@firebase/installations
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:coverage/browser/HeadlessChrome 80.0.3987 (Linux 0.0.0)/prettify.js | AI (source-diff): This is google-code-prettify bundled inside a Karma/Istanbul test coverage HTML report artifact. Standard syntax highlighter, not malicious code. Packaging hygiene issue only. | ai | |
| dependencies | unvetted-dep:@firebase/util | AI (dependencies): @firebase/util is an official Firebase SDK internal dependency published by the same google-wombot publisher; not a suspicious third-party package. | ai | |
| source-diff | obfuscated-file:coverage/browser/Chrome Headless 84.0.4147.125 (Linux x86_64)/prettify.js | AI (source-diff): This is Google Code Prettify bundled into Karma's HTML coverage report output. The path clearly identifies it as a test coverage artifact, not malicious code. Stable false positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): The 36 new files are Karma test coverage report artifacts (HTML/JS). Packaging hygiene issue but not a security concern for this established Firebase SDK. | ai | |
| source-diff | obfuscated-file:coverage/browser/HeadlessChrome 78.0.3904 (Linux 0.0.0)/prettify.js | AI (source-diff): This is the well-known google-code-prettify syntax highlighter, minified, bundled inside a Karma/Istanbul browser coverage report. Not malicious — a packaging hygiene issue only. | ai | |
| source-diff | obfuscated-file:coverage/browser/HeadlessChrome 75.0.3770 (Linux 0.0.0)/prettify.js | AI (source-diff): File is the standard Google Code Prettify syntax highlighter bundled by Istanbul/Karma coverage reporters. Minified format is expected; this is a coverage report artifact, not malicious code. | ai | |
| source-diff | obfuscated-file:coverage/browser/HeadlessChrome 76.0.3809 (Linux 0.0.0)/prettify.js | AI (source-diff): This is the well-known Google Code Prettify syntax highlighter, minified, bundled as part of karma/Istanbul coverage HTML report output accidentally included in the npm publish. No security risk. | ai | |
| source-diff | obfuscated-file:coverage/browser/HeadlessChrome 77.0.3865 (Linux 0.0.0)/prettify.js | AI (source-diff): This is the well-known Google Code Prettify syntax highlighter, minified, inside a Karma/Istanbul coverage report artifact accidentally included in the package. Benign packaging sloppiness, not obfuscated malware. | ai | |
| provenance | no-provenance | AI (provenance): Google's Firebase SDK packages are published via google-wombot without Sigstore provenance; this is consistent across all Firebase SDK releases and not a risk indicator. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): tslib is a canonical Microsoft TypeScript runtime helpers library; adding it is standard practice for TypeScript-compiled Firebase SDK packages. | ai | |
| provenance | publisher-changed | AI (provenance): Firebase/Google routinely rotates internal publisher accounts across their SDK monorepo; chholland is a long-standing, high-approval publisher with no malicious history. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Missing metadata signals are false positives for @firebase/* scoped packages; the author field and Apache-2.0 license clearly identify this as an official Firebase SDK package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a declared direct dependency in package.json used as a bundled TypeScript runtime helper; phantom-dep finding is a stable false positive for this package. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Omitting description is consistent across Firebase SDK monorepo sub-packages; not a malware indicator for this well-established publisher. | ai | |
Versions (showing 51 of 99)
| Version | Deps | Published |
|---|---|---|
| 0.6.22 | 4 / 8 | |
| 0.6.21 | 4 / 8 | |
| 0.6.20 | 4 / 8 | |
| 0.6.19 | 4 / 8 | |
| 0.6.18 | 4 / 8 | |
| 0.6.17 | 4 / 8 | |
| 0.6.16 | 4 / 8 | |
| 0.6.15 | 4 / 8 | |
| 0.6.14 | 4 / 8 | |
| 0.6.13 | 4 / 8 | |
| 0.6.12 | 4 / 8 | |
| 0.6.11 | 4 / 8 | |
| 0.6.10 | 4 / 8 | |
| 0.6.9 | 4 / 8 | |
| 0.6.8 | 4 / 8 | |
| 0.6.7 | 4 / 8 | |
| 0.6.6 | 4 / 8 | |
| 0.6.5 | 4 / 8 | |
| 0.6.4 | 4 / 8 | |
| 0.6.3 | 4 / 8 | |
| 0.6.2 | 4 / 8 | |
| 0.6.1 | 4 / 8 | |
| 0.6.0 | 4 / 8 | |
| 0.5.16 | 4 / 8 | |
| 0.5.15 | 4 / 8 | |
| 0.5.14 | 4 / 8 | |
| 0.5.13 | 4 / 8 | |
| 0.5.12 | 4 / 8 | |
| 0.5.11 | 4 / 8 | |
| 0.5.10 | 4 / 8 | |
| 0.5.9 | 4 / 8 | |
| 0.5.8 | 3 / 8 | |
| 0.5.7 | 3 / 8 | |
| 0.5.6 | 3 / 8 | |
| 0.5.5 | 4 / 8 | |
| 0.5.4 | 4 / 8 | |
| 0.5.3 | 4 / 8 | |
| 0.5.2 | 4 / 8 | |
| 0.5.1 | 4 / 8 | |
| 0.5.0 | 4 / 8 | |
| 0.4.32 | 5 / 8 | |
| 0.4.31 | 5 / 8 | |
| 0.4.30 | 5 / 8 | |
| 0.4.29 | 5 / 8 | |
| 0.4.28 | 5 / 8 | |
| 0.4.27 | 5 / 8 | |
| 0.4.26 | 5 / 8 | |
| 0.4.25 | 5 / 8 | |
| 0.4.24 | 5 / 8 | |
| 0.4.23 | 5 / 8 | |
| 0.4.22 | 5 / 8 | |
v0.6.22
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.20
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.19
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.14
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.12
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-03-02. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.16
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-10-27. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.12
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.10
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-09. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.8
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-14. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.5
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-04. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-09-24. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-08-25. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.32
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-08-19. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.31
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-07-29. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.30
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.29
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.28
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-06-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.27
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-06-03. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.26
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.25
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.24
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-04-08. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.23
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-31. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.22
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-18. This could indicate a legitimate maintainer transition or an account compromise.