@firebase/polyfill
This is a set of polyfills/shims used by the Firebase JS SDK. This package is completely standalone and can be loaded to standardize environments for use with the Firebase JS SDK.
Versions: 45
License: Apache-2.0
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
chholland, feiyang.chen, firebase-ops, google-wombot, hiranya911
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-dropped | AI (source-diff): Size drop reflects refactoring to delegate to declared dependencies (core-js, promise-polyfill, whatwg-fetch) rather than bundling inline; legitimate pattern for a polyfill package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change reflects a legitimate Firebase/Google team rotation; google-wombot maintainer addition confirms Google organizational control. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are former Firebase contributors; removal alongside Google-affiliated additions is consistent with legitimate team transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers include google-wombot (Google automation) and Firebase team members; consistent with internal Google team management. | ai | |
| dependencies | unvetted-dep:promise-polyfill | AI (dependencies): promise-polyfill is a well-known polyfill library; its presence in @firebase/polyfill is expected and appropriate across all versions. | ai | |
| dependencies | unvetted-dep:core-js | AI (dependencies): core-js is a well-known, widely-used polyfill library; its presence in @firebase/polyfill is expected and appropriate across all versions. | ai | |
| source-diff | net-exec-file:dist/index.esm.js | AI (source-diff): ESM build of the same polyfill bundle. Network + execution pattern is inherent to a fetch/Promise polyfill package, not a dropper. | ai | |
| source-diff | net-exec-file:dist/index.cjs.js | AI (source-diff): This is a polyfill package; the 'network calls' are the fetch polyfill and 'code execution' is Promise resolution logic. This is the intended functionality, not malware. | ai | |
| bogus-package | bogus-package | AI (bogus-package): This is a Firebase monorepo sub-package; minimal README and no keywords are expected for internal SDK components, not spam indicators. | ai | |
| phantom-deps | phantom-dep:promise-polyfill | AI (phantom-deps): Package uses rollup to bundle dependencies; promise-polyfill is consumed at build time rather than via direct import, making phantom-dep detection a false positive here. | ai | |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 0.3.36 | 3 / 2 | |
| 0.3.35 | 3 / 2 | |
| 0.3.34 | 3 / 2 | |
| 0.3.33 | 3 / 2 | |
| 0.3.32 | 3 / 2 | |
| 0.3.31 | 3 / 2 | |
| 0.3.30 | 3 / 2 | |
| 0.3.29 | 3 / 2 | |
| 0.3.28 | 3 / 2 | |
| 0.3.27 | 3 / 2 | |
| 0.3.26 | 3 / 2 | |
| 0.3.25 | 3 / 2 | |
| 0.3.24 | 3 / 2 | |
| 0.3.23 | 3 / 2 | |
| 0.3.22 | 3 / 2 | |
| 0.3.21 | 3 / 2 | |
| 0.3.20 | 3 / 2 | |
| 0.3.19 | 3 / 2 | |
| 0.3.18 | 3 / 2 | |
| 0.3.17 | 3 / 2 | |
| 0.3.16 | 3 / 2 | |
| 0.3.15 | 3 / 2 | |
| 0.3.14 | 3 / 2 | |
| 0.3.13 | 3 / 2 | |
| 0.3.12 | 3 / 2 | |
| 0.3.11 | 3 / 2 | |
| 0.3.10 | 3 / 2 | |
| 0.3.9 | 3 / 2 | |
| 0.3.8 | 3 / 2 | |
| 0.3.7 | 3 / 2 | |
| 0.3.6 | 3 / 2 | |
| 0.3.5 | 3 / 2 | |
| 0.3.4 | 3 / 2 | |
| 0.3.3 | 3 / 4 | |
| 0.3.2 | 3 / 4 | |
| 0.3.1 | 3 / 4 | |
| 0.3.0 | 3 / 2 | |
| 0.2.0 | 2 / 2 | |
| 0.1.6 | 2 / 2 | |
| 0.1.5 | 1 / 2 | |
| 0.1.4 | 1 / 2 | |
| 0.1.3 | 1 / 2 | |
| 0.1.2 | 1 / 2 | |
| 0.1.1 | 1 / 2 | |
| 0.1.0 | 1 / 2 | |