firebase
Firebase JavaScript library for web and Node.js
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:firebase-vertexai-preview.js | AI (source-diff): Standard minified Firebase ESM bundle for the Vertex AI preview module; imports from Google CDN, defines standard Firebase classes. Expected for this package. | ai | |
| source-diff | obfuscated-file:firebase-vertexai.js | AI (source-diff): Minified JavaScript is standard for production SDK bundles; sample shows legitimate Firebase code, not obfuscation for concealment. | ai | |
| source-diff | obfuscated-file:firebase-data-connect.js | AI (source-diff): Minified ES6 module code from Firebase's build process; standard for SDK distribution. Code is readable as legitimate Firebase logic. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New @firebase/ai dependency is a legitimate first-party Google Firebase sub-package for the Firebase AI Logic feature, consistent with Google's documented SDK roadmap. | ai | |
| source-diff | obfuscated-file:firebase-firestore-pipelines.js | AI (source-diff): Minified Firestore pipeline code; standard for production builds. No malicious patterns detected. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Firebase SDK regularly adds new modules/features across minor versions; large file counts are normal for this umbrella package. | ai | |
| source-diff | obfuscated-file:firebase-firestore-lite-pipelines.js | AI (source-diff): Minified Firestore Lite pipeline code; standard for production builds. No malicious patterns detected. | ai | |
| source-diff | obfuscated-file:firebase-ai.js | AI (source-diff): Minified Firebase AI module code; standard for production builds. No malicious patterns detected. | ai | |
| dependencies | unvetted-dep:@firebase/app-check-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/firestore-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/functions-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/remote-config-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/analytics-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/auth-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/installations | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/storage-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/messaging-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/util | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/storage | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/database | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/app-types | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/functions | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/messaging | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| dependencies | unvetted-dep:@firebase/app-compat | AI (dependencies): Firebase internal dependency; Google-controlled monorepo component, stable across versions. | ai | |
| provenance | no-provenance | AI (provenance): Firebase SDK published by Google's bot account; lack of Sigstore provenance is not a risk signal for this publisher. | ai | |
| phantom-deps | phantom-dep:@firebase/app-types | AI (phantom-deps): Internal Firebase dependency referenced in config; expected for modular architecture. | ai | |
| phantom-deps | phantom-dep:@firebase/util | AI (phantom-deps): Internal Firebase dependency referenced in config; expected for modular architecture. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): Firebase SDK legitimately uses fetch() to communicate with Firebase services. All 56 hits are in bundled compat modules; expected for this package. | ai |
Versions (showing 100 of 185)
v12.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.12.1-20260420210850
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.12.0-20260409172004
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.12.0-20260408221811
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.12.0-20260408201731
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.11.0-canary.f4e0086e3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.11.0-canary.bfb9accdc
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.11.0-canary.ba0bc39bb
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.11.0-canary.742e17a8e
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.11.0-canary.44ad4cc2e
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.11.0-20260317152345
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.10.0-canary.d7b182645
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.10.0-canary.891a0c9d4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.10.0-canary.843a8d789
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.10.0-canary.792c61671
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.10.0-canary.78384d32c
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.10.0-canary.22476e1bc
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.10.0-20260224183151
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.f0b0398eb
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.e4b2890fd
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.d7c311a4b
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.d4b22a872
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.c48b47674
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.9ced4281d
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.93eeffcb3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.920624ade
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.7b1e6ec79
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.4d2ab8507
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.47f85219d
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.46fa57f9e
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.35b284af4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-canary.2bd48a604
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.9.0-20260203132428
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.f9aaeca46
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.f9254b6d2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.d818df4e8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.c4a3a5643
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.b10a296fa
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.817151ee9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.8123231a1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.691a506ec
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.65a553baf
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.58ddd6e54
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.2e7432986
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-canary.08e3acdf0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-20260114192924
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.8.0-20260114160934
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.7.0-canary.efc0117ae
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.7.0-canary.d5ff5a4b1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.