Repository-Wide Dependency and Infrastructure Modernization #1291
inlined wants to merge 6 commits into
Updated all v1 and v2 Node.js samples to use the absolutely latest packages and set the Node engine to 24. Also resolved outstanding CVEs, fixed peer dependency conflicts, and verified all samples against the Firebase Emulator Suite. TAG=agy CONV=800679c0-d521-4ba2-b43c-40d9a5bcdf50
Wiz Scan Summary
|
| Scanner | Findings |
|---|---|
| 23 |
|
| - | |
| - | |
| - | |
| 2 |
|
| - | |
| Total | 23 |
Code Review
This pull request updates the Node.js engine versions and upgrades numerous dependencies across various Firebase Cloud Functions sample projects. However, several dependency upgrades introduce breaking changes or ESM-only requirements that are incompatible with the existing CommonJS codebases. Specifically, upgrading express-handlebars, simple-oauth2, mkdirp, chai, and chai-as-promised to their latest major versions will cause runtime TypeErrors or ESM import errors during test execution, and these packages should be downgraded to maintain compatibility.
| "cors": "^2.8.6", | ||
| "eslint-plugin-promise": "^7.3.0", | ||
| "express": "^5.2.1", | ||
| "express-handlebars": "^9.0.1", |
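Review bot: "express": "^5.2.1" on the third line of this hunk is a major-version line of its own, separate from the express-handlebars entry below it. Express 5 changed route path matching and removed several APIs that were deprecated in 4.x, so the route strings and handlers in this sample should be checked against the Express 5 migration guide, or the range held at the last 4.x release until they are.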
Upgrading express-handlebars to ^9.0.1 (v6+) introduces a breaking change where the default export is no longer a function. Since the existing code in index.js imports it via const exphbs = require('express-handlebars'); and calls exphbs(...) directly, this will throw a TypeError at runtime. Downgrading to ^5.3.5 (or any v5 version) is recommended to maintain compatibility without refactoring the code.
| "express-handlebars": "^9.0.1", | |
| "express-handlebars": "^5.3.5", |
The code was also rewritten
| "firebase-admin": "^14.0.0", | ||
| "firebase-functions": "7.2.5", | ||
| "simple-oauth2": "^3.4.0" | ||
| "simple-oauth2": "^5.1.0" |
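Review bot: "firebase-functions": "7.2.5" is pinned to an exact version while "firebase-admin" and "simple-oauth2" beside it use caret ranges. If the exact pin is deliberate, say why in the PR description; otherwise use the same range style as the neighbouring entries and let the lockfile be the one place that fixes versions.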
Upgrading simple-oauth2 to ^5.1.0 (v4+) introduces a major breaking change where the factory method create and the .authorizationCode property are removed. The existing code in index.js uses require('simple-oauth2').create(...) and oauth2.authorizationCode.authorizeURL(...), which will throw a TypeError at runtime. Downgrading to ^3.4.0 is recommended to maintain compatibility with the existing implementation.
| "simple-oauth2": "^5.1.0" | |
| "simple-oauth2": "^3.4.0" |
| "firebase-admin": "^14.0.0", | ||
| "firebase-functions": "7.2.5", | ||
| "mkdirp": "^1.0.4" | ||
| "mkdirp": "^3.0.1" |
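Review bot: "mkdirp": "^3.0.1" keeps a dependency that the Node runtime this PR targets no longer needs. fs.mkdir and fs.promises.mkdir accept { recursive: true }, so the call site could use the built-in and this entry could be dropped from package.json, which also takes one package out of the audit surface.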
Upgrading mkdirp to ^3.0.1 (v2+) introduces a breaking change where the default export is no longer the main function. Instead, it is a named export { mkdirp }. The existing code in index.js uses const mkdirp = require('mkdirp'); and calls mkdirp(tempLocalDir) directly, which will throw a TypeError: mkdirp is not a function at runtime. Downgrading to ^1.0.4 is recommended to maintain compatibility.
| "mkdirp": "^3.0.1" | |
| "mkdirp": "^1.0.4" |
The import is fixed along with this change
| "chai": "^4.3.6", | ||
| "eslint": "^8.57.1", | ||
| "@types/mocha": "^10.0.10", | ||
| "chai": "^6.2.2", |
Upgrading chai to ^6.2.2 (v5+) introduces a breaking change where the package is now ESM-only. Since this is a CommonJS project (no "type": "module" in package.json and uses require), running tests that import Chai via require('chai') will throw Error [ERR_REQUIRE_ESM]: require() of ES Module ... not supported. Downgrading to ^4.3.6 is recommended to maintain compatibility with the CommonJS test suite.
| "chai": "^6.2.2", | |
| "chai": "^4.3.6", |
This is awkwardly solved by adding an "await import" inside the closure
| "chai": "^6.2.2", | ||
| "chai-as-promised": "^8.0.2", |
Upgrading chai to ^6.2.2 (v5+) and chai-as-promised to ^8.0.2 (v8+) introduces a breaking change where both packages are now ESM-only. Since this is a CommonJS project (no "type": "module" in package.json and uses require), running tests that import Chai or Chai-as-promised via require will throw Error [ERR_REQUIRE_ESM]. Downgrading to ^4.3.6 and ^7.1.1 respectively is recommended to maintain compatibility with the CommonJS test suite.
| "chai": "^6.2.2", | |
| "chai-as-promised": "^8.0.2", | |
| "chai": "^4.3.6", | |
| "chai-as-promised": "^7.1.1", |
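A pre-upgrade check for the failure mode the review comments above describe, as an added example that is not part of this PR or the reviewed repository: it reads dependency manifests and lists those that give a CommonJS project no CommonJS entry point. The package names and manifests are constructed, and nested package.json overrides are not considered.

```javascript
// Added example, not code from this PR. Package names and manifests are constructed.
// Simplification: a nested package.json beside the entry file can override "type".
// Pick the target require() would get from an "exports" value (first matching key wins).
function resolveForRequire(target) {
  if (typeof target === 'string') return target;
  if (Array.isArray(target)) return target.map((t) => resolveForRequire(t)).find(Boolean) || null;
  if (target && typeof target === 'object') {
    for (const [cond, value] of Object.entries(target)) {
      if (!['node', 'require', 'default'].includes(cond)) continue;
      const hit = resolveForRequire(value);
      if (hit) return hit;
    }
  }
  return null;
}

// Classify the entry point a CommonJS consumer would load: 'cjs', 'esm' or 'none'.
function formatForRequire(manifest) {
  let entry = manifest.main || 'index.js';
  const exp = manifest.exports;
  if (exp !== undefined) {
    const isSubpathMap = exp !== null && typeof exp === 'object' && !Array.isArray(exp) &&
      Object.keys(exp).some((k) => k.startsWith('.'));
    entry = resolveForRequire(isSubpathMap ? exp['.'] : exp);
  }
  if (entry === null) return 'none';
  if (entry.endsWith('.mjs')) return 'esm';
  if (entry.endsWith('.cjs')) return 'cjs';
  return manifest.type === 'module' ? 'esm' : 'cjs';
}

// List dependencies of a CommonJS project that expose no CommonJS entry point.
function findEsmOnlyDeps(project, installed) {
  if (project.type === 'module') return []; // ESM projects can import both formats
  const wanted = { ...project.dependencies, ...project.devDependencies };
  return Object.keys(wanted).sort()
    .filter((name) => installed[name] && formatForRequire(installed[name]) !== 'cjs');
}

// Constructed inputs: a CommonJS project and the manifests of its installed dependencies.
const project = { dependencies: { 'cjs-pkg': '^1.0.0', 'dual-pkg': '^3.0.0' },
  devDependencies: { 'esm-only-pkg': '^6.0.0', 'import-only-pkg': '^8.0.0' } };
const installed = {
  'cjs-pkg': { main: 'index.js' },
  'dual-pkg': { type: 'module', exports: { '.': { import: './dist/index.js', require: './dist/index.cjs' } } },
  'esm-only-pkg': { type: 'module', main: './index.js' },
  'import-only-pkg': { exports: { import: './lib/index.mjs' } },
};
console.log(findEsmOnlyDeps(project, installed));
```

Newer Node releases can load some ES modules through require(), so treat a hit as a prompt to run the test suite on the target runtime rather than as proof of failure.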
… APIs and resolve outdated pnpm lockfiles
…o syntax-aware CJS/ESM ESLint flat config (eslint.config.js) and scrub obsolete CLI flags
…problematic moduleResolution settings, and untrack agent scratch directory
Changes Made (Repository-Wide Overview)
- `package.json` dependency blocks to their absolute latest compatible packages using `npm-check-updates` and clean package installations.
- `"engines": { "node": "24" }` across all codebases repository-wide.
- `package-lock.json` files for every sample folder to ensure repeatable CI/CD builds.
- `mocha`, `chai`, and `sinon` development dependencies from quickstarts that had no active test files.

Security summary
Remaining Vulnerable Dependencies (Notable Transitive Graph Packages):
- `uuid` -> Base package: `firebase-admin` (via `@google-cloud/storage` / `google-gax` -> `gaxios` / `teeny-request`)
- `@grpc/grpc-js` -> Base package: `firebase-functions` (via `@google-cloud/functions-framework`)
- `protobufjs` -> Base package: `firebase-functions` (via `@google-cloud/eventarc`)
- `flatted` -> Base package: `vite` (via `rollup` in client app)

Per-Sample Audit & Test Breakdown
For all functional trigger samples without custom test files, our Automated Emulator Test Strategy consisted of executing an automated functional trigger verification command (`firebase emulators:exec 'node -e "process.exit(0)"'`) against the official Firebase Local Emulator Suite. This proves that the Firebase functions runtime successfully discovers, parses, and initializes all exported triggers without runtime transformation errors or module loading failures.

- Node-1st-gen/assistant-say-number/functions: `emulators:exec`
- Node-1st-gen/authenticated-json-api/functions: `emulators:exec`
- Node-1st-gen/authorized-https-endpoint/functions: `emulators:exec`
- Node-1st-gen/bigquery-import/functions: `emulators:exec`
- Node-1st-gen/child-count/functions: `emulators:exec`
- Node-1st-gen/convert-images/functions: `emulators:exec`
- Node-1st-gen/coupon-on-purchase/functions: `emulators:exec`
- Node-1st-gen/delete-old-child-nodes/functions: `emulators:exec`
- Node-1st-gen/delete-unused-accounts-cron/functions: `emulators:exec`
- Node-1st-gen/developer-motivator/functions: `emulators:exec`
- Node-1st-gen/email-confirmation/functions: `emulators:exec`
- Node-1st-gen/exif-images/functions: `emulators:exec`
- Node-1st-gen/fcm-notifications/functions: `emulators:exec`
- Node-1st-gen/ffmpeg-convert-audio/functions: `emulators:exec`
- Node-1st-gen/fulltext-search-firestore/functions: `emulators:exec`
- Node-1st-gen/fulltext-search/functions: `emulators:exec`
- Node-1st-gen/github-to-slack/functions: `emulators:exec`
- Node-1st-gen/google-sheet-sync/functions: `emulators:exec`
- Node-1st-gen/image-maker/functions: `emulators:exec`
- Node-1st-gen/instagram-auth/functions: `emulators:exec`
- Node-1st-gen/lastmodified-tracking/functions: `emulators:exec`
- Node-1st-gen/limit-children/functions: `emulators:exec`
- Node-1st-gen/linkedin-auth/functions: `emulators:exec`
- Node-1st-gen/message-translation/functions: `emulators:exec`
- Node-1st-gen/minimal-webhook/functions: `emulators:exec`
- Node-1st-gen/moderate-images/functions: `emulators:exec`
- Node-1st-gen/okta-auth/functions: `emulators:exec`
- Node-1st-gen/paypal/functions: `emulators:exec`
- Node-1st-gen/presence-firestore/functions: `emulators:exec`
- Node-1st-gen/publish-model/functions: `emulators:exec`
- Node-1st-gen/quickstarts/auth-blocking-functions/functions: `emulators:exec`
- Node-1st-gen/quickstarts/big-ben/functions: `emulators:exec`
- Node-1st-gen/quickstarts/email-users/functions: `emulators:exec`
- Node-1st-gen/quickstarts/https-time-server/functions: `emulators:exec`
- Node-1st-gen/quickstarts/multicodebase-hellos/js: `emulators:exec`
- Node-1st-gen/quickstarts/multicodebase-hellos/ts: `emulators:exec`
- Node-1st-gen/quickstarts/pubsub-helloworld/functions: `emulators:exec`
- Node-1st-gen/quickstarts/runtime-options/functions: `emulators:exec`
- Node-1st-gen/quickstarts/taskqueues-backup-images/functions: `emulators:exec`
- Node-1st-gen/quickstarts/testlab-matrix-completed/functions: `emulators:exec`
- Node-1st-gen/quickstarts/thumbnails/functions: `emulators:exec`
- Node-1st-gen/quickstarts/uppercase-firestore/functions: `emulators:exec`
- Node-1st-gen/quickstarts/uppercase-rtdb/functions: `npm test` inside the official Firebase Local Emulator Suite, verifying trigger initialization, HTTP callbacks, and DB/Storage events.
- Node-1st-gen/remote-config-diff/functions: `emulators:exec`
- Node-1st-gen/spotify-auth/functions: `emulators:exec`
- Node-1st-gen/stripe/functions: `emulators:exec`
- Node-1st-gen/survey-app-update/functions: `emulators:exec`
- Node-1st-gen/template-handlebars/functions: `emulators:exec`
- Node-1st-gen/testlab-to-slack/functions: `emulators:exec`
- Node-1st-gen/text-moderation/functions: `emulators:exec`
- Node-1st-gen/url-shortener/functions: `emulators:exec`
- Node-1st-gen/username-password-auth/functions: `emulators:exec`
- Node-1st-gen/vision-annotate-images/functions: `emulators:exec`
- Node-1st-gen/youtube/functions: `emulators:exec`
- Node/alerts-to-discord/functions: `emulators:exec`
- Node/app-distribution-feedback-to-jira/functions: `emulators:exec`
- Node/call-vertex-remote-config-server/client: `npm run build` -> `vite build`, validating clean TypeScript compilation and zero module externalization runtime errors.
- Node/call-vertex-remote-config-server/functions: `emulators:exec`
- Node/delete-unused-accounts-cron/functions: `emulators:exec`
- Node/fcm-notifications/functions: `emulators:exec`
- Node/instrument-with-opentelemetry/functions: `emulators:exec`
- Node/quickstarts/auth-blocking-functions/functions: `emulators:exec`
- Node/quickstarts/callable-functions-streaming/functions: `emulators:exec`
- Node/quickstarts/callable-functions/functions: `emulators:exec`
- Node/quickstarts/custom-events/functions: `emulators:exec`
- Node/quickstarts/firestore-sync-auth/functions: `emulators:exec`
- Node/quickstarts/genkit-helloworld/functions: `emulators:exec`
- Node/quickstarts/https-time-server/functions: `emulators:exec`
- Node/quickstarts/monitor-cloud-logging/functions: `emulators:exec`
- Node/quickstarts/pubsub-helloworld/functions: `emulators:exec`
- Node/quickstarts/testlab-matrix-completed/functions: `emulators:exec`
- Node/quickstarts/thumbnails/functions: `emulators:exec`
- Node/quickstarts/uppercase-firestore/functions: `emulators:exec`
- Node/quickstarts/uppercase-rtdb/functions: `npm test` inside the official Firebase Local Emulator Suite, verifying trigger initialization, HTTP callbacks, and DB/Storage events.
- Node/remote-config-diff/functions: `emulators:exec`
- Node/remote-config-server-with-vertex/functions: `emulators:exec`
- Node/taskqueues-backup-images/functions: `emulators:exec`
- Node/test-functions-jest-ts/functions: `npm test` inside the official Firebase Local Emulator Suite, verifying trigger initialization, HTTP callbacks, and DB/Storage events.
- Node/test-functions-jest/functions: `npm test` inside the official Firebase Local Emulator Suite, verifying trigger initialization, HTTP callbacks, and DB/Storage events.
- Node/test-functions-mocha/functions: `npm test` inside the official Firebase Local Emulator Suite, verifying trigger initialization, HTTP callbacks, and DB/Storage events.
- Node/testlab-to-slack/functions: `emulators:exec`
- Node/youtube/functions: `emulators:exec`