Skip to content

feat(firestore): Add setGrpcFlowControlWindow setting and set 256KB default#8309

Closed
dlarocque wants to merge 169 commits into
dl/large-docsfrom
dl/flow-control
Closed

feat(firestore): Add setGrpcFlowControlWindow setting and set 256KB default#8309
dlarocque wants to merge 169 commits into
dl/large-docsfrom
dl/flow-control

Conversation

@dlarocque

Copy link
Copy Markdown
Contributor

No description provided.

dconeybe and others added 30 commits May 6, 2026 12:58
…ask (#8115)

The `check` task no longer implicitly depends on `integrationTest` for
the `firebase-appdistribution-gradle` module.

Unit test, unlike integration tests, block submission of PRs, and the
test has been failing frequently.

Integration tests can still be run explicitly via `./gradlew
:firebase-appdistribution-gradle:integrationTest`.
…8120)

Gradle can sometimes to patch updates for older gradle versions, which
breaks the assumption in our integration tests that the last released
gradle version is the latest. Update this logic to actually retrieve the
latest stable gradle version.
…o presubmit (#8121)

Removes integration tests from general PR presubmits, preventing
appdistro bugs and issues from blocking other products.
Updated the actions/upload-artifact GitHub Action version to v7.0.1
across all CI workflow files to ensure consistent and updated artifact
management.
…to backend deduplication of "subscribe" requests (#8131)
Auto-generated PR for cleaning up release m180

NO_RELEASE_CHANGE

Co-authored-by: rlazo <368578+rlazo@users.noreply.github.com>
Co-authored-by: Rodrigo Lazo <rlazo@users.noreply.github.com>
…rors due to Kotlin upgrade. (#8125)

**Context**

#7896 updated
Kotlin version, which broke Crashlytics functional test building since
these were using a hardcoded version of Gradle.
…ch (#8148)

Add target-branch parameter to checkout specific branches while
retaining release name for PR metadata.
The AI Logic endpoints return citation indices based on UTF-8 bytes, but
Java and Kotlin use UTF-16 natively. This means that the provided
indices are often offset from actual content and can even point out of
bounds, making them very difficult to use.

Applies both to citation metadata and grounding.

Testing was added for all validation to ensure that grounding indices
match completely with what is provided, currently passing all extant
testing. Further testing was added to force grounding with citation
using strings which will differ in length in UTF-8 and UTF-16 (the
degree symbol and accented letters are multi-byte unicode characters).

Manual testing was done for accurate indices in practice, exhaustive
testing is difficult, as citation is generally rarer. Grounding is easy
to force and test.
…s/src/androidTest/backend/functions/functions (#8149)

Bumps [@protobufjs/utf8](https://github.com/dcodeIO/protobuf.js) from
1.1.0 to 1.1.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dcodeIO/protobuf.js/releases">@​protobufjs/utf8's
releases</a>.</em></p>
<blockquote>
<h2>protobufjs-cli: v1.1.1</h2>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-cli-v1.1.0...protobufjs-cli-v1.1.1">1.1.1</a>
(2023-02-02)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>cli:</strong> fix relative path to Google pb files (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/1859">#1859</a>)
(<a
href="https://github.com/protobufjs/protobuf.js/commit/e42eea4868b11f4a07934804a56683321ed191e2">e42eea4</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/644d588c0495da6a570344248e1b5af901bc3b0c"><code>644d588</code></a>
chore: release master (<a
href="https://redirect.github.com/dcodeIO/protobuf.js/issues/1865">#1865</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/e42eea4868b11f4a07934804a56683321ed191e2"><code>e42eea4</code></a>
fix(cli): fix relative path to Google pb files (<a
href="https://redirect.github.com/dcodeIO/protobuf.js/issues/1859">#1859</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/dce9a2ef92d363752e40b295b0da9bd178f82e83"><code>dce9a2e</code></a>
fix: use bundled filename to fix common pb includes (<a
href="https://redirect.github.com/dcodeIO/protobuf.js/issues/1860">#1860</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/64e8936ad9f73c68b3fa1e57857dd38323b5a745"><code>64e8936</code></a>
fix: use ES5 style function syntax (<a
href="https://redirect.github.com/dcodeIO/protobuf.js/issues/1830">#1830</a>)</li>
<li><a
href="https://github.com/protobufjs/protobuf.js/commit/4489fa771464bcb49b57149760e9cc4131e8077e"><code>4489fa7</code></a>
Revert &quot;fix: error should be thrown (<a
href="https://redirect.github.com/dcodeIO/protobuf.js/issues/1817">#1817</a>)&quot;
(<a
href="https://redirect.github.com/dcodeIO/protobuf.js/issues/1864">#1864</a>)</li>
<li>See full diff in <a
href="https://github.com/dcodeIO/protobuf.js/compare/protobufjs-cli-v1.1.0...protobufjs-cli-v1.1.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@protobufjs/utf8&package-manager=npm_and_yarn&previous-version=1.1.0&new-version=1.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/firebase/firebase-android-sdk/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…/src/androidTest/backend/functions/functions (#8059)

