@firebase/auth
The Firebase Authentication component of the Firebase JS SDK.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/cordova/popup_redirect-7bc16c1c.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build output. Long lines are from bundling, not malicious obfuscation. Apache license headers and readable code structure confirm legitimacy. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-3581c207.js | AI (source-diff): Firebase Auth ships bundled distribution files with long lines; the sample shows readable, licensed Firebase SDK code — not obfuscation. This is expected build output for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-66d06902.js | AI (source-diff): File is a standard rollup bundle output with readable code and Apache 2.0 license headers. Long lines are from bundling, not obfuscation. Normal for Firebase's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-c7dbd691.js | AI (source-diff): Firebase Auth ships bundled dist files across multiple targets; long lines are standard Rollup output, not obfuscation. Sample shows readable, Apache-licensed Firebase code. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-24cd0788.js | AI (source-diff): Firebase Auth ships bundled/minified dist files as part of its standard build pipeline. Long lines are from rollup bundling, not obfuscation. Code sample shows clean, readable JS with Apache 2.0 license headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-da2684c2.js | AI (source-diff): Firebase SDK ships bundled/minified build artifacts as standard practice; the sample shows clean, readable Apache-licensed code — not obfuscation. False positive for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-9a353981.js | AI (source-diff): Firebase auth ships bundled/minified dist files as standard build output. Long lines are from Rollup bundling, not obfuscation — Apache license headers and readable Firebase imports confirm legitimacy. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-c2571546.js | AI (source-diff): Firebase Auth ships bundled/minified dist files across multiple targets as part of its standard build pipeline. The sample shows legitimate Apache-licensed Firebase code, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-ad7fe4fc.js | AI (source-diff): Firebase Auth ships bundled/minified dist files as standard build artifacts. Long lines are from Rollup bundling, not obfuscation. Source maps confirm legitimate build pipeline. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-46f10f36.js | AI (source-diff): Firebase SDK dist files are bundled/minified build artifacts with source maps; the sample shows clean, readable Apache-2.0-licensed code. Long lines are from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-093ef9d6.js | AI (source-diff): Firebase dist files are standard Rollup bundles with long lines; the sample shows readable Apache-licensed Firebase code, not obfuscation. This is a stable false positive for Firebase's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-03dca108.js | AI (source-diff): Standard rollup/webpack bundled output for Firebase Auth's Cordova build target. Long lines are minified bundle artifacts, not malicious obfuscation. Consistent with all prior Firebase Auth releases. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-263a374a.js | AI (source-diff): Standard rollup/esbuild bundled output for Firebase SDK dist files; long lines are minified bundles, not malicious obfuscation. Expected for this package's build process. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-3118bd62.js | AI (source-diff): Standard rollup/webpack bundle output for Firebase SDK dist files; long lines are from bundling, not malicious obfuscation. Readable license headers and Firebase imports confirm legitimacy. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-2447574a.js | AI (source-diff): Firebase Auth ships bundled/minified dist files as part of its standard build pipeline. Long lines are from rollup bundling, not obfuscation. Content shows legitimate Firebase SDK code with Apache 2.0 headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-186630dc.js | AI (source-diff): Firebase dist files are standard rollup/esbuild bundles with long lines; sample shows readable, Apache-licensed Firebase source code — not obfuscated. Expected build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-da1ac2cd.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build artifacts. The sample shows readable Apache-licensed Firebase source code — long lines are from bundler output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-4d64d618.js | AI (source-diff): Standard Rollup bundle output for Firebase Auth's Cordova build; long lines are bundler artifacts, not obfuscation. Pattern is consistent across all Firebase Auth dist files. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-fdb6df2b.js | AI (source-diff): Firebase SDK ships bundled/minified dist files as standard build output; long lines are from Rollup bundling, not obfuscation. Code is readable and imports from known Firebase packages. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-f1b168d0.js | AI (source-diff): Firebase SDK ships bundled Rollup output with long lines; sample shows readable, licensed JS with standard Firebase imports — not actual obfuscation. Pattern is stable across Firebase build pipeline releases. