Skip to content

fix: prevent hosting deploy to site in wrong project#10380

Merged
bkendall merged 6 commits intonextfrom
jh-same-site-diff-project
Apr 17, 2026
Merged

fix: prevent hosting deploy to site in wrong project#10380
bkendall merged 6 commits intonextfrom
jh-same-site-diff-project

Conversation

@joehan
Copy link
Copy Markdown
Member

@joehan joehan commented Apr 17, 2026

Description

Prevent accidental deployments to a hosting site that does not belong to the active project.
The CLI now verifies that the site belongs to the project before creating a version.

Fixes #10376

Scenarios Tested

  • Verified that error is thrown when site does not belong to project.
  • Verified that deploy passes when site belongs to project.
  • Verified that check is skipped for demo projects.

Sample Commands

firebase deploy --project project-b (where site in firebase.json belongs to project-a) -> should fail.

@joehan
fix: prevent hosting deploy to site in wrong project
3e39d7c 
### Description
Prevent accidental deployments to a hosting site that does not belong to the active project.
The CLI now verifies that the site belongs to the project before creating a version.

Fixes #10376

### Scenarios Tested
- Verified that error is thrown when site does not belong to project.
- Verified that deploy passes when site belongs to project.
- Verified that check is skipped for demo projects.

### Sample Commands
`firebase deploy --project project-b` (where site in firebase.json belongs to project-a) -> should fail.
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a validation check during the hosting deployment process to ensure that the target site belongs to the specified project, preventing cross-project publishing. The changes include logic in the preparation phase, updated unit tests, and a changelog entry. Review feedback points out that the manual string-prefix check on the site name is redundant and potentially fragile because the API client already scopes the request to the project ID; it is recommended to rely on the API's error response and update the unit tests to reflect this simplified approach.

Comment thread src/deploy/hosting/prepare.ts Outdated
Comment thread src/deploy/hosting/prepare.spec.ts Outdated
@joehan joehan requested a review from bkendall April 17, 2026 16:44
@bkendall bkendall merged commit 9864f27 into next Apr 17, 2026
118 of 121 checks passed
@bkendall bkendall deleted the jh-same-site-diff-project branch April 17, 2026 22:15
This was referenced Apr 21, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bkendall bkendall bkendall approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joehan @bkendall @cabljac