Bumps
[fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser)
from 5.5.9 to 5.7.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/releases">fast-xml-parser's
releases</a>.</em></p>
<blockquote>
<h2>upgrade <code>@​nodable/entities</code> and FXB</h2>
<ul>
<li>Use <code>@nodable/entities</code> v2.1.0
<ul>
<li>breaking changes
<ul>
<li>single entity scan. You're not allowed to use entity value to form
another entity name.</li>
<li>you cant add numeric external entity</li>
<li>entity error message when expantion limit is crossed might
change</li>
</ul>
</li>
<li>typings are updated for new options related to process entity</li>
<li>please follow documentation of <code>@nodable/entities</code> for
more detail.</li>
<li>performance
<ul>
<li>if processEntities is false, then there should not be impact on
performance.</li>
<li>if processEntities is true, but you dont pass entity decoder
separately then performance may degrade by approx 8-10%</li>
<li>if processEntities is true, and you pass entity decoder separately
<ul>
<li>if no entity then performance should be same as before</li>
<li>if there are entities then performance should be increased from past
versions</li>
</ul>
</li>
</ul>
</li>
<li>ignoreAttributes is not required to be set to set xml version for
NCR entity value</li>
</ul>
</li>
<li>update 'fast-xml-builder' to sanitize malicious CDATA and comment's
content</li>
</ul>
<h2>use <code>@​nodable/entities</code> to replace entities</h2>
<ul>
<li>No API change</li>
<li>No change in performance for basic usage</li>
<li>No typing change</li>
<li>No config change</li>
<li>new dependency</li>
<li>breaking: error messages for entities might have been changed.</li>
<li></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.12...v5.6.0">https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.12...v5.6.0</a></p>
<h2>performance improvment, increase entity expansion default limit</h2>
<ul>
<li>increase default entity explansion limit as many projects demand for
that</li>
</ul>
<pre><code>maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,
</code></pre>
<ul>
<li>performance improvement
<ul>
<li>reduce calls to toString</li>
<li>early return when entities are not present</li>
<li>prepare rawAttrsForMatcher only if user sets <code>jPath:
false</code></li>
</ul>
</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.9...v5.5.10">https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.9...v5.5.10</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's
changelog</a>.</em></p>
<blockquote>
<p><!-- raw HTML omitted -->Note: If you find missing information about
particular minor version, that version must have been changed without
any functional change in this library.<!-- raw HTML omitted --></p>
<p>Note: Due to some last quick changes on v4, detail of v4.5.3 &amp;
v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github
repository. I'm extremely sorry for the confusion</p>
<p><strong>5.7.1 / 2026-04-20</strong></p>
<ul>
<li>fix <a
href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/705">#705</a>:
attributesGroupName working with preserveOrder</li>
<li>fix <a
href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/817">#817</a>:
stackoverflow when tag expression is very long</li>
</ul>
<p><strong>5.7.0 / 2026-04-17</strong></p>
<ul>
<li>Use <code>@nodable/entities</code> v2.1.0
<ul>
<li>breaking changes
<ul>
<li>single entity scan. You're not allowed to user entity value to form
another entity name.</li>
<li>you cant add numeric external entity</li>
<li>entity error message when expantion limit is crossed might
change</li>
</ul>
</li>
<li>typings are updated for new options related to process entity</li>
<li>please follow documentation of <code>@nodable/entities</code> for
