Bumpsnode-forge to 1.3.2 and updates ancestor dependencyfirebase-admin. These dependencies need to be updated together.
Updatesnode-forge from 0.7.4 to 1.3.2
Changelog
Sourced fromnode-forge's changelog.
1.3.2 - 2025-11-25
Security
- HIGH: ASN.1 Validator Desynchronization
- An Interpretation Conflict (CWE-436) vulnerability in node-forge versions1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1structures to desynchronize schema validations, yielding a semanticdivergence that may bypass downstream cryptographic verifications andsecurity decisions.
- Reported by Hunter Wodzenski.
- CVE ID:CVE-2025-12816
- GHSA ID:GHSA-5gfm-wpxj-wjgq
- HIGH: ASN.1 Unbounded Recursion
- An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions1.3.1 and below enables remote, unauthenticated attackers to craft deepASN.1 structures that trigger unbounded recursive parsing. This leads to aDenial-of-Service (DoS) via stack exhaustion when parsing untrusted DERinputs.
- Reported by Hunter Wodzenski.
- CVE ID:CVE-2025-66031
- GHSA ID:GHSA-554w-wpv2-vw27
- MODERATE: ASN.1 OID Integer Truncation
- An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1and below enables remote, unauthenticated attackers to craft ASN.1structures containing OIDs with oversized arcs. These arcs may be decodedas smaller, trusted OIDs due to 32-bit bitwise truncation, enabling thebypass of downstream OID-based security decisions.
- Reported by Hunter Wodzenski.
- CVE ID:CVE-2025-66030
- GHSA ID:GHSA-65ch-62r8-g69g
Fixed
- [asn1] Fix for vulnerability identified byCVE-2025-12816 PKCS#12 MACverification bypass due to missing macData enforcement and improperasn1.validate routine.
- [asn1] Add
fromDer() max recursion depth check.- Add a
asn1.maxDepth global configurable maximum depth of 256. - Add a
asn1.fromDer() per-callmaxDepth option. - NOTE: The default maximum is assumed to be higher than needed for validdata. If this assumption is false then this could be a breaking change.Please file an issue if there are use cases that need a higher maximum.
- NOTE: The per-call
maxDepth parameter has not been exposed up throughall of the API stack due to the complexities involved. Please file an issueif there are use cases that require this instead of changing the defaultmaximum.
- [asn1] Improve OID handling.
- Error on parsed OID values larger than
2**32 - 1. - Error on DER OID values larger than
2**53 - 1.
1.3.1 - 2022-03-29
... (truncated)
Commits
Updatesfirebase-admin from 5.10.0 to 13.6.0
Release notes
Sourced fromfirebase-admin's releases.
Firebase Admin Node.js SDK v13.6.0
New Features
- feat(dc): Add executeQuery and executeMutation APIs to Data Connect (#2979)
Miscellaneous
- [chore] Release 13.6.0 (#3006)
- build(deps-dev): bump gulp from 5.0.0 to 5.0.1 (#3001)
- build(deps): bump
@firebase/database-compat from 2.0.6 to 2.1.0 (#3002) - build(deps): bump
@fastify/busboy from 3.1.1 to 3.2.0 (#2998) - build(deps-dev): bump
@firebase/api-documenter from 0.4.0 to 0.5.0 (#3000) - build(deps): bump axios in /.github/actions/send-email (#2983)
- chore(dc): Implement gen tracking (#2985)
- FDC: update api version, integration tests, and CONTRIBUTING.md (#2972)
- chore: update copyright headers from Google Inc. to Google LLC (#2974)
Firebase Admin Node.js SDK v13.5.0
New Features
- feat: initializeApp idempotency (#2947)
- feat(fcm): Support
apns.live_activity_token field in FCMApnsConfig (#2891)
Miscellaneous
- [chore] Release 13.5.0 (#2969)
- chore: Upgrade
@firebase/auth-compat and@firebase/auth-types (#2964) - build(deps): bump uuid from 11.0.3 to 11.1.0 (#2946)
- build(deps-dev): bump
