Migrate from archived @google-cloud/storage to @googleapis/storage #601
Description
## Summary

The @google-cloud/storage package (currently ^7.19.0 in @reflag/node-sdk) pulls in a vulnerable transitive dependency via the chain:

```
@reflag/node-sdk → @google-cloud/storage@^7.19.0
  → teeny-request@^9.0.0
    → http-proxy-agent@^5.0.0
      → @tootallnate/once@2.0.0  ← vulnerable (<3.0.1)
```
Advisory: GHSA-vpq2-c234-7xj6 — Incorrect Control Flow Scoping in @tootallnate/once
The upstream repo googleapis/nodejs-storage is archived (read-only as of March 2026) and will not release a fix. The @google-cloud/storage package is effectively end-of-life.
## Proposed fix
Google's actively maintained successor is @googleapis/storage (currently v21.2.0). It does not depend on teeny-request and resolves the advisory.
## Impact on consumers
As long as @reflag/node-sdk depends on @google-cloud/storage, any project running npm audit / yarn npm audit will see this advisory with no actionable fix available. The only workaround is a resolutions override, which is fragile and has to be maintained manually.
Would you be open to migrating to @googleapis/storage in an upcoming release?
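As an added example (not part of this issue or of @reflag/node-sdk), the script below walks the `packages` map of a lockfileVersion 3 package-lock.json with npm's nested-then-hoisted resolution and reports every path from the project root to `@tootallnate/once` below the fixed version 3.0.1, so a consumer can confirm whether and through which chain the advisory actually reaches them. The `BEFORE` lock is constructed to mirror the chain above; the resolved versions of teeny-request and http-proxy-agent are assumed, not taken from a real install.

```javascript
// Advisory GHSA-vpq2-c234-7xj6: @tootallnate/once is affected below 3.0.1.
const ADVISORY = { name: "@tootallnate/once", fixedIn: "3.0.1" };

// Minimal numeric major.minor.patch comparison (no prerelease handling).
function versionLt(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Resolve `name` from `fromPath` the way npm does: nested node_modules
// first, then walk up towards the root's node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return "name@version -> ..." chains ending in an affected version.
function vulnerablePaths(packages) {
  const label = (p) => p.slice(p.lastIndexOf("node_modules/") + 13) + "@" + packages[p].version;
  const hits = [];
  const walk = (path, chain) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || chain.includes(depPath)) continue; // unresolved or cycle
      const next = [...chain, depPath];
      if (dep === ADVISORY.name && versionLt(packages[depPath].version, ADVISORY.fixedIn)) {
        hits.push(next.map(label).join(" -> "));
      }
      walk(depPath, next);
    }
  };
  walk("", []);
  return hits;
}

// Constructed lock mirroring the issue's chain (intermediate versions assumed).
const BEFORE = {
  "": { dependencies: { "@google-cloud/storage": "^7.19.0" } },
  "node_modules/@google-cloud/storage": { version: "7.19.0", dependencies: { "teeny-request": "^9.0.0" } },
  "node_modules/teeny-request": { version: "9.0.0", dependencies: { "http-proxy-agent": "^5.0.0" } },
  "node_modules/http-proxy-agent": { version: "5.0.0", dependencies: { "@tootallnate/once": "2.0.0" } },
  "node_modules/@tootallnate/once": { version: "2.0.0" },
};
```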