Summary
@google-cloud/storage@7.19.0 (latest) transitively depends on the vulnerable
@tootallnate/once@2.0.0 package through the following dependency chain:
@google-cloud/storage@7.19.0
→ teeny-request@9.x
→ http-proxy-agent@5.x
→ @tootallnate/once@2.0.0
Vulnerability
@tootallnate/once versions prior to 3.0.1 are vulnerable to Incorrect Control
Flow Scoping (CWE-705). When AbortSignal is used, Promises remain permanently
pending after abort, causing stalled requests and degraded availability.
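The failure mode described above, as an added illustrative example in plain Node.js (not @tootallnate/once's own code; onceHanging, onceHardened, settlesAfterAbort and resolvesOnEvent are hypothetical names): a once()-style helper that only checks the signal at registration leaves its promise pending forever after abort, while the hardened form wires the signal into the promise so abort rejects it, and a timeout race turns a hang into a checkable result.

```javascript
// Added illustrative example, not @tootallnate/once's own code.
// Waits for one event on an EventTarget. The hanging variant only checks the
// signal at registration, so an abort after that point is never observed and
// the promise stays pending forever (the event listener leaks as well).
function onceHanging(target, type, { signal } = {}) {
  return new Promise((resolve, reject) => {
    if (signal?.aborted) return reject(new Error('aborted'));
    target.addEventListener(type, (ev) => resolve(ev), { once: true });
  });
}

// Hardened variant: abort is part of the promise's control flow. Whichever
// side fires first settles the promise and detaches the other listener.
function onceHardened(target, type, { signal } = {}) {
  return new Promise((resolve, reject) => {
    if (signal?.aborted) return reject(signal.reason ?? new Error('aborted'));
    const onEvent = (ev) => { cleanup(); resolve(ev); };
    const onAbort = () => { cleanup(); reject(signal.reason ?? new Error('aborted')); };
    const cleanup = () => {
      target.removeEventListener(type, onEvent);
      signal?.removeEventListener('abort', onAbort);
    };
    target.addEventListener(type, onEvent, { once: true });
    signal?.addEventListener('abort', onAbort, { once: true });
  });
}

// Regression check: abort before the event ever fires, then race the promise
// against a timeout so a hang shows up as 'pending' instead of stalling the
// caller. A correct helper returns 'settled'.
async function settlesAfterAbort(onceImpl, timeoutMs = 50) {
  const target = new EventTarget();
  const ac = new AbortController();
  const outcome = onceImpl(target, 'response', { signal: ac.signal })
    .then(() => 'settled', () => 'settled');
  ac.abort(); // no 'response' is ever dispatched; only the signal can settle it
  const timeout = new Promise((resolve) => setTimeout(resolve, timeoutMs, 'pending'));
  return Promise.race([outcome, timeout]);
}

// Happy path: without an abort, the helper resolves with the dispatched event.
async function resolvesOnEvent(onceImpl) {
  const target = new EventTarget();
  const pending = onceImpl(target, 'response', { signal: new AbortController().signal });
  target.dispatchEvent(new Event('response'));
  return (await pending).type;
}
```

The same race-against-timeout shape works as a unit test against any request helper that accepts an AbortSignal, which is how the stalled-request symptom can be caught before it reaches production.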
Suggested Fix
Update the teeny-request dependency from ^9.x to ^10.0.0. teeny-request@10
uses http-proxy-agent@7 which does not depend on @tootallnate/once at all:
teeny-request@10.x
→ http-proxy-agent@7.x (no @tootallnate/once dependency)
This is the same approach taken by @google-cloud/firestore@8.x (via google-gax@5
→ retry-request@8 → teeny-request@10), which successfully eliminates the
vulnerable transitive dependency.
Context
We discovered this while updating @google-cloud/firestore in firebase-admin-node
from ^7.11.0 to ^8.0.0 to resolve the same vulnerability. The firestore package
is fixed in v8, but storage still carries the vulnerable chain.