@types/request from 2.48.12 to 2.48.13 (#2959) - build(deps): bump form-data in /.github/actions/send-email (#2951)
- chore: Fix strip-only mode issues in Node.js 22.18 (#2958)
- build(deps-dev): bump
@microsoft/api-extractor from 7.52.7 to 7.52.10 (#2955) - build(deps-dev): bump
@types/lodash from 4.17.15 to 4.17.18 (#2942) - build(deps): bump undici in /.github/actions/send-email (#2922)
Firebase Admin Node.js SDK v13.4.0
New Features
- feat(fdc): Data Connect Bulk Import (#2905)
Miscellaneous
- [chore] Release 13.4.0 (#2917)
- chore(fdc): remove tags from Data Connect APIs (#2918)
- build(deps): bump
@firebase/database-compat from 2.0.3 to 2.0.5 (#2901) - build(deps-dev): bump
@microsoft/api-extractor from 7.52.1 to 7.52.7 (#2912)
... (truncated)
Commits
2e2b36a [chore] Release 13.6.0 (#3006)ad7a4f3 build(deps-dev): bump gulp from 5.0.0 to 5.0.1 (#3001)48c8ca6 build(deps): bump@firebase/database-compat from 2.0.6 to 2.1.0 (#3002)c9a3ee3 feat(dc): Add executeQuery and executeMutation APIs to Data Connect (#2979)27c682a build(deps): bump@fastify/busboy from 3.1.1 to 3.2.0 (#2998)175ca9e build(deps-dev): bump@firebase/api-documenter from 0.4.0 to 0.5.0 (#3000)8c9895e build(deps): bump axios in /.github/actions/send-email (#2983)e72c0cd chore(dc): Implement gen tracking (#2985)40325df FDC: update api version, integration tests, and CONTRIBUTING.md (#2972)3442251 chore: update copyright headers from Google Inc. to Google LLC (#2974)- Additional commits viewable incompare view
Maintainer changes
This version was pushed to npm bygoogle-wombot, a new releaser for firebase-admin since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting@dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR@dependabot recreate will recreate this PR, overwriting any edits that have been made to it@dependabot merge will merge this PR after your CI passes on it@dependabot squash and merge will squash and merge this PR after your CI passes on it@dependabot cancel merge will cancel a previously requested merge and block automerging@dependabot reopen will reopen this PR if it is closed@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from theSecurity Alerts page.
Bumpsnode-forge to 1.3.2 and updates ancestor dependencyfirebase-admin. These dependencies need to be updated together.
Updates
node-forgefrom 0.7.4 to 1.3.2Changelog
Sourced fromnode-forge's changelog.
... (truncated)
Commits
235ad3eRelease 1.3.2.2598244Update changelog.0032dd0Fix typos.d75e08dRun new security test.a5ce91dUpdate changelog formatting.4652de6Cleanups.eb932d9Fix typo.db6954bFix style.afbf7d8Align error message style.6607445Revert minor changes.Updates
firebase-adminfrom 5.10.0 to 13.6.0Release notes
Sourced fromfirebase-admin's releases.
... (truncated)
Commits
2e2b36a[chore] Release 13.6.0 (#3006)ad7a4f3build(deps-dev): bump gulp from 5.0.0 to 5.0.1 (#3001)48c8ca6build(deps): bump@firebase/database-compatfrom 2.0.6 to 2.1.0 (#3002)c9a3ee3feat(dc): Add executeQuery and executeMutation APIs to Data Connect (#2979)27c682abuild(deps): bump@fastify/busboyfrom 3.1.1 to 3.2.0 (#2998)175ca9ebuild(deps-dev): bump@firebase/api-documenterfrom 0.4.0 to 0.5.0 (#3000)8c9895ebuild(deps): bump axios in /.github/actions/send-email (#2983)e72c0cdchore(dc): Implement gen tracking (#2985)40325dfFDC: update api version, integration tests, and CONTRIBUTING.md (#2972)3442251chore: update copyright headers from Google Inc. to Google LLC (#2974)Maintainer changes
This version was pushed to npm bygoogle-wombot, a new releaser for firebase-admin since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from theSecurity Alerts page.