@firebase/performance-compat

The compatibility package of Firebase Performance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@firebase/util	AI (dependencies): @firebase/util is a same-org Firebase dependency; already flagged as accepted risk in phantom-dep finding. No real concern for this package.	ai	2026/04/22
publish-pattern	dormant-publish	AI (publish-pattern): Package is published by Google's official Firebase bot (google-wombot) with a long established history. Dormancy likely reflects release cadence changes in the Firebase SDK monorepo, not account takeover.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): google-wombot is Google's official Firebase automation bot; transition from individual Google engineer accounts to this bot is standard practice for Firebase SDK releases.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): hiranya911 is a known Firebase team member; removal reflects Google's consolidation of publishing under google-wombot service account, not a takeover.	ai	2026/04/22
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a known implicit runtime dependency for TypeScript-compiled packages; phantom flag is a stable false positive for this package.	ai	2026/04/22
phantom-deps	phantom-dep:@firebase/util	AI (phantom-deps): First-party Firebase monorepo dependency used transitively in compat shim; not directly imported by design.	ai	2026/04/22
phantom-deps	phantom-dep:@firebase/logger	AI (phantom-deps): First-party Firebase monorepo dependency used transitively in compat shim; not directly imported by design.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): Firebase SDK monorepo sub-packages consistently lack keywords and detailed READMEs; this is a structural pattern, not a spam indicator.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Published by google-wombot in 2021 era; Sigstore provenance was not yet standard practice for Firebase SDK canary releases.	ai	2026/04/21

Versions (showing 44 of 44)

Show 230 prereleases

Version	Deps	Published
0.2.25	6 / 6	2026-05-07
0.2.24	6 / 6	2026-03-19
0.2.23	6 / 6	2026-02-27
0.2.22	6 / 6	2025-08-07
0.2.21	6 / 6	2025-07-17
0.2.20	6 / 6	2025-06-30
0.2.19	6 / 6	2025-05-20
0.2.18	6 / 6	2025-05-14
0.2.17	6 / 6	2025-05-14
0.2.16	6 / 6	2025-05-07
0.2.15	6 / 6	2025-03-20
0.2.14	6 / 6	2025-02-27
0.2.13	6 / 6	2025-02-06
0.2.12	6 / 6	2025-01-16
0.2.11	6 / 6	2024-11-14
0.2.10	6 / 6	2024-10-21
0.2.9	6 / 6	2024-09-18
0.2.8	6 / 6	2024-07-03
0.2.7	6 / 6	2024-05-13
0.2.6	6 / 6	2024-03-28
0.2.5	6 / 6	2024-02-01
0.2.4	6 / 6	2023-03-02
0.2.3	6 / 6	2023-02-03
0.2.2	6 / 6	2023-02-02
0.2.1	6 / 6	2023-01-19
0.2.0	6 / 6	2022-12-08
0.1.17	6 / 6	2022-11-10
0.1.16	6 / 6	2022-10-27
0.1.15	6 / 6	2022-10-12
0.1.14	6 / 6	2022-10-11
0.1.13	6 / 6	2022-10-06
0.1.12	6 / 6	2022-07-07
0.1.11	6 / 6	2022-06-23
0.1.10	6 / 6	2022-06-09
0.1.9	6 / 6	2022-05-06
0.1.8	6 / 6	2022-04-14
0.1.7	6 / 6	2022-03-24
0.1.6	6 / 6	2022-03-17
0.1.5	6 / 6	2022-01-07
0.1.4	6 / 6	2021-11-08
0.1.3	6 / 6	2021-11-04
0.1.2	6 / 6	2021-10-14
0.1.1	6 / 6	2021-09-24
0.1.0	6 / 6	2021-08-25

v0.2.25

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.