Replace Unmaintained Bitly Client with Native fetch in url-shortener #1293
inlined wants to merge 2 commits into
Wiz Scan Summary
Code Review
This pull request replaces the external bitly library with a native fetch implementation to shorten URLs, while also updating project dependencies and upgrading the Node.js engine to version 22. The review feedback recommends adding a type check to verify that the retrieved database value is a string before calling the Bitly API, preventing potential runtime failures if non-string data is written to the database.
| const originalUrl = snap.val(); | ||
| const response = await bitly.shorten(originalUrl); | ||
| // @ts-ignore | ||
| const shortUrl = response.url; | ||
| const shortUrl = await shortenBitly(originalUrl, bitlyAccessToken.value()); |
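Review bot: `shortUrl` is consumed here with no visible check that the request succeeded; since this hunk swaps the library's `bitly.shorten` for `shortenBitly(originalUrl, bitlyAccessToken.value())`, make sure the new helper checks `response.ok` before reading the body and rejects otherwise, so a 4xx from an invalid or revoked token surfaces as a function error instead of an `undefined` short URL being written back. Dropping the `// @ts-ignore` is the right call; giving `shortenBitly` an explicit `Promise<string>` return type keeps that type checking at the call site.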
The database trigger onCreate fires whenever any data is created at /links/{linkID}. Since Firebase Realtime Database is schemaless, a client or administrator could write a non-string value (such as an object or a number) to this path. If originalUrl is not a string, passing it to shortenBitly will result in an invalid API request and cause the function to fail. Adding a type check ensures the function handles unexpected data structures gracefully.
```js
const originalUrl = snap.val();
// The database is schemaless: refuse anything that is not a string before calling the API.
if (typeof originalUrl !== 'string') {
  functions.logger.error('Expected a string URL, but received:', originalUrl);
  return null;
}
const shortUrl = await shortenBitly(originalUrl, bitlyAccessToken.value());
```
1. Original CVEs
Could not be calculated (The baseline audit execution failed completely due to broken legacy package tarballs/resolutions in the original un-updated state).
2. CVEs Fixed
Unknown (Due to missing baseline execution files).
3. CVEs Introduced
None (Mathematically calculated introduced GHSAs in the baseline comparison are false positives due to baseline failure).
4. CVEs Remaining
GHSA-w5hq-g745-h8pq (zero vulnerable Bitly packages remain).
Remaining vulnerable transitive dependencies:
uuid -> base package: firebase-admin (via @google-cloud/storage -> gaxios/teeny-request)
5. Changes Made
Removed the bitly npm module entirely.
Updated index.js to execute native Node.js fetch() requests directly against the modern Bitly API v4.
6. Automated Test Strategy
Executed an automated functional trigger initialization script (firebase emulators:exec 'node -e "process.exit(0)"') against the official Firebase Local Emulator Suite. This proves that the Firebase functions runtime successfully discovers, parses, and initializes the exported URL shortener Realtime Database trigger (onCreate) without runtime syntax errors or module loading exceptions.
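As an added example, not code from this PR or the project's own `shortenBitly`, the following shows what the native-fetch replacement described in "Changes Made" looks like when it also carries the string type guard the review comment asked for. It assumes the Bitly v4 endpoint `https://api-ssl.bitly.com/v4/shorten` with a `{ long_url }` request body and a `{ link }` JSON reply, an injectable `fetchImpl` so it runs offline against the constructed fake at the bottom, a `handleLinkCreate` function standing in for the `onCreate` trigger body, and `TOKEN_PLACEHOLDER` as a stand-in for the real access token.

```javascript
// Added example (not the PR's code). Bitly v4 request/response shape is assumed.
const BITLY_SHORTEN_URL = 'https://api-ssl.bitly.com/v4/shorten';

// Accept only absolute http(s) URL strings: rejects objects, numbers and non-web schemes.
function isHttpUrl(value) {
  if (typeof value !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// fetch-based shortener: validates inputs, bounds the call, rejects on non-2xx or a malformed reply.
async function shortenBitly(longUrl, accessToken, { fetchImpl = globalThis.fetch, timeoutMs = 5000 } = {}) {
  if (!isHttpUrl(longUrl)) {
    throw new TypeError(`Expected an http(s) URL string, received ${typeof longUrl}`);
  }
  if (typeof accessToken !== 'string' || accessToken.length === 0) {
    throw new Error('Bitly access token is not configured');
  }
  // Bound the outbound call so a stalled upstream cannot pin the function until its own timeout.
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const response = await fetchImpl(BITLY_SHORTEN_URL, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${accessToken}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ long_url: longUrl }),
      signal: controller.signal,
    });
    if (!response.ok) {
      // Surface the status only; the body may describe the account and must not leak into logs.
      throw new Error(`Bitly API returned HTTP ${response.status}`);
    }
    const data = await response.json();
    if (!data || typeof data.link !== 'string') {
      throw new Error('Bitly response did not contain a string "link" field');
    }
    return data.link;
  } finally {
    clearTimeout(timer);
  }
}

// Mirrors the onCreate trigger body: bail out on non-string data before any network call.
async function handleLinkCreate(rawValue, accessToken, options) {
  if (typeof rawValue !== 'string') {
    // The real function uses functions.logger.error; console.error keeps this example dependency-free.
    console.error('Expected a string URL, but received:', typeof rawValue);
    return null;
  }
  return shortenBitly(rawValue, accessToken, options);
}

// Constructed fake of the Bitly endpoint: records requests and answers with a canned status/body.
function makeFakeFetch(status, body, requests = []) {
  const fetchImpl = async (url, init) => {
    requests.push({ url, init });
    return { ok: status >= 200 && status < 300, status, json: async () => body };
  };
  return { fetchImpl, requests };
}

// Exercises the three paths a trigger sees: a valid string, a non-string value, and a rejected token.
async function demo() {
  const ok = makeFakeFetch(200, { link: 'https://bit.ly/constructed1' });
  const shortUrl = await handleLinkCreate('https://example.com/some/long/path', 'TOKEN_PLACEHOLDER', { fetchImpl: ok.fetchImpl });
  const skipped = await handleLinkCreate({ url: 'https://example.com' }, 'TOKEN_PLACEHOLDER', { fetchImpl: ok.fetchImpl });
  let authError = null;
  try {
    const denied = makeFakeFetch(403, { message: 'FORBIDDEN' });
    await handleLinkCreate('https://example.com', 'TOKEN_PLACEHOLDER', { fetchImpl: denied.fetchImpl });
  } catch (err) {
    authError = err.message;
  }
  return {
    shortUrl,
    skipped,
    requestCount: ok.requests.length,
    requestBody: ok.requests[0].init.body,
    authError,
  };
}

demo().then((result) => console.log(result));
```

The guard runs before any network call, so a non-string value at `/links/{linkID}` costs no Bitly quota and no token exposure; the `response.ok` check is what turns a revoked token into a visible function error rather than a silent `undefined` write.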