@firebase/functions — Greenflagged

This is the Firebase Functions component of the Firebase JS SDK.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Firebase SDK undergoes routine team transitions; removal of prior maintainers alongside addition of Google Firebase team members is expected for this official Google package.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): feiyang.chen and hiranya911 are established Firebase team members; maintainer additions reflect legitimate Firebase SDK team changes.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): feiyang.chen is a known Firebase/Google team member with 49 published packages and long history; the 2018 publisher transition is a documented Firebase team change, not a compromise.	ai	2026/04/22
phantom-deps	phantom-dep:@firebase/messaging-types	AI (phantom-deps): Same @firebase org scope; used for type declarations in Firebase SDK monorepo packages, not a runtime import. Common pattern across Firebase packages.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): undici is a legitimate, widely-used HTTP client replacing node-fetch; not a suspicious dependency injection pattern.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Google-published Firebase SDK; provenance attestation is a future-state improvement, not a security defect for established publishers.	ai	2026/04/22
publish-pattern	dormant-publish	AI (publish-pattern): Long gaps between Firebase SDK releases are normal for monorepo cadence; publisher's 2589-day history and 3133 approved packages rule out account takeover.	ai	2026/04/22
dependencies	unvetted-dep:undici	AI (dependencies): undici 5.28.4 is Node.js's official HTTP client; widely used and maintained. Replacement for node-fetch is a standard modernization pattern.	ai	2026/04/22
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a standard TypeScript runtime helper declared as a dependency; its use as an implicit runtime dep is a well-known pattern for TypeScript-compiled packages.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): False positive for scoped Firebase package; documentation is in monorepo, not individual package README.	ai	2026/04/22

Versions (showing 51 of 139)

Show 232 prereleases View all versions

Version	Deps	Published
0.13.4	6 / 5	2026-05-07
0.13.3	6 / 5	2026-03-19
0.13.2	6 / 5	2026-02-27
0.13.1	6 / 5	2025-08-28
0.13.0	6 / 5	2025-07-17
0.12.9	6 / 5	2025-06-30
0.12.8	6 / 5	2025-05-22
0.12.7	6 / 5	2025-05-20
0.12.6	6 / 5	2025-05-14
0.12.5	6 / 5	2025-05-14
0.12.4	6 / 5	2025-05-07
0.12.3	6 / 5	2025-02-27
0.12.2	6 / 5	2025-02-06
0.12.1	6 / 5	2025-01-16
0.12.0	6 / 5	2024-12-12
0.11.10	6 / 5	2024-11-14
0.11.9	6 / 5	2024-10-21
0.11.8	7 / 5	2024-09-18
0.11.7	7 / 5	2024-08-29
0.11.6	7 / 5	2024-07-03
0.11.5	7 / 5	2024-05-13
0.11.4	7 / 5	2024-04-11
0.11.3	7 / 5	2024-03-28
0.11.2	7 / 5	2024-02-28
0.11.1	7 / 5	2024-02-01
0.11.0	7 / 5	2023-11-27
0.10.0	7 / 5	2023-05-25
0.9.4	7 / 5	2023-03-02
0.9.3	7 / 5	2023-02-03
0.9.2	7 / 5	2023-02-02
0.9.1	7 / 5	2023-01-19
0.9.0	7 / 5	2022-12-08
0.8.8	7 / 5	2022-10-27
0.8.7	7 / 5	2022-10-12
0.8.6	7 / 5	2022-10-11
0.8.5	7 / 5	2022-10-06
0.8.4	7 / 5	2022-07-07
0.8.3	7 / 5	2022-06-23
0.8.2	7 / 5	2022-06-09
0.8.1	7 / 5	2022-05-06
0.8.0	7 / 5	2022-04-28
0.7.11	7 / 5	2022-04-14
0.7.10	7 / 5	2022-03-24
0.7.9	7 / 5	2022-03-17
0.7.8	7 / 5	2022-01-27
0.7.7	7 / 5	2022-01-07
0.7.6	7 / 5	2021-11-11
0.7.5	7 / 5	2021-11-08
0.7.4	7 / 5	2021-11-04
0.7.3	7 / 5	2021-10-14
0.7.2	7 / 5	2021-09-24