@firebase/app — Greenflagged

The primary entrypoint to the Firebase JS SDK

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
bogus-package	bogus-package	AI (bogus-package): Official Firebase SDK sub-package; short README and no keywords are typical for SDK sub-packages that rely on the main firebase package documentation.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): google-wombot is Google's official Firebase publishing bot; transition from firebase-ops to google-wombot is a documented infrastructure change across all Firebase packages.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are Firebase/Google team members; google-wombot is Google's automated publishing account. Legitimate team transition.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers are former Firebase team members. Combined with addition of google-wombot, this reflects a legitimate organizational transition.	ai	2026/04/22
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy is an artifact of comparing against a very old canary version; the package has 3716 versions and has been actively maintained throughout.	ai	2026/04/22
typosquat	typosquat.levenshtein:hapi	AI (typosquat): @firebase/app is the official Firebase JS SDK; levenshtein match against 'hapi' is a false positive for this scoped package.	ai	2026/04/21
typosquat	typosquat.levenshtein:pg	AI (typosquat): @firebase/app is the official Firebase JS SDK; levenshtein match against 'pg' is a false positive for this scoped package.	ai	2026/04/21
typosquat	typosquat.levenshtein:yup	AI (typosquat): @firebase/app is the official Firebase JS SDK; levenshtein match against 'yup' is a false positive for this scoped package.	ai	2026/04/21
typosquat	typosquat.levenshtein:ajv	AI (typosquat): @firebase/app is the official Firebase JS SDK; levenshtein match against 'ajv' is a false positive for this scoped package.	ai	2026/04/21
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a standard TypeScript runtime helper; implicit usage in compiled TS packages is expected and stable for this package.	ai	2026/04/21

Versions (showing 51 of 208)

Show 230 prereleases View all versions

Version	Deps	Published
0.14.12	5 / 6	2026-05-07
0.14.11	5 / 6	2026-04-09
0.14.10	5 / 6	2026-03-19
0.14.9	5 / 6	2026-02-27
0.14.8	5 / 6	2026-02-05
0.14.7	5 / 6	2026-01-14
0.14.6	5 / 6	2025-11-13
0.14.5	5 / 6	2025-10-30
0.14.4	5 / 6	2025-10-09
0.14.3	5 / 6	2025-09-18
0.14.2	5 / 6	2025-08-28
0.14.1	5 / 6	2025-08-07
0.14.0	5 / 6	2025-07-17
0.13.2	5 / 6	2025-06-30
0.13.1	5 / 6	2025-06-05
0.13.0	5 / 6	2025-05-20
0.12.3	5 / 6	2025-05-14
0.12.2	5 / 6	2025-05-14
0.12.1	5 / 6	2025-05-07
0.12.0	5 / 6	2025-05-07
0.11.5	5 / 6	2025-04-24
0.11.4	5 / 6	2025-03-31
0.11.3	5 / 6	2025-03-20
0.11.2	5 / 6	2025-02-27
0.11.1	5 / 6	2025-02-11
0.11.0	5 / 6	2025-02-06
0.10.18	5 / 6	2025-01-16
0.10.17	5 / 6	2024-12-12
0.10.16	5 / 6	2024-11-14
0.10.15	5 / 6	2024-10-22
0.10.14	5 / 6	2024-10-21
0.10.13	5 / 6	2024-10-10
0.10.12	5 / 6	2024-09-30
0.10.11	5 / 6	2024-09-18
0.10.10	5 / 6	2024-08-29
0.10.9	5 / 6	2024-08-15
0.10.8	5 / 6	2024-08-01
0.10.7	5 / 6	2024-07-19
0.10.6	5 / 6	2024-07-03
0.10.5	5 / 6	2024-05-27
0.10.4	5 / 6	2024-05-20
0.10.3	5 / 6	2024-05-13
0.10.2	5 / 6	2024-04-25
0.10.1	5 / 6	2024-04-11
0.10.0	5 / 6	2024-03-28
0.9.29	5 / 6	2024-03-14
0.9.28	5 / 6	2024-02-28
0.9.27	5 / 6	2024-02-01
0.9.26	5 / 6	2024-01-18
0.9.25	5 / 6	2023-12-05
0.9.24	5 / 6	2023-11-27