← Home

@firebase/installations

npm Repository Homepage
100
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:coverage/browser/HeadlessChrome 80.0.3987 (Linux 0.0.0)/prettify.js AI (source-diff): This is google-code-prettify bundled inside a Karma/Istanbul test coverage HTML report artifact. Standard syntax highlighter, not malicious code. Packaging hygiene issue only. ai
dependencies unvetted-dep:@firebase/util AI (dependencies): @firebase/util is an official Firebase SDK internal dependency published by the same google-wombot publisher; not a suspicious third-party package. ai
source-diff obfuscated-file:coverage/browser/Chrome Headless 84.0.4147.125 (Linux x86_64)/prettify.js AI (source-diff): This is Google Code Prettify bundled into Karma's HTML coverage report output. The path clearly identifies it as a test coverage artifact, not malicious code. Stable false positive for this package. ai
source-diff large-new-source-files AI (source-diff): The 36 new files are Karma test coverage report artifacts (HTML/JS). Packaging hygiene issue but not a security concern for this established Firebase SDK. ai
source-diff obfuscated-file:coverage/browser/HeadlessChrome 78.0.3904 (Linux 0.0.0)/prettify.js AI (source-diff): This is the well-known google-code-prettify syntax highlighter, minified, bundled inside a Karma/Istanbul browser coverage report. Not malicious — a packaging hygiene issue only. ai
source-diff obfuscated-file:coverage/browser/HeadlessChrome 75.0.3770 (Linux 0.0.0)/prettify.js AI (source-diff): File is the standard Google Code Prettify syntax highlighter bundled by Istanbul/Karma coverage reporters. Minified format is expected; this is a coverage report artifact, not malicious code. ai
source-diff obfuscated-file:coverage/browser/HeadlessChrome 76.0.3809 (Linux 0.0.0)/prettify.js AI (source-diff): This is the well-known Google Code Prettify syntax highlighter, minified, bundled as part of karma/Istanbul coverage HTML report output accidentally included in the npm publish. No security risk. ai
source-diff obfuscated-file:coverage/browser/HeadlessChrome 77.0.3865 (Linux 0.0.0)/prettify.js AI (source-diff): This is the well-known Google Code Prettify syntax highlighter, minified, inside a Karma/Istanbul coverage report artifact accidentally included in the package. Benign packaging sloppiness, not obfuscated malware. ai
provenance no-provenance AI (provenance): Google's Firebase SDK packages are published via google-wombot without Sigstore provenance; this is consistent across all Firebase SDK releases and not a risk indicator. ai
publish-pattern new-deps-added AI (publish-pattern): tslib is a canonical Microsoft TypeScript runtime helpers library; adding it is standard practice for TypeScript-compiled Firebase SDK packages. ai
provenance publisher-changed AI (provenance): Firebase/Google routinely rotates internal publisher accounts across their SDK monorepo; chholland is a long-standing, high-approval publisher with no malicious history. ai
bogus-package bogus-package AI (bogus-package): Missing metadata signals are false positives for @firebase/* scoped packages; the author field and Apache-2.0 license clearly identify this as an official Firebase SDK package. ai
phantom-deps phantom-dep:tslib AI (phantom-deps): tslib is a declared direct dependency in package.json used as a bundled TypeScript runtime helper; phantom-dep finding is a stable false positive for this package. ai
npm-metadata no-description AI (npm-metadata): Omitting description is consistent across Firebase SDK monorepo sub-packages; not a malware indicator for this well-established publisher. ai

Versions (showing 100 of 328)

Hide prereleases
Version Deps Published
0.6.22 4 / 8
0.6.21 4 / 8
0.6.20 4 / 8
0.6.19 4 / 8
0.6.18 4 / 8
0.6.17 4 / 8
0.6.16 4 / 8
0.6.15 4 / 8
0.6.14 4 / 8
0.6.13 4 / 8
0.6.12 4 / 8
0.6.11 4 / 8
0.6.10 4 / 8
0.6.9 4 / 8
0.6.8 4 / 8
0.6.7 4 / 8
0.6.6 4 / 8
0.6.5 4 / 8
0.6.4 4 / 8
0.6.3 4 / 8
0.6.2 4 / 8
0.6.1 4 / 8
0.6.0 4 / 8
0.5.16 4 / 8
0.5.15 4 / 8
0.5.14 4 / 8
0.5.13 4 / 8
0.5.12 4 / 8
0.5.11 4 / 8
0.5.10 4 / 8
0.5.9 4 / 8
0.5.8 3 / 8
0.5.7 3 / 8
0.5.6 3 / 8
0.5.5 4 / 8
0.5.4 4 / 8
0.5.3 4 / 8
0.5.2 4 / 8
0.5.1 4 / 8
0.5.0 4 / 8
0.4.32 5 / 8
0.4.31 5 / 8
0.4.30 5 / 8
0.4.29 5 / 8
0.4.28 5 / 8
0.4.27 5 / 8
0.4.26 5 / 8
0.4.25 5 / 8
0.4.24 5 / 8
0.4.23 5 / 8
0.4.22 5 / 8
0.4.21 5 / 8
0.4.20 5 / 8
0.4.19 5 / 8
0.4.18 5 / 8
0.4.17 5 / 8
0.4.16 5 / 7
0.4.15 5 / 7
0.4.14 5 / 7
0.4.13 5 / 7
0.4.12 5 / 7
0.4.11 5 / 7
0.4.10 5 / 7
0.4.9 5 / 7
0.4.8 5 / 7
0.4.7 5 / 7
0.4.6 5 / 7
0.4.5 5 / 7
0.4.4 5 / 7
0.4.3 5 / 7
0.4.2 5 / 7
0.4.1 5 / 7
0.4.0 5 / 7
0.3.9 5 / 7
0.3.8 5 / 7
0.3.7 5 / 7
0.3.6 4 / 24
0.3.5 4 / 24
0.3.4 4 / 24
0.3.3 4 / 24
0.3.2 4 / 24
0.3.1 4 / 24
0.3.0 4 / 24
0.2.7 4 / 24
0.2.6 4 / 24
0.2.5 4 / 24
0.2.4 4 / 24
0.2.3 4 / 24
0.2.2 4 / 24
0.2.1 4 / 24
0.2.0 4 / 24
0.1.7 4 / 24
0.1.6 4 / 22
0.1.5 4 / 22
0.1.4 4 / 22
0.1.3 4 / 22
0.1.2 4 / 22
0.1.1 3 / 22
0.1.0 3 / 22
0.6.21-canary.f4e0086e3 4 / 8
Showing 100 of 328 Next page →

v0.6.22

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.6.21-canary.f4e0086e3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.