Bump protobufjs, @google-cloud/firestore, firebase, firebase-admin and firebase-tools

[dependabot]

Bumps protobufjs to 7.6.0 and updates ancestor dependencies protobufjs, @google-cloud/firestore, firebase, firebase-admin and firebase-tools. These dependencies need to be updated together.

Updates protobufjs from 6.11.3 to 7.6.0

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.6.0

7.6.0 (2026-05-18)

Features

• Support BigInt conversions (7.x) (#2258) (f769242)

protobufjs: v7.5.9

7.5.9 (2026-05-17)

Bug Fixes

• Backport bundler-safe optional module lookups (#2254) (0853a62)

protobufjs: v7.5.8

7.5.8 (2026-05-12)

Bug Fixes

• Backport parser hardening to 7.x (#2245) (54b593f)

protobufjs: v7.5.7

7.5.7 (2026-05-09)

Bug Fixes

• Restore first-match namespace lookup (#2236) (cc7d595)

protobufjs: v7.5.6

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

v7.5.5

This release backports two reported security issues to 7.x branch.

• fix: do not allow setting __proto__ in Message constructor (#2126)
• fix: filter invalid characters from the type name (#2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

protobufjs: v7.5.4

7.5.4 (2025-08-15)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

7.6.0 (2026-05-18)

Features

• Support BigInt conversions (7.x) (#2258) (f769242)

7.5.9 (2026-05-17)

Bug Fixes

• Backport bundler-safe optional module lookups (#2254) (0853a62)

7.5.8 (2026-05-12)

Bug Fixes

• Backport parser hardening to 7.x (#2245) (54b593f)

7.5.7 (2026-05-09)

Bug Fixes

• Restore first-match namespace lookup (#2236) (cc7d595)

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

7.5.2 (2025-05-14)

... (truncated)

Commits

• e30c334 chore: release protobufjs-v7.x (#2260)
• f769242 feat: Support BigInt conversions (7.x) (#2258)
• ab3862d chore: release protobufjs-v7.x (#2255)
• 0853a62 fix: Backport bundler-safe optional module lookups (#2254)
• d7035f9 chore: release protobufjs-v7.x (#2248)
• 54b593f fix: Backport parser hardening to 7.x (#2245)
• e88fcea chore: release protobufjs-v7.x (#2239)
• cc7d595 fix: Restore first-match namespace lookup (#2236)
• 3abc9b5 chore: release protobufjs-v7.x (#2190)
• a0bf2df fix: Update CLI peer dependency (7.x) (#2189)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates @google-cloud/firestore from 6.4.3 to 7.11.6

Release notes

Sourced from @​google-cloud/firestore's releases.

speech: v7.3.1

7.3.1 (2026-05-01)

Bug Fixes

• Change the copyright year for files in the packages folder (#8109) (c1a03fe)
• Do not publish the protos to npm (#8079) (816216b)
• Revert "fix: Do not publish the protos to npm" (#8096) (ac0fbb6)

gaxios: v7.1.5

7.1.5 (2026-05-11)

Bug Fixes

• Bump all node submodules (#8178) (9fd76ef)

talent: v7.1.2

7.1.2 (2026-05-01)

Bug Fixes

• Change the copyright year for files in the packages folder (#8109) (c1a03fe)
• Do not publish the protos to npm (#8079) (816216b)
• Revert "fix: Do not publish the protos to npm" (#8096) (ac0fbb6)

security-private-ca: v7.0.2

7.0.2 (2026-05-01)

Bug Fixes

• Change the copyright year for files in the packages folder (#8109) (c1a03fe)
• Do not publish the protos to npm (#8079) (816216b)
• Revert "fix: Do not publish the protos to npm" (#8096) (ac0fbb6)

compute: v6.11.0

6.11.0 (2026-05-14)

Features

• [compute] Update Compute Engine v1beta API to revision 20260422 (#1192) (#8248) (33fbecc)

compute: v6.10.0

6.10.0 (2026-05-12)

... (truncated)

Changelog

Sourced from @​google-cloud/firestore's changelog.

