Project https://github.com/firebase/firebase-tools has dependency on @google-cloud/pubsub package, which has a critical security vulnerability.

Severity: critical
Title: protobufjs Prototype Pollution vulnerability
Package: protobufjs
Patched in protobufjs version: >=7.2.5
Path: firebase-tools > @google-cloud/pubsub > google-gax > protobufjs
More info: https://www.npmjs.com/advisories/1096964

This issue has been fixed in the latest versions of @google-cloud/pubsub package. But firebase-tools project is still using @google-cloud/pubsub version 3.x.x even in its latest release.