more detail.</li>
<li>performance
<ul>
<li>if processEntities is false, then there should not be impact on
performance.</li>
<li>if processEntities is true, but you dont pass entity decoder
separately then performance may degrade by approx 8-10%</li>
<li>if processEntities is true, and you pass entity decoder separately
<ul>
<li>if no entity then performance should be same as before</li>
<li>if there are entities then performance should be increased from past
versions</li>
</ul>
</li>
</ul>
</li>
<li>ignoreAttributes is not required to be set to set xml version for
NCR entity value</li>
</ul>
</li>
<li>update 'fast-xml-builder' to sanitize malicious CDATA and comment's
content</li>
</ul>
<p><strong>5.6.0 / 2026-04-15</strong></p>
<ul>
<li>fix: entity replacement for numeric entities</li>
<li>use <code>@​nodable/entities</code> to replace entities
<ul>
<li>this may change some error messages related to entities expansion
limit or inavlid use</li>
<li>post check would be exposed in future version</li>
</ul>
</li>
</ul>
<p><strong>5.5.12 / 2026-04-13</strong></p>
<ul>
<li>Performance Improvement: update path-expression-matcher
<ul>
<li>use proxy pattern than Proxy class</li>
</ul>
</li>
</ul>
<p><strong>5.5.11 / 2026-04-08</strong></p>
<ul>
<li>Performance Improvement
<ul>
<li>integrate ExpressionSet for stopNodes</li>
</ul>
</li>
</ul>
<p><strong>5.5.10 / 2026-04-03</strong></p>
<ul>
<li>increase default entity explansion limit as many projects demand for
that</li>
<li>performance improvement
<ul>
<li>reduce calls to toString</li>
<li>early return when entities are not present</li>
<li>prepare rawAttrsForMatcher only if user sets <code>jPath:
false</code></li>
</ul>
</li>
</ul>
<p><strong>5.5.9 / 2026-03-23</strong></p>
<ul>
<li>combine typing files</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/0f08303189d541b08401d15a7137dc238a815fa7"><code>0f08303</code></a>
fix typo</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/f529642d760ef53bb9115ad4798af5dc77ac22c4"><code>f529642</code></a>
update to release v5.7.0</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/52a8583465d6a67ad19e86fe34714879a981c18e"><code>52a8583</code></a>
Revert &quot;improve performance of attributes reading&quot;</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/8d187f9abaf42ebdd85623a9ae942b08e8ae5d0c"><code>8d187f9</code></a>
update builder</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/e174168a72a65a8fccad2c42bde329d2167edf27"><code>e174168</code></a>
improve performance of attributes reading</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/79a8dde50cebaeeda75cc1ad5b97c328da106316"><code>79a8dde</code></a>
update docs</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/f5cd5a595f313ed7b0820cabfa82ebdaa08651f7"><code>f5cd5a5</code></a>
set xml version to decoder even if attributes are ignored</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/f44b9236f4bee07bba75f0549fe86c981b1aeeef"><code>f44b923</code></a>
remove unwanted tests</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/869ec8b3588304a3a6aa9f22e38445e06d4547c8"><code>869ec8b</code></a>
Use <code>@​nodable/entities</code> v2.1.0</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/7cb49e51cd060caecf296fbf718a98d8c044c8c5"><code>7cb49e5</code></a>
update release detail</li>
<li>Additional commits viewable in <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.9...v5.7.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=fast-xml-parser&package-manager=npm_and_yarn&previous-version=5.5.9&new-version=5.7.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/firebase/firebase-android-sdk/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Originally #8123

