@firebase/messaging-compat

This is the compat package that recreates the v8 APIs.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@firebase/util	AI (dependencies): Sibling package from the official firebase-js-sdk monorepo; not a third-party unvetted dependency.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Official Firebase SDK package published by Google automation account; lack of Sigstore provenance is expected for this established package family.	ai	2026/04/22
dependencies	unvetted-dep:@firebase/messaging	AI (dependencies): Sibling package from the official firebase-js-sdk monorepo; not a third-party unvetted dependency.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removal is consistent with consolidation under google-wombot automated publishing; stable pattern across Firebase packages.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): google-wombot is Google's official Firebase publishing bot; transition from named engineer to bot account is standard Google/Firebase practice, not a takeover signal.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): This is a Firebase SDK monorepo sub-package; short README and no keywords are expected for internal scoped packages, not spam indicators.	ai	2026/04/22
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is declared as a direct dependency in package.json; phantom-dep flag is a false positive for this TypeScript-compiled package.	ai	2026/04/22

Versions (showing 49 of 49)

Show 229 prereleases

Version	Deps	Published
0.2.26	4 / 5	2026-05-07
0.2.25	4 / 5	2026-03-19
0.2.24	4 / 5	2026-02-27
0.2.23	4 / 5	2025-07-17
0.2.22	4 / 5	2025-06-30
0.2.21	4 / 5	2025-05-20
0.2.20	4 / 5	2025-05-14
0.2.19	4 / 5	2025-05-14
0.2.18	4 / 5	2025-05-07
0.2.17	4 / 5	2025-02-27
0.2.16	4 / 5	2025-01-16
0.2.15	4 / 5	2024-12-12
0.2.14	4 / 5	2024-11-14
0.2.13	4 / 5	2024-10-21
0.2.12	4 / 5	2024-10-10
0.2.11	4 / 5	2024-09-18
0.2.10	4 / 5	2024-07-03
0.2.9	4 / 5	2024-05-13
0.2.8	4 / 5	2024-04-11
0.2.7	4 / 5	2024-03-28
0.2.6	4 / 5	2024-02-01
0.2.5	4 / 5	2023-11-27
0.2.4	4 / 5	2023-03-02
0.2.3	4 / 5	2023-02-03
0.2.2	4 / 5	2023-02-02
0.2.1	4 / 5	2023-01-19
0.2.0	4 / 5	2022-12-08
0.1.21	4 / 5	2022-11-10
0.1.20	4 / 5	2022-10-27
0.1.19	4 / 5	2022-10-12
0.1.18	4 / 5	2022-10-11
0.1.17	4 / 5	2022-10-06
0.1.16	4 / 5	2022-07-07
0.1.15	4 / 5	2022-06-23
0.1.14	4 / 5	2022-06-09
0.1.13	4 / 5	2022-05-06
0.1.12	4 / 5	2022-04-14
0.1.11	4 / 5	2022-03-24
0.1.10	4 / 5	2022-03-17
0.1.9	4 / 5	2022-03-04
0.1.8	4 / 5	2022-02-03
0.1.7	4 / 5	2022-01-20
0.1.6	4 / 5	2022-01-13
0.1.5	4 / 5	2022-01-07
0.1.4	4 / 5	2021-11-08
0.1.3	4 / 5	2021-11-04
0.1.2	4 / 5	2021-10-14
0.1.1	4 / 5	2021-09-24
0.1.0	4 / 5	2021-08-25

v0.2.26

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.