7.11.6 (2025-09-26)

Bug Fixes

• Pool.ts: add even more logging (c508d1b)

7.11.5 (2025-09-22)

Bug Fixes

• Pool.ts: add more detailed logging for client garbage collection (#2420) (1bbca46)

7.11.4 (2025-09-16)

Bug Fixes

• Improve debug logging for the internal client pool. Added client IDs to debug log statements for client management. (99918f1)

7.11.3 (2025-07-09)

Bug Fixes

• Improve performance of the UTF-8 string comparison logic (#2380) (bc6a03e)

7.11.2 (2025-06-19)

Bug Fixes

• Firestore Client caching stub in bad state issue (#2365) (04ad0a4)

7.11.1 (2025-05-02)

Bug Fixes

• Aggregate query readtime bug (#2331) (9ac0394)
• Bump default deadline on CreateDatabase and RestoreDatabase to 2 minutes (#2274) (d559080)
• Close default BulkWriter upon terminate. (#2276) (1e714a8)
• Correctly escape field paths with multiple backslashes or backticks (#2259) (#2261) (7056ba7)
• Do not send page size with auto-paginate. Fixes warnings in listCollections and listDocuments. (#2336) (844b4ca)
• Finalize fixing typings for headers in generator (#2287) (c6c85b6)
• Prevent crashes if an inactive stream receives an error. (#2283) (f58fe79)
• Remove unused "long" dependency from firestore proto (#2324) (5937b93)
• Sort document reference by long type id (#2257) (3fd0de9)
• Sort strings in UTF-8 encoded byte order (#2275) (a2950e0)

... (truncated)

Commits

• See full diff in compare view

Updates firebase from 9.17.1 to 12.13.0

Release notes

Sourced from firebase's releases.

firebase@12.13.0

For more detailed release notes, see Firebase JavaScript SDK Release Notes.

What's Changed

@​firebase/ai@​2.12.0

Minor Changes

• ffa39f6 #9795 - Added LiveSession.resumeSession() to allow resuming a previous LiveSession. Also added contextWindowCompression feature.

• 86dc0db #9819 - Added support for ImageConfig (aspect ratio and size). Expanded FinishReason values to include all currently available values provided by the models.

• 345c5f6 #9458 - AI Logic : Feature : Added support for Grounding with Google Maps.

Patch Changes

• 8e384c9 #9883 - Updated dependencies.

• Updated dependencies [8e384c9]:

• @​firebase/app-check-interop-types@​0.3.4

• @​firebase/component@​0.7.3

• @​firebase/logger@​0.5.1

• @​firebase/util@​1.15.1

@​firebase/data-connect@​0.7.0

Minor Changes

• 714b41d #9905 - Hardened the Firebase SQL Connect streaming transport with intelligent reconnection, query de-duplication, and resume optimizations.

Patch Changes

• 8e384c9 #9883 - Updated dependencies.

• Updated dependencies [8e384c9]:

• @​firebase/auth-interop-types@​0.2.5

• @​firebase/component@​0.7.3

• @​firebase/logger@​0.5.1

• @​firebase/util@​1.15.1

firebase@12.13.0

Minor Changes

• ffa39f6 #9795 - Added LiveSession.resumeSession() to allow resuming a previous LiveSession. Also added contextWindowCompression feature.

• 714b41d #9905 - Hardened the Firebase SQL Connect streaming transport with intelligent reconnection, query de-duplication, and resume optimizations.

