@firebase/storage
This is the Cloud Storage component of the Firebase JS SDK.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase from 417KB to 1MB is explained by Firebase's v9 modular SDK architecture expansion, adding exp/dist targets and compat layers — a documented major refactor, not injected payload. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Undici is a legitimate, established HTTP client replacing node-fetch; standard maintenance update for Firebase SDK. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): feiyang.chen and hiranya911 are known Firebase/Google engineers added during a legitimate team reorganization in 2018. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 46 new source files reflect SDK restructuring during early Firebase modular SDK development, not injected code. No suspicious content detected. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from jshcrowthe to feiyang.chen in Nov 2018 reflects a documented Firebase/Google team transition. feiyang.chen is a known Firebase engineer with long npm history. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long dormancy is consistent with monorepo release cycles; publisher is established and legitimate. | ai | |
| provenance | no-provenance | AI (provenance): google-wombot is an established Google automation account; lack of Sigstore provenance is consistent across all Firebase SDK packages and is not a meaningful risk signal. | ai | |
| dependencies | unvetted-dep:undici | AI (dependencies): Undici is a well-maintained Node.js HTTP client by the Node.js foundation; stable dependency for Firebase SDK. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Low README quality and missing keywords are typical for scoped monorepo packages; not indicative of spam. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper commonly used as an implicit dependency in compiled TypeScript packages; stable pattern for this package. | ai |
Versions (showing 100 of 376)
| Version | Deps | Published |
|---|---|---|
| 0.14.3 | 3 / 7 | |
| 0.14.2 | 3 / 7 | |
| 0.14.1 | 3 / 7 | |
| 0.14.0 | 3 / 7 | |
| 0.13.14 | 3 / 7 | |
| 0.13.13 | 3 / 7 | |
| 0.13.12 | 3 / 7 | |
| 0.13.11 | 3 / 7 | |
| 0.13.10 | 3 / 7 | |
| 0.13.9 | 3 / 7 | |
| 0.13.8 | 3 / 7 | |
| 0.13.7 | 3 / 7 | |
| 0.13.6 | 3 / 7 | |
| 0.13.5 | 3 / 7 | |
| 0.13.4 | 3 / 7 | |
| 0.13.3 | 3 / 7 | |
| 0.13.2 | 4 / 7 | |
| 0.13.1 | 4 / 7 | |
| 0.13.0 | 4 / 7 | |
| 0.12.6 | 4 / 7 | |
| 0.12.5 | 4 / 7 | |
| 0.12.4 | 4 / 7 | |
| 0.12.3 | 4 / 7 | |
| 0.12.2 | 4 / 7 | |
| 0.12.1 | 4 / 7 | |
| 0.12.0 | 4 / 7 | |
| 0.11.2 | 4 / 7 | |
| 0.11.1 | 4 / 7 | |
| 0.11.0 | 4 / 7 | |
| 0.10.1 | 4 / 7 | |
| 0.10.0 | 4 / 7 | |
| 0.9.14 | 4 / 7 | |
| 0.9.13 | 4 / 7 | |
| 0.9.12 | 4 / 7 | |
| 0.9.11 | 4 / 7 | |
| 0.9.10 | 4 / 7 | |
| 0.9.9 | 4 / 7 | |
| 0.9.8 | 4 / 7 | |
| 0.9.7 | 4 / 7 | |
| 0.9.6 | 4 / 7 | |
| 0.9.5 | 4 / 7 | |
| 0.9.4 | 4 / 7 | |
| 0.9.3 | 4 / 7 | |
| 0.9.2 | 4 / 7 | |
| 0.9.1 | 4 / 7 | |
| 0.9.0 | 4 / 7 | |
| 0.8.7 | 4 / 7 | |
| 0.8.6 | 4 / 7 | |
| 0.8.5 | 4 / 7 | |
| 0.8.4 | 4 / 7 | |
| 0.8.3 | 4 / 7 | |
| 0.8.2 | 4 / 7 | |
| 0.8.1 | 4 / 7 | |
| 0.8.0 | 4 / 7 | |
| 0.7.1 | 5 / 7 | |
| 0.7.0 | 5 / 7 | |
| 0.6.2 | 5 / 7 | |
| 0.6.1 | 5 / 7 | |
| 0.6.0 | 5 / 7 | |
| 0.5.6 | 5 / 7 | |
| 0.5.5 | 4 / 6 | |
| 0.5.4 | 4 / 6 | |
| 0.5.3 | 4 / 6 | |
| 0.5.2 | 4 / 6 | |
| 0.5.1 | 4 / 6 | |
| 0.5.0 | 4 / 6 | |
| 0.4.7 | 4 / 6 | |
| 0.4.6 | 4 / 6 | |
| 0.4.5 | 4 / 6 | |
| 0.4.4 | 4 / 6 | |
| 0.4.3 | 4 / 6 | |
| 0.4.2 | 4 / 6 | |
| 0.4.1 | 4 / 5 | |
| 0.4.0 | 4 / 5 | |
| 0.3.43 | 4 / 5 | |
| 0.3.42 | 4 / 4 | |
| 0.3.41 | 4 / 4 | |
| 0.3.40 | 4 / 4 | |
| 0.3.39 | 4 / 3 | |
| 0.3.38 | 4 / 3 | |
| 0.3.37 | 4 / 3 | |
| 0.3.36 | 4 / 3 | |
| 0.3.35 | 4 / 3 | |
| 0.3.34 | 4 / 3 | |
| 0.3.33 | 4 / 3 | |
| 0.3.32 | 4 / 3 | |
| 0.3.31 | 4 / 3 | |
| 0.3.30 | 4 / 3 | |
| 0.3.29 | 4 / 3 | |
| 0.3.28 | 4 / 3 | |
| 0.3.27 | 4 / 3 | |
| 0.3.26 | 4 / 3 | |
| 0.3.25 | 4 / 3 | |
| 0.3.24 | 4 / 3 | |
| 0.3.23 | 4 / 3 | |
| 0.3.22 | 4 / 3 | |
| 0.3.21 | 4 / 3 | |
| 0.3.20 | 3 / 25 | |
| 0.3.19 | 3 / 25 | |
| 0.3.18 | 3 / 25 |
v0.14.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.