@firebase/app-types — Greenflagged

@firebase/app Types

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@firebase/logger	AI (dependencies): @firebase/logger is an official Firebase SDK package published by the same Google/Firebase publisher ecosystem; its inclusion as a dependency is expected and benign for this package.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change reflects a legitimate Firebase/Google team transition; chholland is a well-established publisher with a long track record and many approved packages.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (chholland, feiyang.chen, google-wombot, hiranya911) are consistent with Firebase SDK team members and Google automation; legitimate team rotation.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of prior maintainers is consistent with the documented Firebase team transition; no malicious indicators present.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): Types-only package from Google's Firebase SDK monorepo; short README and no keywords are expected for internal type definition packages, not spam indicators.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Published by Google's official Firebase bot; lack of Sigstore provenance is acceptable given the publisher's established identity and ecosystem trust.	ai	2026/04/22

Versions (showing 42 of 42)

Show 218 prereleases

Version	Deps	Published
0.9.5	1 / 1	2026-05-07
0.9.4	1 / 1	2026-04-09
0.9.3	0 / 1	2024-11-14
0.9.2	0 / 1	2024-05-13
0.9.1	0 / 1	2024-03-28
0.9.0	0 / 1	2022-12-08
0.8.1	0 / 1	2022-10-27
0.8.0	0 / 1	2022-10-06
0.7.0	0 / 1	2021-08-25
0.6.3	0 / 1	2021-07-29
0.6.2	0 / 1	2021-04-08
0.6.1	0 / 1	2020-05-21
0.6.0	0 / 1	2020-03-19
0.5.3	0 / 1	2020-03-13
0.5.2	0 / 1	2020-02-28
0.5.1	0 / 1	2020-02-06
0.5.0	0 / 1	2019-12-12
0.4.9	0 / 1	2019-12-06
0.4.8	0 / 1	2019-11-21
0.4.7	0 / 1	2019-10-31
0.4.6	0 / 1	2019-10-16
0.4.5	0 / 1	2019-10-10
0.4.4	0 / 1	2019-09-25
0.4.3	0 / 1	2019-08-01
0.4.2	0 / 1	2019-07-25
0.4.1	0 / 1	2019-07-19
0.4.0	0 / 1	2019-05-07
0.3.10	0 / 1	2019-04-30
0.3.9	0 / 1	2019-04-18
0.3.8	0 / 1	2019-04-11
0.3.7	0 / 1	2019-03-21
0.3.6	0 / 1	2019-03-14
0.3.5	0 / 1	2019-03-02
0.3.4	0 / 1	2019-02-14
0.3.3	0 / 1	2019-01-24
0.3.2	0 / 1	2018-05-24
0.3.1	0 / 1	2018-05-10
0.3.0	0 / 0	2018-05-08
0.2.0	0 / 0	2018-04-19
0.1.2	0 / 1	2018-02-22
0.1.1	0 / 1	2018-01-11
0.1.0	0 / 1	2017-12-19

v0.9.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.