firebase-tools — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Keywords

cdnclisslcloudhostingfirebaserealtimewebsocketssynchronization

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	large-new-source-files	AI (source-diff): firebase-tools is a large CLI tool that regularly adds many source files per release; this pattern is expected and not indicative of injected code.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): firebase-tools regularly adds new dependencies as the CLI evolves; tar is a well-known, legitimate npm package appropriate for a CLI tool of this scope.	ai	2026/04/24
phantom-deps	phantom-dep:@apphosting/common	AI (phantom-deps): Phantom dependency referenced in config; legitimate for Firebase App Hosting feature.	ai	2026/04/24
phantom-deps	phantom-dep:pglite-2	AI (phantom-deps): Phantom dependency referenced in config; legitimate for Firebase feature integration.	ai	2026/04/24
phantom-deps	phantom-dep:gaxios	AI (phantom-deps): Phantom dependency referenced in config; legitimate for CLI tool managing multiple Firebase services.	ai	2026/04/24
phantom-deps	phantom-dep:@electric-sql/pglite-tools	AI (phantom-deps): Phantom dependency referenced in config; legitimate for Firebase database feature.	ai	2026/04/24
phantom-deps	phantom-dep:universal-analytics	AI (phantom-deps): Phantom dependency referenced in config; legitimate for Firebase analytics integration.	ai	2026/04/24
dependencies	unvetted-dep:pglite-2	AI (dependencies): pglite-2 is a legitimate dependency for firebase-tools' local emulator functionality; expected for this package.	ai	2026/04/24
dependencies	unvetted-dep:pg-gateway	AI (dependencies): pg-gateway is a legitimate dependency for firebase-tools' emulator/dataconnect functionality; expected for this package.	ai	2026/04/24
dependencies	unvetted-dep:@google-cloud/cloud-sql-connector	AI (dependencies): Official Google Cloud connector package, consistent with Firebase tooling ecosystem. Expected dependency for firebase-tools.	ai	2026/04/24
dependencies	unvetted-dep:@apphosting/build	AI (dependencies): Google App Hosting build package, consistent with Firebase App Hosting feature development in firebase-tools.	ai	2026/04/24
phantom-deps	phantom-dep:mime	AI (phantom-deps): Phantom deps are common in monorepos and packages with indirect transitive usage; not a security issue.	ai	2026/04/24
phantom-deps	phantom-dep:deep-equal-in-any-order	AI (phantom-deps): Phantom deps are common in monorepos and packages with indirect transitive usage; not a security issue.	ai	2026/04/24
dependencies	unvetted-dep:@google-cloud/pubsub	AI (dependencies): Google's own Pub/Sub client library; expected dependency for a Google Firebase CLI tool.	ai	2026/04/24
dependencies	unvetted-dep:exegesis	AI (dependencies): exegesis is a legitimate OpenAPI middleware library; appropriate dependency for firebase-tools.	ai	2026/04/24
dependencies	unvetted-dep:stream-json	AI (dependencies): stream-json is a well-known streaming JSON parser; appropriate for firebase-tools data handling.	ai	2026/04/24
dependencies	unvetted-dep:superstatic	AI (dependencies): superstatic is the Firebase static file server used by firebase-tools for local hosting emulation.	ai	2026/04/24
dependencies	unvetted-dep:exegesis-express	AI (dependencies): exegesis-express is a legitimate Express middleware for OpenAPI; appropriate for firebase-tools.	ai	2026/04/24
dependencies	unvetted-dep:update-notifier-cjs	AI (dependencies): update-notifier-cjs is a CJS fork of update-notifier; standard CLI update notification pattern.	ai	2026/04/24
dependencies	unvetted-dep:deep-equal-in-any-order	AI (dependencies): Test utility library; low risk, appropriate for firebase-tools.	ai	2026/04/24
provenance	no-provenance	AI (provenance): firebase-tools is a high-trust Google package with 4400+ days of history; lack of Sigstore provenance is not a disqualifier here.	ai	2026/04/24
semgrep	semgrep:eval-usage	AI (semgrep): eval('require') is a bundler workaround for dynamic imports; standard pattern in Node.js tooling.	ai	2026/04/24
semgrep	semgrep:new-function-constructor	AI (semgrep): Standard ESM dynamic import shim in CJS context; not malicious code generation.	ai	2026/04/24
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Connects to 127.0.0.1 (localhost) for local emulator discovery; completely benign.	ai	2026/04/24
semgrep	semgrep:base64-decode	AI (semgrep): Base64 validation in account import functionality; expected for Firebase auth tooling.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): Standard CLI command-loader pattern: require(`./${name}`) from known commands directory.	ai	2026/04/24
semgrep	semgrep:child-process-spawn	AI (semgrep): CLI tool spawning processes for lifecycle hooks is core functionality.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): Firebase CLI necessarily spawns child processes for builds, deployments, and emulators.	ai	2026/04/24
semgrep	semgrep:env-spread	AI (semgrep): CLI tool saves/restores process.env during local builds; standard behavior for build orchestration, not secret exfiltration.	ai	2026/04/24