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-42f843dc.js | AI (source-diff): Firebase SDK dist files are standard bundled/minified build artifacts. Long lines are from bundling, not obfuscation. Sample shows readable imports and Apache license headers — no malicious content. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-1ecf8655.js | AI (source-diff): Long lines are standard bundler/minifier output for Firebase SDK dist artifacts, not obfuscation. Sample confirms readable licensed code with normal ES module imports. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-34bd4ded.js | AI (source-diff): File is standard minified build output from Firebase SDK bundling pipeline, not actual obfuscation. Long lines are expected for bundled/minified JS artifacts in this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-6ecc1633.js | AI (source-diff): Firebase SDK ships bundled/minified build artifacts with long lines as standard practice; the sample shows clean, readable, Apache-licensed code — not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-7bac3e01.js | AI (source-diff): Firebase Auth ships bundled Rollup output as dist files; long lines are standard bundler output, not obfuscation. Sample shows readable Apache-licensed Firebase code. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-1fa0f78f.js | AI (source-diff): Firebase dist files are standard bundler output (Rollup), not obfuscated. Long lines are from module concatenation; code is clearly readable Apache-licensed Firebase source. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-c0f5766f.js | AI (source-diff): Firebase Auth ships minified/bundled JS as standard build output. The flagged file contains readable license headers and Firebase imports — it is minified, not maliciously obfuscated. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-d59664de.js | AI (source-diff): Firebase build artifacts are bundled/minified by design; the sample shows readable, licensed JS code — not obfuscation. This pattern is stable across all Firebase auth versions. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-dfa72af2.js | AI (source-diff): File is standard Rollup bundle output with readable code and Apache 2.0 license headers; long lines are from bundling, not obfuscation. Source maps are included, confirming legitimate build artifact. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-0de58d29.js | AI (source-diff): Firebase SDK ships bundled/minified dist files as standard practice; long lines are rollup bundle output with Apache license headers, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-ba57bff2.js | AI (source-diff): Firebase SDK ships bundled/minified dist files as standard practice; long lines are rollup bundle output, not obfuscation. Sample confirms readable, licensed Firebase code. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-a5c908c8.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build artifacts. The sample confirms readable Apache-licensed source code bundled by a build tool, not malicious obfuscation. This pattern is stable across all Firebase SDK releases. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-423bc907.js | AI (source-diff): Firebase Auth dist files are bundled build artifacts with long lines; the sample shows clean, readable, Apache-licensed JS — not obfuscation. Standard for Firebase SDK canary releases. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-f4e53414.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build artifacts. Long lines are rollup output, not obfuscation. This pattern is stable across all Firebase Auth versions. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-6707eac2.js | AI (source-diff): Firebase Auth ships bundled/minified build artifacts with long lines as standard practice; the sample shows readable, licensed JS code — not obfuscation. This pattern is stable across all Firebase Auth versions. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-691f85bf.js | AI (source-diff): File is standard rollup/esbuild bundled output for Firebase Auth SDK dist artifacts; long lines are minified JS, not malicious obfuscation. Expected for this package's build process. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-52c1bf24.js | AI (source-diff): Firebase SDK dist files are standard rollup/esbuild bundles with long lines; not obfuscated malicious code. This pattern is stable across all Firebase auth dist artifacts. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-97844797.js | AI (source-diff): Firebase Auth dist/ files are standard rollup/esbuild minified bundles with long lines; this is expected build output, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-35c4e633.js | AI (source-diff): Firebase SDK dist files are bundled/minified build artifacts with long lines; the sample shows standard readable Firebase Auth code with Apache 2.0 license headers, not actual obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-0835a991.js | AI (source-diff): Firebase build artifacts are bundled/minified by Rollup, producing long lines that trigger this rule. Sample shows readable Apache-licensed Firebase code with proper source maps included — not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-7c22185a.js | AI (source-diff): Flagged file is a standard rollup bundle with long lines from minification, not actual obfuscation. Apache 2.0 headers and readable code visible in sample. Expected artifact for Firebase SDK dist output. