@firebase/performance
Firebase performance for web
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Firebase SDK packages consistently lack Sigstore provenance; this is a known gap in their publishing pipeline, not a per-version risk signal. | ai | |
| provenance | publisher-changed | AI (provenance): google-wombot is Google's official Firebase SDK automation publisher; publisher transitions to this account are expected and legitimate for @firebase/* packages. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Firebase SDK maintainer roster changes over time are expected for a long-lived Google project; removal of individual maintainers is not a takeover signal here. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy signal is an artifact of comparing against a very old approved version (v0.2.6); the package has 3087 versions in registry indicating continuous active development. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): web-vitals is Google's own Core Web Vitals library; @firebase/component is part of the Firebase SDK. Both are legitimate, well-established dependencies for a performance monitoring package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): This is a legitimate Firebase SDK sub-package from Google's monorepo. Short README and missing keywords are typical for internal SDK packages, not spam indicators. | ai | |
| dependencies | unvetted-dep:@firebase/util | AI (dependencies): First-party Firebase SDK dependency from the same Google monorepo; not a third-party risk. | ai | |
| dependencies | unvetted-dep:@firebase/logger | AI (dependencies): First-party Firebase SDK dependency from the same Google monorepo; not a third-party risk. | ai | |
| dependencies | unvetted-dep:@firebase/installations | AI (dependencies): First-party Firebase SDK dependency from the same Google monorepo; not a third-party risk. | ai | |
| dependencies | unvetted-dep:@firebase/performance-types | AI (dependencies): First-party Firebase SDK dependency from the same Google monorepo; not a third-party risk. | ai |
Versions (showing 51 of 113)
| Version | Deps | Published |
|---|---|---|
| 0.7.12 | 6 / 5 | |
| 0.7.11 | 6 / 5 | |
| 0.7.10 | 6 / 5 | |
| 0.7.9 | 6 / 5 | |
| 0.7.8 | 6 / 5 | |
| 0.7.7 | 6 / 5 | |
| 0.7.6 | 6 / 5 | |
| 0.7.5 | 6 / 5 | |
| 0.7.4 | 6 / 5 | |
| 0.7.3 | 6 / 5 | |
| 0.7.2 | 6 / 5 | |
| 0.7.1 | 6 / 5 | |
| 0.7.0 | 6 / 5 | |
| 0.6.12 | 5 / 5 | |
| 0.6.11 | 5 / 5 | |
| 0.6.10 | 5 / 5 | |
| 0.6.9 | 5 / 5 | |
| 0.6.8 | 5 / 5 | |
| 0.6.7 | 5 / 5 | |
| 0.6.6 | 5 / 5 | |
| 0.6.5 | 5 / 5 | |
| 0.6.4 | 5 / 5 | |
| 0.6.3 | 5 / 5 | |
| 0.6.2 | 5 / 5 | |
| 0.6.1 | 5 / 5 | |
| 0.6.0 | 5 / 5 | |
| 0.5.17 | 5 / 5 | |
| 0.5.16 | 5 / 5 | |
| 0.5.15 | 5 / 5 | |
| 0.5.14 | 5 / 5 | |
| 0.5.13 | 5 / 5 | |
| 0.5.12 | 5 / 5 | |
| 0.5.11 | 5 / 5 | |
| 0.5.10 | 5 / 5 | |
| 0.5.9 | 5 / 5 | |
| 0.5.8 | 5 / 5 | |
| 0.5.7 | 5 / 5 | |
| 0.5.6 | 5 / 5 | |
| 0.5.5 | 5 / 5 | |
| 0.5.4 | 5 / 5 | |
| 0.5.3 | 5 / 5 | |
| 0.5.2 | 5 / 5 | |
| 0.5.1 | 5 / 5 | |
| 0.5.0 | 5 / 5 | |
| 0.4.18 | 6 / 5 | |
| 0.4.17 | 6 / 5 | |
| 0.4.16 | 6 / 5 | |
| 0.4.15 | 6 / 5 | |
| 0.4.14 | 6 / 5 | |
| 0.4.13 | 6 / 5 | |
| 0.4.12 | 6 / 5 |
v0.7.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.11
2 findingsThis version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.6.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-03-02. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.17
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.12
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.11
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-23. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.10
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-09. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.8
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-14. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.5
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-04. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-09-24. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-08-25. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.18
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-08-19. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.17
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-07-29. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.16
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-07-01. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.14
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-06-10. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.13
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-06-03. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.12
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-05-05. This could indicate a legitimate maintainer transition or an account compromise.