From 19b8991d9cdfa682a4462532e33d5c9c91ece690 Mon Sep 17 00:00:00 2001
From: Zach Leventer
Date: Fri, 24 Apr 2026 10:29:33 -0400
Subject: [PATCH] chore(deps): bump node-fetch in /functions from ^2.6.7 to ^2.6.13
2.6.7 has a known high-severity vulnerability: CVE-2022-0235 (exposure of sensitive information to an unauthorized actor via redirect to a non-HTTP URL such as file://, which can leak sensitive host data). Fixed in 2.6.8+. Staying on v2 because v3 is ESM-only and the functions package uses CommonJS.
---
 functions/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/functions/package.json b/functions/package.json
index 18f6bdd7..09e5b426 100644
--- a/functions/package.json
+++ b/functions/package.json
@@ -18,7 +18,7 @@
 "firebase-admin": "^8.10.0",
 "firebase-functions": "^3.13.2",
 "firebase-tools": "^9.10.0",
- "node-fetch": "^2.6.7"
+ "node-fetch": "^2.6.13"
 },
 "devDependencies": {
 "@types/cors": "^2.8.7",