Closed
Description
[READ] Step 1: Are you in the right place?
Yes
[REQUIRED] Step 2: Describe your environment
N/A
[REQUIRED] Step 3: Describe the problem
Steps to reproduce:
I see that the lockfile has @google-cloud/firestore set as ^6.7.0 which patches the below issue, however in the package.json file the optional dependency is set to ^6.6.0. Can we bump that up to match the lockfile in the package.json file so that all users of this dependency have the correct firestore version without forcing a patch?
"@google-cloud/firestore": "^6.6.0",
For reference, anyone using this package currently has a Dependabot advisory for word-wrap, which downstream is used by this project.
word-wrap vulnerable to Regular Expression Denial of Service.
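
One way to check a manifest for the mismatch described above, as an added example that is not part of the issue or the project's own code: it flags any dependency whose declared range still admits versions older than the one carrying a fix. The 6.7.0 threshold is the version the issue names; the function names and the restriction to plain `^x.y.z`, `~x.y.z` and exact specs are assumptions of this sketch.

```javascript
// Added example: flag ranges whose lowest allowed version predates a fix.
// Assumption: specs are plain "^x.y.z", "~x.y.z" or exact "x.y.z".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// For ^, ~ and exact specs the lowest version that satisfies the range
// is the version written in the spec itself.
function rangeFloor(spec) {
  return parseVersion(spec.replace(/^[\^~]/, ''));
}

// pkg: parsed package.json; minFixed: { packageName: first fixed version }
function findStaleFloors(pkg, minFixed) {
  const findings = [];
  for (const section of ['dependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!(name in minFixed)) continue;
      if (compare(rangeFloor(spec), parseVersion(minFixed[name])) < 0) {
        findings.push({ name, section, spec, suggested: `^${minFixed[name]}` });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the manifest line quoted in the issue.
const samplePkg = {
  optionalDependencies: { '@google-cloud/firestore': '^6.6.0' },
};
const minFixed = { '@google-cloud/firestore': '6.7.0' };

console.log(findStaleFloors(samplePkg, minFixed));
```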