
@firebase/installations-compat

This is a compatibility layer for the Firebase Installations SDK

Versions: 40
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-ops, feiyang.chen, google-wombot, chholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | dormant-publish | AI (publish-pattern): google-wombot is the established Firebase/Google automated publisher; dormancy in compat-layer packages is expected as the SDK evolves. No other risk signals present. | ai |
provenance | no-provenance | AI (provenance): Firebase SDK packages historically published without Sigstore provenance; this is a known pattern for this package family. | ai |
provenance | publisher-changed | AI (provenance): google-wombot is Firebase/Google's official automated publishing bot; transitions from individual Firebase team members to this bot are routine across the Firebase JS SDK monorepo. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): Removal of individual maintainers in favor of google-wombot bot publishing is a known Firebase organizational pattern, not a takeover signal. | ai |
phantom-deps | phantom-dep:idb | AI (phantom-deps): idb is a declared dependency used transitively via @firebase/installations; phantom detection is a false positive for this Firebase monorepo package. | ai |
dependencies | unvetted-dep:@firebase/installations-types | AI (dependencies): First-party Firebase types package from the same org; expected for this compat wrapper. | ai |
dependencies | unvetted-dep:@firebase/util | AI (dependencies): First-party Firebase dependency from the same org scope; expected for this package. | ai |
dependencies | unvetted-dep:@firebase/installations | AI (dependencies): First-party Firebase dependency; this compat wrapper directly wraps @firebase/installations. | ai |
bogus-package | bogus-package | AI (bogus-package): Firebase monorepo packages consistently lack standalone README code blocks and keywords; not indicative of spam. | ai |
phantom-deps | phantom-dep:@firebase/util | AI (phantom-deps): Same-org Firebase dependency used indirectly via @firebase/installations; expected pattern across all Firebase SDK packages. | ai |
phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; indirect import pattern is normal and stable for this package. | ai |

Versions (showing 40 of 40)

Version Deps Published
0.2.22 5 / 8
0.2.21 5 / 8
0.2.20 5 / 8
0.2.19 5 / 8
0.2.18 5 / 8
0.2.17 5 / 8
0.2.16 5 / 8
0.2.15 5 / 8
0.2.14 5 / 8
0.2.13 5 / 8
0.2.12 5 / 8
0.2.11 5 / 8
0.2.10 5 / 8
0.2.9 5 / 8
0.2.8 5 / 8
0.2.7 5 / 8
0.2.6 5 / 8
0.2.5 5 / 8
0.2.4 5 / 8
0.2.3 5 / 8
0.2.2 5 / 8
0.2.1 5 / 8
0.2.0 5 / 8
0.1.16 5 / 8
0.1.15 5 / 8
0.1.14 5 / 8
0.1.13 5 / 8
0.1.12 5 / 8
0.1.11 5 / 8
0.1.10 5 / 8
0.1.9 5 / 8
0.1.8 5 / 8
0.1.7 5 / 8
0.1.6 5 / 8
0.1.5 6 / 8
0.1.4 6 / 8
0.1.3 6 / 8
0.1.2 6 / 8
0.1.1 6 / 8
0.1.0 6 / 8

v0.2.22

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.21

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.20

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.19

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.18

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.17

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.16

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.15

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.13

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.12

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.11

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.10

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.3

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2023-02-03) provenance

This version was published by a different npm account than previous versions on 2023-02-03. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.2

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2023-02-02) provenance

This version was published by a different npm account than previous versions on 2023-02-02. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2023-01-19) provenance

This version was published by a different npm account than previous versions on 2023-01-19. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2022-12-08) provenance

This version was published by a different npm account than previous versions on 2022-12-08. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.16

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2022-10-27) provenance

This version was published by a different npm account than previous versions on 2022-10-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.15

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2022-10-12) provenance

This version was published by a different npm account than previous versions on 2022-10-12. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.14

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2022-10-11) provenance

This version was published by a different npm account than previous versions on 2022-10-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.13

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2022-10-06) provenance

This version was published by a different npm account than previous versions on 2022-10-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.12

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2022-07-07) provenance

This version was published by a different npm account than previous versions on 2022-07-07. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.11

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2022-06-23) provenance

This version was published by a different npm account than previous versions on 2022-06-23. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.10

2 findings
HIGH Publisher changed: feiyang.chen → google-wombot (on 2022-06-09) provenance

This version was published by a different npm account than previous versions on 2022-06-09. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.9

2 findings
HIGH Publisher changed: feiyang.chen → chholland (on 2022-05-06) provenance

This version was published by a different npm account than previous versions on 2022-05-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.8

2 findings
HIGH Publisher changed: feiyang.chen → chholland (on 2022-04-14) provenance

This version was published by a different npm account than previous versions on 2022-04-14. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.7

2 findings
HIGH Publisher changed: feiyang.chen → chholland (on 2022-03-24) provenance

This version was published by a different npm account than previous versions on 2022-03-24. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.6

2 findings
HIGH Publisher changed: feiyang.chen → chholland (on 2022-03-17) provenance

This version was published by a different npm account than previous versions on 2022-03-17. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.5

2 findings
HIGH Publisher changed: feiyang.chen → chholland (on 2022-01-07) provenance

This version was published by a different npm account than previous versions on 2022-01-07. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.