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-43eb3094.js | AI (source-diff): Firebase Auth ships bundled/minified JS as standard build output. Long lines are rollup bundle artifacts with readable code and Apache license headers, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-d37d0e09.js | AI (source-diff): Firebase Auth ships bundled/minified dist files as part of its standard build pipeline. Long lines are Rollup bundle output, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-52339421.js | AI (source-diff): Firebase Auth dist files are standard rollup bundles with long lines from concatenation, not obfuscation. Apache 2.0 headers and readable code visible in sample; source maps confirm legitimate build artifacts. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-1da6d3b9.js | AI (source-diff): Firebase dist files are standard Rollup bundles with long lines; the sample shows readable licensed code, not actual obfuscation. This pattern is stable for Firebase's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-f91dc916.js | AI (source-diff): This is a standard rollup/webpack bundle with readable imports and Apache license headers. Long lines are from minification of Firebase SDK source, not obfuscation. Expected for Firebase dist artifacts. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-95cb7247.js | AI (source-diff): Firebase SDK ships minified/bundled dist files as standard practice; the sample shows legitimate Firebase Auth code with Apache 2.0 license headers, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-e3bbb02d.js | AI (source-diff): Firebase build pipeline produces content-hashed bundles with long lines from bundling, not obfuscation. Source maps are present. This pattern is stable for Firebase Auth dist files. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-bc231497.js | AI (source-diff): Firebase SDK dist artifacts are minified bundles; long lines are from bundling, not obfuscation. Sample shows readable Apache-licensed Firebase code. This pattern is stable across all Firebase auth releases. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-8da1a88a.js | AI (source-diff): Firebase Auth ships bundled Rollup output with long lines; the sample shows readable, licensed JS code — not actual obfuscation. Standard build artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-b592d67f.js | AI (source-diff): Firebase Auth ships minified/bundled dist files for each platform target; long lines are standard build output, not obfuscation. Sample confirms legitimate Apache-licensed Firebase code. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-d5425cae.js | AI (source-diff): Firebase Auth ships bundled dist files with long lines across all targets; the sample shows standard readable Apache-licensed Firebase code, not actual obfuscation. This pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-d1537c3d.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build artifacts. The sample shows clean Apache-licensed Firebase source code; long lines are from rollup bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-964b0546.js | AI (source-diff): Firebase dist/ files are standard rollup/webpack bundles with long lines; the sample shows readable Apache-licensed Firebase code, not malicious obfuscation. Expected for this package's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-4b0b0fdb.js | AI (source-diff): This is a standard bundled/minified build artifact for Firebase Auth's Cordova target. The sample shows clean Apache-licensed Firebase source code; long lines are from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-33b3f70d.js | AI (source-diff): Firebase SDK ships bundled/minified dist files by design; long lines are rollup output, not malicious obfuscation. Code is clearly readable Firebase Auth logic with Apache 2.0 headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-e5452eec.js | AI (source-diff): Firebase SDK ships bundled/minified build artifacts as standard practice; long lines are rollup output, not obfuscation. Sample confirms readable Firebase code with Apache 2.0 license headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-030fa9f7.js | AI (source-diff): Firebase Auth ships bundled/minified dist files as part of its standard build pipeline. Long lines are rollup output, not obfuscation — code is readable Apache-licensed Firebase JS. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-fe4d893d.js | AI (source-diff): Firebase SDK ships bundled/minified dist files with long lines; this is standard build output, not obfuscation. Pattern is stable across all Firebase auth releases. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-0332b506.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build artifacts. Long lines are from bundling, not obfuscation. Content is clearly legitimate Firebase SDK code with Apache 2.0 license headers. