firebase-admin
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Google's official SDK; provenance absence is common and not indicative of compromise for high-trust publishers. | ai | |
| dependencies | unvetted-dep:jwks-rsa | AI (dependencies): jwks-rsa is a standard JWKS client library appropriate for Firebase Admin SDK's JWT/auth functionality. | ai | |
| dependencies | unvetted-dep:farmhash-modern | AI (dependencies): farmhash-modern is a legitimate hashing library used by firebase-admin; no security concern. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in firebase-admin is used to decode server-returned config file contents (Android app config). This is documented, transparent behavior with input validation — not a malicious payload. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a TypeScript type package legitimately declared as a dependency in this SDK for Node.js type support; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:farmhash-modern | AI (phantom-deps): farmhash-modern is referenced in config files for optional hashing functionality; its indirect usage pattern is expected for this package. | ai | |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 13.10.0 | 8 / 50 | |
| 13.9.0 | 10 / 51 | |
| 13.8.0 | 10 / 51 | |
| 13.7.0 | 10 / 51 | |
| 13.6.1 | 11 / 50 | |
| 13.6.0 | 11 / 50 | |
| 13.5.0 | 11 / 50 | |
| 13.4.0 | 10 / 50 | |
| 13.3.0 | 10 / 50 | |
| 13.2.0 | 10 / 50 | |
| 13.1.0 | 10 / 50 | |
| 13.0.2 | 10 / 50 | |
| 13.0.1 | 10 / 50 | |
| 13.0.0 | 10 / 50 | |
| 12.7.0 | 11 / 50 | |
| 12.6.0 | 11 / 50 | |
| 12.5.0 | 11 / 50 | |
| 12.4.0 | 11 / 50 | |
| 12.3.1 | 11 / 50 | |
| 12.3.0 | 11 / 50 | |
| 12.2.0 | 12 / 50 | |
| 12.1.1 | 12 / 50 | |
| 12.1.0 | 12 / 50 | |
| 12.0.0 | 10 / 50 | |
v13.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.8.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.7.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.6.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.6.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.5.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.4.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v13.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v12.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.