chore(deps): bump jsonwebtoken and firebase-admin in /functions #177

Merged: ruhdevops merged 2 commits into main from dependabot/npm_and_yarn/functions/multi-4b11074a43 on May 10, 2026

dependabot Bot commented on behalf of github May 10, 2026

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps jsonwebtoken to 9.0.3 and updates ancestor dependency firebase-admin. These dependencies need to be updated together.

Updates jsonwebtoken from 8.5.1 to 9.0.3

Changelog

Sourced from jsonwebtoken's changelog.

9.0.3 - 2025-12-04

  • updates jws version to 4.0.1.

9.0.2 - 2023-08-30

  • security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
  • refactor: reduce library size by using lodash specific dependencies, closes #878.

9.0.1 - 2023-07-05

  • fix(stubs): allow decode method to be stubbed

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

  • Removed support for Node versions 11 and below.
  • The verify() function no longer accepts unsigned tokens by default. (auth0/node-jsonwebtoken@8345030)
  • RSA key size must be 2048 bits or greater. (auth0/node-jsonwebtoken@ecdf6cc)
  • Key types must be valid for the signing / verification algorithm

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.


Updates firebase-admin from 10.3.0 to 13.9.0

Release notes

Sourced from firebase-admin's releases.

Firebase Admin Node.js SDK v13.9.0

New Features

  • feat(remote-config): add optional exposurePercent field to ExperimentValue (#3096)

Miscellaneous

  • [chore] Release 13.9.0 (#3129)
  • chore: Deprecate support for Node.js 20 (#3128)
  • build(deps-dev): bump @typescript-eslint/parser from 8.57.2 to 8.59.1 (#3114)
  • build(deps): bump follow-redirects in /.github/actions/send-email (#3113)
  • build(deps): bump protobufjs from 7.5.4 to 7.5.5 (#3119)
  • build(deps): bump uuid and @actions/core in /.github/actions/send-email (#3120)
  • build(deps): bump axios in /.github/actions/send-email (#3123)
  • build(deps): bump fast-xml-parser from 5.5.9 to 5.7.1 (#3122)

Firebase Admin Node.js SDK v13.8.0

New Features

  • feat(pnv): Add support for Phone Number Verification (#3101)
  • feat(fcm): Add bandwidthConstrainedOk and restrictedSatelliteOk (#2994)

Miscellaneous

  • [chore] Release 13.8.0 (#3109)
  • chore(deps): bump node-forge to 1.4.0 (#3108)
  • build(deps-dev): bump @types/node from 25.3.0 to 25.3.3 (#3090)
  • build(deps-dev): bump lodash and @microsoft/api-extractor (#3106)
  • build(deps): bump fast-xml-parser from 5.5.6 to 5.5.7 (#3095)
  • build(deps): bump fast-xml-parser from 5.4.1 to 5.5.6 (#3093)
  • build(deps): bump fast-xml-parser from 5.3.7 to 5.4.1 (#3087)

Firebase Admin Node.js SDK v13.7.0

New Features

  • feat(rc): Support Rollout, Personalization, and Experiment values (#3046)

Bug Fixes

  • fix: upgrade @google-cloud/storage@7.19.0 (#3071)

Miscellaneous

  • [chore] Release 13.7.0 (#3081)
  • build(deps-dev): bump @types/lodash from 4.17.18 to 4.17.24 (#3083)
  • build(deps-dev): bump @typescript-eslint/eslint-plugin (#3086)
  • build(deps): bump node-forge from 1.3.2 to 1.3.3 (#3085)

... (truncated)

Commits
  • 0efb21f [chore] Release 13.9.0 (#3129)
  • 363a302 chore: Deprecate support for Node.js 20 (#3128)
  • b28b921 build(deps-dev): bump @typescript-eslint/parser from 8.57.2 to 8.59.1 (#3114)
  • 5933705 build(deps): bump follow-redirects in /.github/actions/send-email (#3113)
  • ce3b9e0 build(deps): bump protobufjs from 7.5.4 to 7.5.5 (#3119)
  • e891a3c build(deps): bump uuid and @actions/core in /.github/actions/send-email (#3120)
  • 92003fc feat(remote-config): add optional exposurePercent field to ExperimentValue (#...
  • 8b9b7a7 build(deps): bump axios in /.github/actions/send-email (#3123)
  • e310a72 build(deps): bump fast-xml-parser from 5.5.9 to 5.7.1 (#3122)
  • ff4c94d [chore] Release 13.8.0 (#3109)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) to 9.0.3 and updates ancestor dependency [firebase-admin](https://github.com/firebase/firebase-admin-node). These dependencies need to be updated together.


Updates `jsonwebtoken` from 8.5.1 to 9.0.3
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.3)

Updates `firebase-admin` from 10.3.0 to 13.9.0
- [Release notes](https://github.com/firebase/firebase-admin-node/releases)
- [Changelog](https://github.com/firebase/firebase-admin-node/blob/main/CHANGELOG.md)
- [Commits](firebase/firebase-admin-node@v10.3.0...v13.9.0)

---
updated-dependencies:
- dependency-name: jsonwebtoken
  dependency-version: 9.0.3
  dependency-type: indirect
- dependency-name: firebase-admin
  dependency-version: 13.9.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and javascript labels May 10, 2026

vercel Bot commented May 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
yt-studio Error Error May 10, 2026 8:46am
yt-studio-production Error Error May 10, 2026 8:46am


cloudflare-workers-and-pages Bot commented May 10, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ❌ Deployment failed (View logs) | ytstudio | e3001b2 | May 10 2026, 08:46 AM |

dependabot Bot commented on behalf of github May 10, 2026

Dependabot can't parse your package-lock.json. Because of this, Dependabot cannot update this pull request.

ruhdevops self-assigned this May 10, 2026
ruhdevops merged commit 14e5d3f into main May 10, 2026
3 of 14 checks passed