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Firebase EAP pre-release versions follow this naming convention (eap-<feature>.<N>.<commithash>); this is google-wombot's established release pattern, not a malicious version string. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-0fa08286.js | AI (source-diff): Firebase Auth ships minified rollup bundle chunks with content-hash filenames as standard build artifacts; long lines are minification, not obfuscation. Source maps are included. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-e11cd170.js | AI (source-diff): Standard bundled/minified build artifact for Firebase Auth Cordova distribution. Long lines are from rollup bundling, not obfuscation. Code is clearly readable Firebase Auth source with Apache 2.0 license headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-8d67604d.js | AI (source-diff): Firebase Auth ships bundled/minified dist files as standard build output. Long lines are rollup bundle artifacts, not obfuscation. Imports are all legitimate Firebase packages with readable license headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-ce95b188.js | AI (source-diff): Firebase SDK dist files are bundled rollup output with long lines; the sample shows readable, licensed JS code — not obfuscation. This pattern is stable across all Firebase auth releases. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-a5c57db9.js | AI (source-diff): Firebase SDK dist files are minified build artifacts with long lines; the sample shows legitimate Firebase Auth code with Apache license headers, not actual obfuscation or malicious content. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-c7bb68cd.js | AI (source-diff): Firebase Auth ships bundled Rollup/Vite dist files across multiple targets; long lines are standard bundler output, not obfuscation. Source maps are present confirming legitimate build artifacts. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-6f961ec9.js | AI (source-diff): Firebase dist files are bundled build artifacts with long lines; sample shows clean, Apache-licensed, readable source code — not obfuscation. Standard for this SDK's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-1337d4d9.js | AI (source-diff): Firebase SDK dist files are standard Rollup bundles with long lines triggering the obfuscation heuristic; the sample shows readable, licensed Firebase code — not actual obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-e9672475.js | AI (source-diff): Standard rollup/webpack bundle output for Firebase SDK distribution; long lines are minified JS, not malicious obfuscation. Expected artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-4e1b3303.js | AI (source-diff): Firebase Auth ships bundled/minified dist files as part of its standard build pipeline. Long lines are expected in bundled SDK output, not malicious obfuscation. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-0f39d821.js | AI (source-diff): Firebase SDK ships bundled/minified build artifacts for Cordova target; long lines are rollup output, not obfuscation. Source maps confirm legitimate build provenance. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-b4b5a188.js | AI (source-diff): Firebase SDK ships bundled/minified dist files with long lines as standard build output. Sample shows readable Apache-licensed TypeScript-compiled code, not actual obfuscation. This pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-58faecee.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build output; long lines in dist/ are expected and the sample shows legitimate Firebase SDK code with Apache 2.0 license headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-73b8b0b9.js | AI (source-diff): Standard rollup-bundled/minified dist output for Firebase Auth SDK. Sample shows readable Apache-licensed Firebase code, not actual obfuscation. Expected artifact for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-7b3cfc5b.js | AI (source-diff): Firebase SDK ships minified/bundled dist artifacts with long lines; the sample shows readable, licensed TypeScript-compiled code — not obfuscation. This pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-176dbc3d.js | AI (source-diff): Firebase Auth ships bundled/minified dist files across multiple targets as part of its standard build pipeline. Long lines are rollup bundle output, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-106f885f.js | AI (source-diff): Firebase SDK ships Rollup-bundled build artifacts with long lines; this is standard build output with Apache 2.0 headers and readable Firebase imports, not obfuscation. | ai | |
| dependencies | unvetted-dep:node-fetch | AI (dependencies): node-fetch 2.6.5 is a stable, widely-used polyfill for Node.js; appropriate for Firebase SDK's Node runtime support. | ai | |
