Medium Severity Vulnerability on node-fetch-2.6.1.tgz

[biswajit-ibm]

Vulnerable Library - node-fetch-2.6.1.tgz
A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

firebase-admin-10.0.2.tgz (Root Library)
storage-5.3.0.tgz
gaxios-3.2.0.tgz
❌ node-fetch-2.6.1.tgz (Vulnerable Library)

Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[lahirumaramba]

The Admin SDK has no direct dependencies to node-fetch. I think node-fetch is a transient dependency of @google-cloud/storage. Please update your @google-cloud/storage module to 5.18.3. #1625 also updates the package.json and will be included in the next release. Thanks!

[biswajit-ibm]

We are not using @google-cloud/storage in our package.json. Can you provide me an estimate date of next release so I can cross check then?