deps(deps): bump qs, express, firebase-tools and @firebase/rules-unit-testing

[dependabot]

Bumps qs to 6.14.2 and updates ancestor dependencies qs, express, firebase-tools and @firebase/rules-unit-testing. These dependencies need to be updated together.

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates express from 4.21.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

Commits

• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• Additional commits viewable in compare view

Updates firebase-tools from 9.23.3 to 15.8.0

Release notes

Sourced from firebase-tools's releases.

v15.8.0

• Corrects issue with updateService in runv2.ts (#9918)
• Updated suite of MCP tools for Firestore to include many new tools. Firestore tools no longer support emulator mode.
• Updated the Firebase Data Connect local toolkit to v3.2.0, which includes the following changes: (#9975)
  • Support for uuidV7()
  • Support for custom PostgreSQL schema names.

v15.7.0

• Updated Python Functions template to use firebase_functions v0.5.x
• Update the Firebase Data Connect local toolkit to v3.1.4, which includes the following changes: (#9944)
  • Add support for @searchable on varchar fields.
  • Fix a runtime error when using aggregations with nested reference fields.
  • Update the Golang dependency version from v1.24.12 to v1.24.13.
• Added Developer Knowledge MCP tools which can search Google doumentation to help agents answer questions.

v15.6.0

• Added support for enabling Firebase Authentication providers via firebase deploy. You can configure providers in firebase.json like so:

{
  "auth": {
    "providers": {
      "anonymous": true,
      "emailPassword": true,
      "googleSignIn": {
        "oAuthBrandDisplayName": "My App",
        "supportEmail": "support@myapp.com"
      }
    }
  }
}

• Added initial zip deploy support in functions deploy for HTTP functions (#9707)
• Fixes an issue where Python was missing from the firebase-tools Docker image (#9855).
• Fixes billing information check to use user's project quota (#9879).
• Updated the Firebase Data Connect local toolkit to v3.1.2, which contains the following changes: (#9882)
  • Improved insecure operation warning messages and reduced the severity of existing insecure operation warnings to LOG_ONLY.
  • Updated the Golang dependency version from 1.24.4 to 1.24.12.
• Fixes issue where auth emulator multi-tenant mode exports/imports only users tied to the default tenant (#5623)
• Updated Pub/Sub emulator to version 0.8.27.
• Updated the Data Connect emulator to v3.1.3, which enables the native SQL feature.

v15.5.1

• Fixes issues with calls to serviceusage (#9844)

v15.5.0

• Added firebase dataconnect:compile command.
• Loads experiments earlier in CLI startup so they can be used earlier. (#9797)
• Fixed issue where AuthBlockingEvent had invalid format for metadata.creationTime and metadata.lastSignInTime. (#8109)

... (truncated)

Commits

• ec50959 15.8.0
• 0dd56f7 Update FDC local toolkit to v3.2.0 (#9975)
• e4937af Add a firebase studio export command under an experiment flag. (#9964)
• aad903c Modifies updateService related to functions deployment (#9918)
• d459404 vscode 2.1.2 (#9959)
• 9dd6032 Firestore OneMCP proxy (#9957)
• a77e2f6 [firebase-release] Removed change log and reset repo after 15.7.0 release
• e3b7a90 15.7.0
• 3acda5e update the firebase_functions version (#9940)
• c526697 Developer Knowledge OneMCP proxy (#9921)
• Additional commits viewable in compare view

Updates @firebase/rules-unit-testing from 1.3.16 to 5.0.0

Release notes

Sourced from @​firebase/rules-unit-testing's releases.

4.5.2

Fixes

• Fixed a regression where the react-native property was missing from the firebase package.json
• Fixed a regression where the value of firebase.SDK_VERSION wasn't properly being populated.

4.5.1

Features

Shipped individual modules for the following packages:

• @firebase/app
• @firebase/auth
• @firebase/database
• @firebase/firestore
• @firebase/messaging
• @firebase/polyfill
• @firebase/storage
• @firebase/util

4.5.0

Features

• Added support for Cloud Firestore. For more information, see the following resources:
  • Blog post
  • Web getting started guide
  • Reference Documentation

4.4.0

Features

• Released multi-resource support for database #159

Fixes

• Fixed issue with null initialization in externs #160

4.3.0

Features

• Added client side localization for email actions (password reset, email verification, etc), phone authentication SMS messages, OAuth flows and reCAPTCHA verification.
• Added the ability to pass a continue URL/state when triggering a password reset/email verification which gives a user the ability to go back to the app after completion. In addition, added support for the ability to open these links directly from a mobile app instead of a web flow using Firebase Dynamic Links.

Fixes

• Fixed issue with IE10 auth state synchronization across tabs

4.2.0

Features

... (truncated)

Changelog

Sourced from @​firebase/rules-unit-testing's changelog.

5.0.0

Minor Changes

• 25b60fd #9128 - Update node "engines" version to a minimum of Node 20.

Patch Changes

• Updated dependencies [a4ccd25, 5200f7b, 6ab4e13, 91fa484, e59cd7d, cb19688, d91169f, ec5f374, 25b60fd]:
  • firebase@12.0.0

4.0.1

Patch Changes

• b80711925 #8604 - Upgrade to TypeScript 5.5.4

4.0.0

Patch Changes

• 479226bf3 #8475 - Remove ES5 bundles. The minimum required ES version is now ES2017.

• 479226bf3 #8475 - Removed dependency on undici and node-fetch in our node bundles, replacing them with the native fetch implementation.

• Updated dependencies [479226bf3, 479226bf3, b942e9e6e]:

  • firebase@11.0.0

3.0.4

Patch Changes

• d752e8096 #8298 - Upgrade firebase-admin to 11.11.1

3.0.3

Patch Changes

• ab883d016 #8237 - Bump all packages so staging works.

3.0.2

Patch Changes

• 0c5150106 #8079 - Update repository.url field in all package.json files to NPM's preferred format.

3.0.1

Patch Changes

... (truncated)

Commits

• 52c8579 Version Packages (#9165)
• 25b60fd chore!: update engines.node to minimum of 20 (#9128)
• 2f92a74 Update dependencies in packages and repo-scripts (#8729)
• ffbf5a6 Version Packages (#8635)
• e577a40 Upgrade to TypeScript 5 (#8561)
• a97ac88 Version Packages (#8581)
• 479226b Merge v11 Feature Branch (#8475)
• 14b7720 Merge branch 'release'
• 67ea4f7 Version Packages (#8369)
• 025f2a1 Spelling (#8280)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.