... (truncated)

Commits

• 1adfd64 Version Packages (#9923)
• 50d5b6a Merge main into release
• 714b41d feat(data-connect): add de-duplication, resume, and intelligent reconnection ...
• f80895f Merge main into release
• 330a387 chore: migrate test functions to v2 (#9910)
• 3b87134 build(deps): bump axios from 1.13.5 to 1.15.2 (#9860)
• 402b1f0 fix(firestore): Assertion ID: ca9 (pendingResponses less than 0) caused by ta...
• 86dc0db feat(ai): ImageConfig and FinishReasons (#9819)
• 62ae2e2 chore: Update picomatch and rollup-plugin-typescript2 (#9892)
• 96e81ff feat(firestore): Added search stage support for languageCode, offset, limit, ...
• Additional commits viewable in compare view

Updates firebase-admin from 11.5.0 to 13.10.0

Release notes

Sourced from firebase-admin's releases.

Firebase Admin Node.js SDK v13.10.0

New Features

• feat(appcheck): Add support for minting limited-use tokens and custom JTI (#3027)

Bug Fixes

• fix: Replace node-forge with native crypto for private key validation (#3051)

Miscellaneous

• [chore] Release 13.10.0 (#3146)
• add node prefix to crypto imports (#3144)
• chore: remove uuid dependency (#3130)
• build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 (#3134)
• build(deps): bump protobufjs from 7.5.5 to 7.5.8 (#3141)
• build(deps): bump fast-uri from 3.1.0 to 3.1.2 (#3135)

Firebase Admin Node.js SDK v13.9.0

New Features

• feat(remote-config): add optional exposurePercent field to ExperimentValue (#3096)

Miscellaneous

• [chore] Release 13.9.0 (#3129)
• chore: Deprecate support for Node.js 20 (#3128)
• build(deps-dev): bump @​typescript-eslint/parser from 8.57.2 to 8.59.1 (#3114)
• build(deps): bump follow-redirects in /.github/actions/send-email (#3113)
• build(deps): bump protobufjs from 7.5.4 to 7.5.5 (#3119)
• build(deps): bump uuid and @​actions/core in /.github/actions/send-email (#3120)
• build(deps): bump axios in /.github/actions/send-email (#3123)
• build(deps): bump fast-xml-parser from 5.5.9 to 5.7.1 (#3122)

Firebase Admin Node.js SDK v13.8.0

New Features

• feat(pnv): Add support for Phone Number Verification (#3101)
• feat(fcm): Add bandwidthConstrainedOk and restrictedSatelliteOk (#2994)

Miscellaneous

• [chore] Release 13.8.0 (#3109)
• chore(deps): bump node-forge to 1.4.0 (#3108)
• build(deps-dev): bump @​types/node from 25.3.0 to 25.3.3 (#3090)
• build(deps-dev): bump lodash and @​microsoft/api-extractor (#3106)
• build(deps): bump fast-xml-parser from 5.5.6 to 5.5.7 (#3095)

... (truncated)

Commits

• e0a2177 [chore] Release 13.10.0 (#3146)
• 67d6d82 add node prefix to crypto imports (#3144)
• 2c8d215 chore: remove uuid dependency (#3130)
• da2141a build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 (#3134)
• fcedf6b feat(appcheck): Add support for minting limited-use tokens and custom JTI (#3...
• 48d5212 build(deps): bump protobufjs from 7.5.5 to 7.5.8 (#3141)
• 16e6c33 fix: Replace node-forge with native crypto for private key validation (#3051)
• 6c81c7e build(deps): bump fast-uri from 3.1.0 to 3.1.2 (#3135)
• 0efb21f [chore] Release 13.9.0 (#3129)
• 363a302 chore: Deprecate support for Node.js 20 (#3128)
• Additional commits viewable in compare view

Updates firebase-tools from 11.24.0 to 15.18.0

Release notes

Sourced from firebase-tools's releases.

