@firebase/auth-compat — Greenflagged

FirebaseAuth compatibility package that uses API style compatible with Firebase@8 and prior versions

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	large-new-source-files	AI (source-diff): Firebase auth-compat is a large SDK compatibility package with multiple build output formats; adding source files across versions is normal for this package.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): undici is a well-known Node.js HTTP client maintained by the Node.js team; this is a legitimate swap from node-fetch to undici, a common modernization pattern for Firebase SDK packages.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): chholland is a long-standing Firebase/Google publisher (2677 days, 1044 approved packages). The transition from feiyang.chen reflects a legitimate internal Firebase team handoff, not a compromise.	ai	2026/04/22
phantom-deps	phantom-dep:selenium-webdriver	AI (phantom-deps): selenium-webdriver is used in webdriver integration tests within this monorepo package; its presence in dependencies is a packaging quirk, not a security concern.	ai	2026/04/22
dependencies	unvetted-dep:undici	AI (dependencies): undici is a well-known HTTP client used legitimately by Firebase Auth for Node.js HTTP operations; stable and expected dependency for this package.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Firebase packages published via google-wombot do not currently include Sigstore provenance; this is consistent across the entire Firebase JS SDK release pipeline.	ai	2026/04/22
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a standard TypeScript runtime helper; its use as an implicit dependency is a well-known pattern in Firebase/TypeScript packages.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): Firebase SDK sub-packages routinely lack keywords and detailed READMEs; documentation lives in the parent SDK. Not a spam indicator for this package.	ai	2026/04/22

Versions (showing 51 of 86)

Show 238 prereleases View all versions

Version	Deps	Published
0.6.6	5 / 7	2026-05-07
0.6.5	5 / 7	2026-04-09
0.6.4	5 / 7	2026-03-19
0.6.3	5 / 7	2026-02-27
0.6.2	5 / 7	2025-12-16
0.6.1	5 / 7	2025-10-30
0.6.0	5 / 7	2025-07-17
0.5.28	5 / 7	2025-06-30
0.5.27	5 / 7	2025-06-10
0.5.26	5 / 7	2025-05-22
0.5.25	5 / 7	2025-05-20
0.5.24	5 / 7	2025-05-14
0.5.23	5 / 7	2025-05-14
0.5.22	5 / 7	2025-05-07
0.5.21	5 / 7	2025-04-24
0.5.20	5 / 7	2025-03-31
0.5.19	5 / 7	2025-02-27
0.5.18	5 / 7	2025-02-06
0.5.17	5 / 7	2025-01-16
0.5.16	5 / 7	2024-11-14
0.5.15	5 / 7	2024-10-21
0.5.14	6 / 7	2024-09-18
0.5.13	6 / 7	2024-08-29
0.5.12	6 / 7	2024-08-15
0.5.11	6 / 7	2024-08-01
0.5.10	6 / 7	2024-07-03
0.5.9	6 / 7	2024-05-27
0.5.8	6 / 7	2024-05-13
0.5.7	6 / 7	2024-04-25
0.5.6	6 / 7	2024-04-11
0.5.5	6 / 7	2024-03-28
0.5.4	6 / 7	2024-03-14
0.5.3	6 / 7	2024-02-28
0.5.2	6 / 7	2024-02-01
0.5.1	6 / 7	2023-12-05
0.5.0	6 / 7	2023-11-27
0.4.9	6 / 7	2023-11-09
0.4.8	6 / 7	2023-10-27
0.4.7	6 / 7	2023-10-26
0.4.6	6 / 7	2023-08-22
0.4.5	6 / 7	2023-08-17
0.4.4	6 / 7	2023-07-20
0.4.3	6 / 7	2023-07-07
0.4.2	6 / 7	2023-05-12
0.4.1	6 / 7	2023-04-27
0.4.0	6 / 7	2023-04-18
0.3.7	6 / 7	2023-03-31
0.3.6	6 / 7	2023-03-30
0.3.5	6 / 7	2023-03-16
0.3.4	6 / 7	2023-03-02
0.3.3	6 / 7	2023-02-03