| phantom-deps | phantom-dep:selenium-webdriver | AI (phantom-deps): Selenium-webdriver is a test/build dependency referenced in config, not shipped code; standard for SDK test infrastructure. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-11318c74.js | AI (source-diff): Minified distribution bundle with standard TypeScript transpilation helpers and Firebase imports; expected for compiled SDK artifacts. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-c351c83e.js | AI (source-diff): Firebase SDK ships bundled/minified dist files with long lines as standard practice. Sample shows legitimate Apache-licensed Firebase code, not obfuscation or malware. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-8d08f578.js | AI (source-diff): Firebase SDK ships bundled/minified dist files as standard build artifacts; long lines are from bundling, not obfuscation. Code is readable and contains Apache 2.0 license headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-31aa6bae.js | AI (source-diff): Firebase SDK ships minified/bundled JS as standard build output. The sample shows readable, licensed TypeScript-compiled code — not obfuscation. Long lines are expected in bundled artifacts. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-064215a6.js | AI (source-diff): Firebase SDK ships bundled/minified JS with long lines as standard build output. Sample shows readable Apache-licensed Firebase code, not actual obfuscation. This pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-e795474a.js | AI (source-diff): Firebase ships bundled dist files with long lines as standard build artifacts. The sample shows readable, licensed JS code — not obfuscation. This pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-6fcd583a.js | AI (source-diff): Firebase ships minified/bundled dist files as standard practice. The sample shows readable, Apache-licensed Firebase code — not obfuscation. Long lines are from bundling, not malicious intent. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-a8611c3f.js | AI (source-diff): Firebase Auth ships bundled/minified dist files with long lines as standard build artifacts. The sample shows readable, licensed TypeScript-compiled code importing from known Firebase packages — not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-abcbab4c.js | AI (source-diff): Minified/obfuscated files are standard for Firebase SDK distributions across multiple build targets; sample shows TypeScript transpilation artifacts, not malicious code. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-428532f6.js | AI (source-diff): Firebase Auth ships bundled/minified dist files as standard build artifacts; long lines are from bundling, not obfuscation. Sample shows readable Apache-licensed Firebase SDK code. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-d69259ab.js | AI (source-diff): Minified/transpiled TypeScript output from Firebase's build process; standard for compiled JS SDKs, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-29a29390.js | AI (source-diff): Firebase Auth ships bundled dist files with long lines as standard build output. Sample shows readable Apache-licensed code with named imports — not obfuscation. Source maps are included confirming legitimate build artifacts. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-1c4453e0.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build artifacts. The sample shows readable ES module imports and Apache license headers — long lines are from bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-0008fafa.js | AI (source-diff): Firebase Auth ships bundled rollup output with long lines across multiple dist targets; this is standard build pipeline output, not obfuscation. Stable pattern for this package. | ai | |
| dependencies | unvetted-dep:@firebase/util | AI (dependencies): @firebase/util is a first-party Google Firebase utility package published by the same team; unvetted status is a pipeline gap, not a real risk for this package. | ai | |
| dependencies | unvetted-dep:undici | AI (dependencies): undici is a standard Node.js HTTP client; low-risk dependency for Firebase SDK. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-5323ec00.js | AI (source-diff): File is standard Firebase bundled output with readable code and Apache 2.0 license headers — long lines are from bundling, not obfuscation. False positive for this package's build pipeline. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-75bd0ca3.js | AI (source-diff): Firebase SDK ships bundled/minified JS as standard distribution artifacts. The sample shows readable, licensed code — long lines are from bundling, not obfuscation. This pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-6806e8a5.js | AI (source-diff): Firebase Auth ships bundled/minified dist files across all build targets; long lines are standard bundler output, not obfuscation. Sample confirms readable Apache-licensed Firebase code. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-0b0348b1.js | AI (source-diff): Firebase Auth ships bundled/minified dist files with long lines as standard build artifacts. The sample shows readable Firebase SDK code with Apache 2.0 headers, not actual obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-2822224b.js | AI (source-diff): Firebase SDK ships minified/bundled dist files with long lines; this is standard build output with readable license headers and Firebase imports, not actual obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-c6b025ce.js | AI (source-diff): Firebase Auth ships bundled/minified dist files with long lines as standard build output. The sample shows readable, licensed Firebase SDK code — not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-b1926ef8.js | AI (source-diff): Firebase SDK ships minified/bundled dist artifacts as standard build output. Long lines are from bundling, not obfuscation — code is readable Firebase SDK logic with Apache 2.0 license headers. