fix: upgrade @google-cloud/storage@7.19.0

[lahirumaramba]

Description

This PR bumps the optional dependency @google-cloud/storage to address a known security vulnerability in its underlying dependency, fast-xml-parser. As part of this update, TypeScript has been bumped in a minor version bump (breaking change exception) to support newer compilation requirements.

Changes Included:

• Security Fix: Upgrades the optional @google-cloud/storage dependency from ^7.14.0 to ^7.19.0 to resolve a vulnerability in fast-xml-parser. Fixes: UPDATE fast-xml-parser to fix CVE-2026-25128 #3060
• TypeScript Update:
  • Bumps the dev dependency typescript from 5.5.4 to ^5.7.3. (this will result in future typescript upgrades in minor version bumps).
  • Refactors the options.headers non-null assertion (!) to an explicit type assertion (as http.OutgoingHttpHeaders) in src/utils/api-request.ts to satisfy stricter type-checking requirements introduced by the newer TypeScript version.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Security Fix / Dependency Update
• (❗ exception) Breaking change (fix or feature that would cause existing functionality to not work as expected)

Testing

• All existing automated tests pass
• Project successfully builds without TypeScript errors

[gemini-code-assist]

Summary of Changes

Hello @lahirumaramba, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's security posture and maintaining compatibility with modern development standards. It primarily addresses a known security vulnerability by updating a key optional dependency and simultaneously upgrades the TypeScript version, necessitating minor code adjustments to conform to stricter type-checking rules. These changes ensure the project remains secure and aligned with current best practices.

Highlights

• Security Fix: Upgraded the optional @google-cloud/storage dependency from ^7.14.0 to ^7.19.0 to mitigate a security vulnerability found in its underlying dependency, fast-xml-parser.
• TypeScript Update: Bumped the typescript dev dependency from 5.5.4 to ^5.7.3 to support newer compilation requirements. This also involved refactoring type assertions in src/utils/api-request.ts to satisfy stricter type-checking.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• package-lock.json
  • Updated firebase-admin to version 13.7.0.
  • Updated typescript dev dependency to 5.9.3.
  • Updated @google-cloud/storage optional dependency to 7.19.0.
  • Updated fast-xml-parser to 5.3.5.
  • Updated strnum to 2.1.2.
  • Adjusted the dependency range for @google-cloud/promisify within @google-cloud/storage.
  • Removed PayPal funding URL for fast-xml-parser.
  • Added GitHub funding URL for strnum.
• package.json
  • Updated firebase-admin to version 13.7.0.
  • Updated @google-cloud/storage optional dependency to ^7.19.0.
  • Updated typescript dev dependency to ^5.7.3.
• src/utils/api-request.ts
  • Refactored non-null assertions for this.options.headers to explicit type assertions (as http.OutgoingHttpHeaders) in AsyncHttpCall and AsyncHttp2Call classes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly upgrades @google-cloud/storage to resolve a security vulnerability and updates TypeScript to a newer version. The corresponding code changes in src/utils/api-request.ts are functional. However, I've provided suggestions to replace the type assertions with type guards. This is a safer and more robust approach that improves code clarity and prevents potential type-related issues in the future.

[gemini-code-assist]

While using as http.OutgoingHttpHeaders works, it's a type assertion that tells the compiler to trust you, which can hide potential bugs if the type assumptions are wrong. A safer and clearer approach is to use a type guard. This ensures this.options.headers is always an object, making the code more robust against future changes and satisfying the compiler without forcing a type.

      if (!this.options.headers) {
        this.options.headers = {};
      }
      this.entity = this.httpConfigImpl.buildEntity(this.options.headers);

[gemini-code-assist]

Similar to the previous comment, using a type assertion with as can suppress potential type errors. A safer and clearer approach is to use a type guard. This ensures this.options.headers is always an object, making the code more robust against future changes and satisfying the compiler without forcing a type.

      if (!this.options.headers) {
        this.options.headers = {};
      }
      this.entity = this.http2ConfigImpl.buildEntity(this.options.headers);

[jonathanedey]

LGTM with one comment!

[lahirumaramba]

/gemini review

[gemini-code-assist]

Code Review

This pull request primarily upgrades dependencies to address a security vulnerability, which also necessitated an update to TypeScript and related ESLint configurations. The code changes in src/utils/api-request.ts correctly replace non-null assertions with safer checks to accommodate stricter type-checking. I've provided a couple of suggestions to make this new code even more concise using modern TypeScript features. Overall, the changes are solid and improve the project's security and code quality.

[lahirumaramba]

Adding these notes on the eslint changes for future reference:

1. @typescript-eslint/no-require-imports: 0
   Why it triggered: The repo still supports namespaces (deprecated) and uses require()

2. @typescript-eslint/no-unused-expressions: 0
   This rule flags code like expect(foo).to.be.true;. In the test files (and possibly some source files using similar patterns), these look like unused property accesses to the linter, even though they trigger assertions in libraries like Chai. Disabling this globally is safe if the project mostly uses it for assertions. However, it does risk masking real bugs (e.g., typing a == b when you meant a = b).
   In the future, we could enable this rule but exclude test files, or configure it to allow tagged template literals and specific patterns.

3. @typescript-eslint/no-unused-vars: ['error', { 'varsIgnorePattern': '^_', ... }]
   The previous setting was just ['error']. I relaxed it to allow variables starting with _ to be unused.
   It allows us to deliberately ignore variables (e.g., in function arguments) by prefixing them with an underscore, which is better than disabling the rule entirely for a line.