized function region. (#​6205)
  • Ignore FIRESTORE_EMULATOR_HOST environment variable on functions deploy. (#​6442)
  • Added support for enabling, disabling, and displaying Point In Time Recovery enablement state on Firestore databases (#​6388)
  • Added a --verbosity flag to emulators:* commands that limits what logs are printed (#​2859)
  • Fixed an issue where params would not be resolved when used to set VPC connector during functions deployment (#​6327)

v12.6.2

  • Fixed an issue with deploying multilevel grouped functions containing v2 functions. (#​6419)
  • Fixed an issue where functions deployment required a new permission.

v12.6.1

  • Fixed an issue where the functions service account option was not treated as a param (#​6389).
  • Fixed an issue with deploying function groups containing v2 functions. (#​6408)
  • Use GetDefaultBucket endpoint to fetch Storage Default Bucket.

v12.6.0

  • Improve performance and reliability when deploying multiple 2nd gen functions using single builds. (#​6376)
  • Fixed an issue where emulators:export did not check if the target folder is empty. (#​6313)
  • Fixed an issue where retry could not be set for event triggered functions. (#​6391)
  • Fixed "Could not find the next executable" on Next.js deployments (#​6372)
  • Fixed issues caused by breaking changes in Next >=v13.5.0. (#​6382)

v12.5.4

  • Released Firestore emulator v1.18.2.
    • Removed nano precision in timestamp used in Firestore emulator (#​5893)
    • Fixed a bug where query behaves differently from production.
  • Fixed an issue where very long command outputs would be cut off. (#​3286)

v12.5.3

  • Fixed an issue where builds from https://firebase.tools could not run commands that spawn npm. (#​6132)
  • Fixed an issue where --non-interactive and --force were not respected in some extension deploys. (#​6321)
  • Fixed the regex in extensions changelog parser to lazy match the version prefix to allow matching higher versions (#​6326)

v12.5.2

  • Fixed an issue causing unexpected behavior and errors on functions deploy. (#​6290)

v12.5.1

  • Fix issue with mixed v1 and v2 functions deployments. (#​6293)

v12.5.0

  • Fixed issue where the Extensions emulator would error when emulating local extensions with no params. (#6271)
  • Improved performance and reliability when deploying multiple 2nd gen functions using single builds. (#​6275)
  • Fix bundle next.config.js (#​6287)

v12.4.8

  • Increased functions emulator HTTPS body size limit to 32mb to match production. (#​6201)
  • Fixed Astro web framework bug when loading configuration for version 2.9.7 and above. (#​6213)
  • Increase Next.js config bundle timeout to 60 seconds. (#​6214)

v12.4.7

  • Improve error message raised when firebase init hosting:github fails due to max number of keys limit for a service account. (#​6145)
  • Fixed bug where functions:secrets:* family of commands did not work when Firebase CLI is authenticated via GOOGLE_APPLICATION_CREDENTIALS (#6190)
  • Fixed bug where some extension instance updates would default to the wrong location.

v12.4.6

  • Fixed an issue where extension instances could not be deployed when authenticated as a service account (#​6060).
  • Fixed glob usage in Next.js utility function to detect images in app directory (#​6166)
  • Send experiments activated with firebase experiments:enable to the emulator suite UI (#​6169)

v12.4.5

  • Fixed bug where functions:secrets:set didn't remove stale versions of a secret. (#​6080)
  • Fixed bug where firebase deploy --only firestore:named-db didn't update rules. (#​6129)
  • Fixed issue where Flutter Web is not detected as a web framework. (#​6085)
  • Added better messages for API permissions failures that direct the user to the URL to enable the API. (#​6130)
  • Fixed issue caused by adding type checks in #​5906.
  • Fixed next/image component in app directory for Next.js > 13.4.9. (#​6143)
  • Fixed bug where Next.js Image Optimization in the app directory was not requiring a Cloud Function. (#​6143)
  • Fixed a transitive dependency on a vulnerable version of vm2. (#​6150)

v12.4.4

  • Disables KeepAlive timeout when debugger is attached to the functions emulator. (#​6069)
  • Fixed an issue where database:list would have inaccurate results. (#​6063)

v12.4.3

  • Fixed incorrect links in firebase open hosting and firebase open crash. (#​6073)
  • Released Firebase Emulator UI v1.11.7, which includes preview support for multiple Firestore databases. (#​6079)

v12.4.2

  • Run lifecycle hooks for specific functions. (#​6023)
  • Increased extension instance create poll timeout to 1h to match backend (#​5969).
  • Refactored ext:install to use the latest extension metadata. (#​5997)
  • Added descriptive error when repo is private or not found during ext:dev:upload. (#​6052)
  • Fixed issue where missing trigger warnings would be wrongly displayed when emulating extensions with HTTPS triggers. (#​6055)
  • Normalized extension root path before usage in ext:dev:upload. (#​6054)

v12.4.1

  • Release Firestore emulator 1.18.1 which adds an emulator configuration to start with experimental mode (#5942).
  • Run lifecycle hooks for specific codebases. (#​6011)
  • Fixed issue causing firebase emulators:start to crash in Next.js apps (#​6005)

v12.4.0

  • Added appdistribution:group:create and appdistribution:group:delete. (#​5978)
  • Added --group-alias option to appdistribution:testers:add and appdistribution:testers:remove. (#​5978)
  • Fixed an issue where Storage rules could not be deployed to projects without a billing plan. (#​5955)

v12.3.1

  • Delete and re-create v2 function on Cloud Run API quota exhaustion (#​5719).
  • firebase functions:secrets:* ensure the secretmanager API is enabled (#​5918)

v12.3.0

  • Fix a bug preventing web framework's dev-mode from working out-of-box with Firebase Authentication. (#​5894)
  • Address additional cases where we were attempting to deploy a framework's development bundle (#​5895)
  • NextJS rewrites should be prefixed with the basePath defined in next.config.js (#​5923)
  • Web Frameworks emulators will again respect existing Cloud Functions rewrites (#​5923)
  • Web Frameworks rewrites/redirects/headers will only prepend those in firebase.json if there's a baseUrl (#​5923)
  • Fixes issue where Authentication emulator creates a user if empty email and empty password is provided. (#​5639)
  • Improve error message raised when --import flag directory does not exist. (#​5851)
  • Switch ext:dev:init to default 'billingRequired' to true in extension.yaml
  • Remove LOCATION param from the extensions.yaml template for ext:dev:init
  • Support Astro hybrid rendering (#​5898)

v12.2.1

  • Gracefully close rules runtime on storage emulator stop (#​4902)
  • Always assume build target of production when deploying a web framework, unless overridden (#​5892)

v12.2.0

  • Update error message when function deploy fails due to quota. (#​5867)
  • Fixes RTDB emulator 127.0.0.1 namespace resolution bug. (#​5863)
  • Improves RTDB emulator to GCF emulator network reliability. (#​5863)
  • Allow for Angular developers to both target a PWA and leverage serveOptimizedImages. (#​5716)
  • Multi-page applications that are fully statically rendered are no longer treated as PWAs. (#5716)
  • Add fast dev-mode support for developers using Nuxt v2. (#5716)
  • Respect ssr: false and baseURL when using Nuxt. (#​5716)
  • Fix bug where JS SDK auto-init was not working for Vite while in dev-mode (#​5610).
  • Respect FIREBASE_FRAMEWORKS_BUILD_TARGET environment variable to override the default build target (#​5572).
  • Improves cleanup process when reloading emulated functions in debug mode. (#​5878)
  • Allow Web Frameworks to target NodeJS v20. (#​5879)

v12.1.0

  • Fixes an issue running firebase emulators:start when Python Cloud Functions directory path has spaces. (#​5854)
  • Add support for nodejs20 for Cloud Functions for Firebase. (#​5837)
  • Add Flutter Web as an option in "firebase init hosting" (#​5864)
  • Some failures while building Web Frameworks were not being caught (#​5864)

v12.0.1

  • Fixes an issue in the EventArc emulator where events missing optional fields would cause crashes. (#5803)
  • Fixes an issue running firebase emulators:start and firebase deploy when Python Cloud Functions directory path has spaces. (#​5830)

v12.0.0

  • Breaking: drops support for running the CLI on Node.js v14.
  • Adds ext:dev:* commands to publish and manage Extensions. For step-by-step instructions on how to publish your own Extensions, see https://firebase.google.com/docs/extensions/publishers/get-started.
    • Note: These commands were previously available to early access users behind an experiment flag. There are some breaking changes from the early access version of these commands.
    • ext:dev:publish has been renamed to ext:dev:upload. ext:dev:upload defaults to uploading extensions from GitHub instead of local source.
    • ext:dev:publish is deprecated and will be removed in version 13.
    • ext:dev:delete, ext:dev:unpublish, ext:sources:create and ext:dev:emualtors:* have been removed.
  • Support for Next.js i18n, basePath, and more advanced rewrites/redirects/headers (#​5788)
  • hosting.frameworksBackend now respects omit: true (#​5788)
  • Web Frameworks now memoizes framework builds for single builds across multiple hosting sites (#​5788)
  • Add support for Angular i18n and baseHref (#​5774)
  • Trip the backend requirement for Angular applications using ng-deploy w/serveOptimizedImages (#​5774)
  • Fixes a bug where the Storage emulator would not fall back to open rules for 'demo-' projects if firebase.json contained multiple storage targets (#​5170)
  • Updates firebase init function templates for TypeScript and Javascript to 2nd gen (#​5775)
  • Allow for atomic deployment of Hosting content & Functions rewrites via tag pinning (#​5753)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
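
The CVE-2024-4128 advisory quoted above concerns a website reaching a localhost emulator endpoint from the user's browser. As an added example (not firebase-tools code, and not a description of the upstream fix), this is one way a local development server can screen requests before serving an export-style endpoint; the port `4400`, the trusted UI origin `http://localhost:4000`, and all function names are assumptions made for illustration.

```javascript
// Added example, not firebase-tools code. Port and origin values are assumed.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Split a Host header ("name:port" or "[v6]:port"); null if malformed or absent.
function parseHostHeader(value) {
  const m = /^(\[[0-9a-f:]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(String(value || "").trim());
  return m ? { hostname: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : null } : null;
}

function deny(reason) {
  return { allow: false, reason };
}

// headers: lower-cased names, as Node's http module provides them.
// opts: { port: number, allowedOrigins: string[] }
function screenLocalRequest(method, headers, opts) {
  // 1. Host must name the loopback interface and our own port (DNS rebinding check).
  const host = parseHostHeader(headers["host"]);
  if (!host || !LOOPBACK_HOSTS.has(host.hostname)) return deny("host-not-loopback");
  if (host.port !== opts.port) return deny("host-port-mismatch");

  // 2. An Origin header, when a browser sends one, must be on the explicit allowlist.
  const origin = headers["origin"];
  const originTrusted = origin !== undefined && opts.allowedOrigins.includes(origin);
  if (origin !== undefined && !originTrusted) return deny("origin-not-allowed");

  // 3. Fetch Metadata: browsers that send it label the request's provenance.
  const site = headers["sec-fetch-site"];
  if (site !== undefined) {
    const ok = site === "same-origin" || site === "none" ||
      (site === "same-site" && originTrusted);
    if (!ok) return deny("sec-fetch-site-" + site);
  }

  // 4. Unsafe methods must carry a JSON body type, which an HTML form cannot
  //    send and which makes cross-origin script go through a CORS preflight.
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    const type = String(headers["content-type"] || "").split(";")[0].trim().toLowerCase();
    if (type !== "application/json") return deny("content-type-not-json");
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample requests (not captured traffic).
const OPTS = { port: 4400, allowedOrigins: ["http://localhost:4000"] };
const SAMPLES = [
  { method: "POST", headers: { host: "127.0.0.1:4400", "content-type": "application/json" } },
  { method: "POST", headers: { host: "localhost:4400", origin: "https://untrusted.example",
                               "content-type": "text/plain" } },
  { method: "GET", headers: { host: "localhost:4400", "sec-fetch-site": "cross-site" } },
  { method: "GET", headers: { host: "rebind.untrusted.example:4400" } },
  { method: "POST", headers: { host: "localhost:4400", origin: "http://localhost:4000",
                               "sec-fetch-site": "same-site",
                               "content-type": "application/json; charset=utf-8" } },
];

// Returns the decision reason for each constructed sample, in order.
function runSamples() {
  return SAMPLES.map((s) => screenLocalRequest(s.method, s.headers, OPTS).reason);
}

console.log(runSamples());
```

The first sample models a command-line client with no browser headers; the last models a trusted local UI on a different port, which browsers report as `same-site`.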

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jun 5, 2024
@renovate renovate bot changed the title Update dependency firebase-tools to v13 [SECURITY] fix(deps): update dependency firebase-tools to v13 [security] Jun 5, 2024
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from d29dce5 to eb5b334 Compare July 1, 2024 11:58
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from eb5b334 to 0ec20b1 Compare August 1, 2024 09:07
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 0ec20b1 to ef1affd Compare September 1, 2024 07:35
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from ef1affd to c71b145 Compare October 1, 2024 11:29
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from c71b145 to 6e85c29 Compare January 1, 2025 10:28
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 6e85c29 to e8edb6e Compare April 1, 2025 09:35
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from e8edb6e to 11cb3ee Compare May 1, 2025 09:38
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch 2 times, most recently from 139ceb5 to e151589 Compare August 13, 2025 13:08
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from e151589 to 9a8d85f Compare August 19, 2025 12:07
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch 2 times, most recently from 280e743 to 288f5ed Compare September 1, 2025 08:50
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 288f5ed to 1a4011b Compare September 26, 2025 07:27
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 1a4011b to 9d364a8 Compare October 25, 2025 19:52
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from 9d364a8 to a18315a Compare November 11, 2025 02:48
@renovate renovate bot force-pushed the renovate/npm-firebase-tools-vulnerability branch from a18315a to 25c7cb1 Compare November 18, 2025 23:41