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-830b8267.js | AI (source-diff): Firebase Auth ships minified/bundled dist files as standard build artifacts. Long lines are from bundling, not obfuscation — code is readable with license headers and named imports. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-262d190d.js | AI (source-diff): Firebase Auth dist files are bundled/minified build artifacts with long lines; the sample shows readable, licensed JS code. Source maps are included. This pattern is stable for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-5ec7b405.js | AI (source-diff): Firebase SDK ships bundled/minified dist files as standard build artifacts; the sample shows readable, licensed JS code — not obfuscation. This pattern is stable across all Firebase Auth versions. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-29c7321e.js | AI (source-diff): Firebase Auth ships bundled Rollup output as dist files; long lines are standard minified bundle artifacts, not obfuscation. Sample shows readable imports and Apache 2.0 license headers. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a well-known implicit dependency of TypeScript-compiled packages; not a security concern for this package. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-0aff4957.js | AI (source-diff): Firebase SDK ships minified/bundled dist files as standard practice; the sample shows readable, licensed code — not malicious obfuscation. This pattern is stable across Firebase Auth releases. | ai | |
| source-diff | obfuscated-file:dist/cordova/popup_redirect-560b27f4.js | AI (source-diff): File is standard minified Firebase SDK build output with Apache 2.0 license headers and recognizable Firebase imports — not malicious obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): Firebase SDK maintenance transitions are legitimate; publisher change aligns with Firebase team org changes, not account compromise. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 16.9x size increase is explained by bundled platform-specific builds and source maps; no injected/obfuscated payloads detected. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 658-day gap is consistent with Firebase's release cadence; not indicative of account takeover for a major SDK. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (tslib, @firebase/util, @firebase/logger, @firebase/component) are all legitimate Firebase ecosystem packages; no malicious additions. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 1904 new files reflect multi-platform SDK build outputs (esm5, esm2017, cordova, rn, node, webworker); expected for SDK version bump. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation not yet standard for Firebase SDK releases; not a security blocker for established publishers. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are Google Firebase team members and the google-wombot automation account; consistent with normal team changes at Google. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer consolidation to google-wombot is a documented internal Google transition, not a takeover. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Firebase SDK canary packages routinely lack detailed READMEs and keywords; this is a pre-release internal package, not spam. | ai | |

Versions (showing 51 of 169)
| Version | Deps | Published |
|---|---|---|
| 1.13.0 | 4 / 12 | |
| 1.12.2 | 4 / 12 | |
| 1.12.1 | 4 / 12 | |
| 1.12.0 | 4 / 12 | |
| 1.11.1 | 4 / 12 | |
| 1.11.0 | 4 / 12 | |
| 1.10.8 | 4 / 12 | |
| 1.10.7 | 4 / 12 | |
| 1.10.6 | 4 / 12 | |
| 1.10.5 | 4 / 12 | |
| 1.10.4 | 4 / 12 | |
| 1.10.3 | 4 / 12 | |
| 1.10.2 | 4 / 12 | |
| 1.10.1 | 4 / 12 | |
| 1.10.0 | 4 / 12 | |
| 1.9.1 | 4 / 11 | |
| 1.9.0 | 4 / 11 | |
| 1.8.2 | 4 / 11 | |
| 1.8.1 | 4 / 11 | |
| 1.8.0 | 4 / 11 | |
| 1.7.9 | 5 / 11 | |
| 1.7.8 | 5 / 11 | |
| 1.7.7 | 5 / 11 | |
| 1.7.6 | 5 / 11 | |
| 1.7.5 | 5 / 11 | |
| 1.7.4 | 5 / 11 | |
| 1.7.3 | 5 / 11 | |
| 1.7.2 | 5 / 11 | |
| 1.7.1 | 5 / 11 | |
| 1.7.0 | 5 / 11 | |
| 1.6.2 | 5 / 11 | |
| 1.6.1 | 5 / 11 | |
| 1.6.0 | 5 / 11 | |
| 1.5.1 | 5 / 11 | |
| 1.5.0 | 5 / 11 | |
| 1.4.0 | 5 / 11 | |
| 1.3.2 | 5 / 11 | |
| 1.3.1 | 5 / 11 | |
| 1.3.0 | 5 / 11 | |
| 1.2.0 | 6 / 11 | |
| 1.1.0 | 6 / 11 | |
| 1.0.0 | 6 / 11 | |
| 0.23.2 | 5 / 11 | |
| 0.23.1 | 5 / 11 | |
| 0.23.0 | 5 / 11 | |
| 0.22.0 | 5 / 11 | |
| 0.21.6 | 5 / 11 | |
| 0.21.5 | 5 / 10 | |
| 0.21.4 | 5 / 10 | |
| 0.21.3 | 5 / 10 | |
| 0.21.2 | 5 / 10 | |

v1.13.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.23.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-27. This could indicate a legitimate maintainer transition or an account compromise.
v0.23.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.22.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-03-02. This could indicate a legitimate maintainer transition or an account compromise.
v0.21.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.21.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.