← Home

@angular/fire

npm Repository Homepage

Angular + Firebase = ❤️

8
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

angularangularfire2

Keywords

angularfirebaserxjsangularfireangularfire2

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require in schematics/firebaseTools.js resolves firebase-tools from global npm root — a standard Angular schematic pattern, not arbitrary code loading. ai
phantom-deps phantom-dep:node-fetch AI (phantom-deps): node-fetch is referenced in config files but not directly imported; minor packaging artifact with no security implication for this established package. ai
semgrep semgrep:child-process-spawn AI (semgrep): child_process.spawn in @angular/fire deploy schematics is a documented, legitimate pattern for invoking Firebase CLI during Angular deployments. ai
semgrep semgrep:child-process-import AI (semgrep): @angular/fire schematics legitimately use child_process to run deployment CLI commands (e.g., firebase deploy). This is expected behavior in Angular deployment schematics. ai
phantom-deps phantom-dep:tslib AI (phantom-deps): tslib is a standard TypeScript runtime helper used implicitly by Angular libraries compiled with importHelpers. This is a well-known pattern, not a risk. ai
typosquat typosquat.levenshtein:vite AI (typosquat): @angular/fire is a scoped Angular package with no relation to 'vite'. The Levenshtein match is a false positive; the @angular namespace and 2786-day history confirm legitimacy. ai
dependencies unvetted-dep:rxfire AI (dependencies): rxfire is the official RxJS wrapper for Firebase, maintained by the Firebase team and a natural, expected dependency of @angular/fire. ai

Versions (showing 8 of 8)

Show 1 prerelease
Version Deps Published
20.0.1 5 / 0
20.0.0 5 / 0
19.2.0 5 / 0
19.1.0 5 / 0
19.0.0 5 / 0
18.0.1 16 / 0
18.0.0 16 / 0
17.1.0 16 / 0

v20.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v18.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v18.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v17.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.