Bumps
[fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder)
from 1.1.5 to 1.2.0.
-
[Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
-
[Commits](NaturalIntelligence/fast-xml-builder@v1.1.5...v1.2.0)

---
updated-dependencies:
- dependency-name: fast-xml-builder dependency-version: 1.2.0
dependency-type: indirect ...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…t() to open a bidi streaming connection for realtime query updates (#8141)
dconeybe and others added 28 commits June 17, 2026 01:37
As the comment says, the model is prone to return "London" instead of
"New York". This is a reasonable test to keep around to base other tests
on in the future, but it's introducing noise into our daily testing so
we need to disable it.
Updated the Gradle distribution URL in gradle-wrapper.properties from
8.14.3 to 8.14.5 to utilize the latest improvements and bug fixes.
Updated the Android Gradle Plugin version to 8.13.2 across the root
configuration, apk-size health metrics, and smoke tests build files to
ensure consistency and access to the latest build improvements.
# firebase-perf: fix API 34+ background-start heuristic in AppStartTrace

Fixes #8103
(follow-up to b/339891952).

`AppStartTrace`'s background-start detection relied on the ordering of a
posted main-thread runnable vs the first `onActivityCreated`. On API 34+
the OS can drain the runnable before delivering the activity-launch
Binder transaction even on a genuine cold foreground launch — the gap on
real Pixel devices is ~200–300 ms, well above the previous 50 ms
tolerance. Every affected user lost their `_app_start` traces.

## Fix

On API 34+, `resolveIsStartedFromBackground` switches from the
timing-window heuristic to an OS-reported process start cause.
Pre-API-34 is unchanged.

```
API <34: legacy mainThreadRunnableTime check (unchanged).
API 34+: AppStartCause.cause
         FOREGROUND ⇒ log.
         UNKNOWN / null ⇒ suppress.
```

The new `AppStartCause` helper reads `RunningAppProcessInfo.importance`
via `ActivityManager.getMyMemoryState` once, at first capture inside
`AppStartTrace.registerActivityLifecycleCallbacks`.
`IMPORTANCE_FOREGROUND` ⇒ `FOREGROUND` (activity-driven start); anything
else ⇒ `UNKNOWN`. Pre-API-34 returns `UNKNOWN` so the legacy decision
stays in charge. `FirebasePerfEarly` stops scheduling
`StartFromBackgroundRunnable` on API 34+ since its output is no longer
consumed.

## Behavior matrix

| Scenario | API <34 | API 34+ |
|---|---|---|
| Foreground launcher tap | log (unchanged) | log via FOREGROUND cause |
| Background broadcast (no activity) | n/a | n/a |
| Warm start (broadcast → activity) | suppress (unchanged) | suppress
via UNKNOWN cause |

## Tests

`./gradlew :firebase-perf:spotlessApply
:firebase-perf:testReleaseUnitTest` — 0 failures. `AppStartTraceTest`
9/9 (`@Config(sdk = 33)` for the pre-API-34 path; FOREGROUND / UNKNOWN /
null for API 34+). `AppStartCauseTest` 6/6 (null-context, pre-API-34,
API 34 FOREGROUND / SERVICE / CACHED importance branches, constructor).
**Test project app:**
https://github.com/jrodiz/firebase-perf-e2e-for-issue8103

## Risks

- API 34+ behavior changes for every app: timing-window heuristic gone,
importance-based signal wired in. `_app_start` emission rate rises on
the previously-broken population — the intent.
- `RunningAppProcessInfo.importance` is stable public SDK and a single
Binder IPC; no reflection.
- Pre-API-34 path untouched.

---------

Co-authored-by: Tejas Deshpande <tdeshpande@google.com>
Upgrade JGit to version 7.3.0.202506031305-r and remove unused AutoValue
dependencies.
Auto-generated PR for cleaning up release m182

NO_RELEASE_CHANGE

---------

Co-authored-by: VinayGuthal <4609544+VinayGuthal@users.noreply.github.com>
Co-authored-by: Vinay Guthal <vguthal@google.com>
…ion of filename `update_versions_json.zsh` (was `update_versions_json.sh`) (#8337)
Added failure listeners to the reCAPTCHA token acquisition flow to log
errors when failing to obtain the reCAPTCHA client or exchange the
attestation for a token.
…ud:google-cloud-storage` to 2.69.0 and `io.github.z4kn4fein:semver` to 3.1.0 (#8335)
… and firebase-tools to 15.22.1 (was 15.20.0) (#8344)
The file is generated during CI and shouldn't be commited to the repo.
…ndroidTest/backend/functions/functions (#8331)