v15.18.0

• Updated Pub/Sub emulator to version 0.8.31
• Resolves undefined regions earlier, during the build to backend resolution phase (#10471)
• Updated the Firebase Data Connect local toolkit to v3.4.8, which includes the following changes:
  • Fixed an issue in Dart code generation where nullable BigInt was not handled correctly.
  • Added support for nested 1:Many relational batch inserts.
  • Updated the Golang dependency version to 1.25.10.
• Default timeout for Dart functions is now 60 seconds when not explicitly set (#10501)
• Support secret environment variables for Cloud Run functions (#10489)
• Set requiredProjectBindings in AI Logic services (#10503)

v15.17.0

• Added support for creating search indexes for Firestore. (#10431)
• Fixed an issue where some MCP tools would error with "Invalid input: expected record, received array". (#10437)
• Fixed an issue causing errors when multiple Firestore databases were configured in firebase.json (#8114)
• Updated the Firebase Data Connect local toolkit to v3.4.7, which includes the following changes: (#10461)
  • Fix emulator crash when using uuidv4() on operations.
  • Support for _Data input types as variables with @allow(fields, maxCount) to constraint the input JSON, enabling batch mutations in admin SDK. Client SDK support will come soon.
• Increase supported range for Next.js to version 16.0 (#9463)
• Updated Cloud Function default resource locations. This does not affect existing functions. (#10414)
• Added warning for cross-region event triggers (#10408)

v15.16.0

• Updated Firestore Emulator to v1.21.0, which adds support for subqueries and new stages like let(...), as well as allowing setting database-edition per-database.
• Suppressed the 'punycode' deprecation warning during firebase deploy on Node 22. (#10385)
• Fixed an issue where hosting deploy allowed publishing to a site in a different project. (#10376)
• Added SSE mode support to firebase mcp. To use it, run firebase mcp --mode=sse --port=3000, and connect your client on http://localhost:3000.
• Update the valid Python runtimes for functions. Default Python runtime is now Python 3.14.
• Fix CLI non-interactive mode for dataconnect init (#10401)
• Fixed issue where rules for non-default Firestore databases were not being deployed correctly.
• Suppress SSR warning for non-SSR Angular projects on init hosting (#10364)
• Updated the SQL Connect emulator to v3.4.6, including internal bug fixes (#10434)
• Fix an issue where deploying multi-codebase functions failed due to a shared source token scraper (#10428)

v15.15.0

• Add foundation for being smarter about where to place functions when the region is not specified (#10293)
• Updated Pub/Sub emulator to version 0.8.30
• Renamed Data Connect displayed text to SQL Connect (#10270)
• Added support for the experimental Cloud Functions for Firebase Dart SDK behind the dartfunctions flag
• Updated the SQL Connect emulator to v3.4.5, including internal bug fixes (#10336)

v15.14.0

• Added Enterprise Edition support to the Firestore emulator. Configure it by setting firebase.json#firestore.edition or firebase.json#emulators.firestore.edition.
• Fixed an issue where functions deployments would silently fail (#6989)
• Fixed issue where the CLI isn't able to correctly parse command arguments on PowerShell (#7506)
• Add support for Next.js 16 middleware (proxy.ts/proxy.js) (#9631)
• Updates the default region for new App Hosting backends to us-east4 (#10271)
• Fix Next.js image optimization detection in client components (#10228)
• Updates Firebase Data Connect emulator to v3.4.1 (#10290)
  • Upgraded Go runtime to 1.25.9.

... (truncated)

Commits

• 8af261a 15.18.0
• 0e759e4 Add missing changelog entries (#10514)
• 70e2771 fix: support secret environment variables for Cloud Run functions (#10489)
• dae4e46 update FDC local toolkit to v3.4.8 (#10506)
• 1a32765 Set requiredProjectBindings in AI Logic services (#10503)
• 26ccd63 remove legacy localbuild path and remove @​apphosting/build dependency (#10512)
• 6203955 Adding default timeout for dart functions (#10501)
• 0b59f18 support nested .gitignore files in source deploys (#10498)
• a605414 refactor: resolve function regions during build phase to fix VPC connectors (...
• 205b5f8 feat: update Pub/Sub emulator to 0.8.31 (#10485)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.