Bumps [form-data](https://github.com/form-data/form-data) from 2.5.5 to
2.5.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/form-data/form-data/blob/master/CHANGELOG.md">form-data's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/form-data/form-data/compare/v2.5.5...v2.5.6">v2.5.6</a>
- 2026-06-12</h2>
<h3>Commits</h3>
<ul>
<li>[Fix] escape CR, LF, and <code>&quot;</code> in field names and
filenames <a
href="https://github.com/form-data/form-data/commit/b62031603c2d7c329b2a369b49466790f0ba6314"><code>b620316</code></a></li>
<li>[Dev Deps] update <code>@ljharb/eslint-config</code>,
<code>auto-changelog</code>, <code>eslint</code>, <code>tape</code> <a
href="https://github.com/form-data/form-data/commit/12be578e936fd77eee75e2e656955f5343c4b80f"><code>12be578</code></a></li>
<li>[Dev Deps] update <code>js-randomness-predictor</code> <a
href="https://github.com/form-data/form-data/commit/46cfd23bd40be14cfa0391e1c5357c4d74098f23"><code>46cfd23</code></a></li>
<li>[Tests] use <code>safe-buffer</code> so the header-injection test
runs on node &lt; 4 <a
href="https://github.com/form-data/form-data/commit/633044a57a7b19f41cec2271ffd24afa2f6280af"><code>633044a</code></a></li>
<li>[Deps] update <code>hasown</code> <a
href="https://github.com/form-data/form-data/commit/e3b96eef1661bca8ea4297de057b78bf2734e900"><code>e3b96ee</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"><code>c713349</code></a>
v2.5.6</li>
<li><a
href="https://github.com/form-data/form-data/commit/46cfd23bd40be14cfa0391e1c5357c4d74098f23"><code>46cfd23</code></a>
[Dev Deps] update <code>js-randomness-predictor</code></li>
<li><a
href="https://github.com/form-data/form-data/commit/633044a57a7b19f41cec2271ffd24afa2f6280af"><code>633044a</code></a>
[Tests] use <code>safe-buffer</code> so the header-injection test runs
on node &lt; 4</li>
<li><a
href="https://github.com/form-data/form-data/commit/e3b96eef1661bca8ea4297de057b78bf2734e900"><code>e3b96ee</code></a>
[Deps] update <code>hasown</code></li>
<li><a
href="https://github.com/form-data/form-data/commit/12be578e936fd77eee75e2e656955f5343c4b80f"><code>12be578</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code>,
<code>auto-changelog</code>, <code>eslint</code>, <code>tape</code></li>
<li><a
href="https://github.com/form-data/form-data/commit/b62031603c2d7c329b2a369b49466790f0ba6314"><code>b620316</code></a>
[Fix] escape CR, LF, and <code>&quot;</code> in field names and
filenames</li>
<li>See full diff in <a
href="https://github.com/form-data/form-data/compare/v2.5.5...v2.5.6">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=form-data&package-manager=npm_and_yarn&previous-version=2.5.5&new-version=2.5.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/firebase/firebase-android-sdk/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updated various Javadoc comments across FirebaseOptions,
SequentialExecutor, and Component classes to replace the abbreviation
e.g. with the more formal for example for improved readability.

NO_RELEASE_CHANGE
@wiz-9635d3485b

Copy link
Copy Markdown

Wiz Scan Summary

Scanner Findings
Vulnerability Finding Vulnerabilities 15 High 17 Medium 2 Low
Data Finding Sensitive Data -
Secret Finding Secrets -
IaC Misconfiguration IaC Misconfigurations -
SAST Finding SAST Findings -
Software Management Finding Software Management Findings -
Total 15 High 17 Medium 2 Low

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

@dlarocque dlarocque closed this Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.