@firebase/storage — Greenflagged

This is the Cloud Storage component of the Firebase JS SDK.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase from 417KB to 1MB is explained by Firebase's v9 modular SDK architecture expansion, adding exp/dist targets and compat layers — a documented major refactor, not injected payload.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): Undici is a legitimate, established HTTP client replacing node-fetch; standard maintenance update for Firebase SDK.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): feiyang.chen and hiranya911 are known Firebase/Google engineers added during a legitimate team reorganization in 2018.	ai	2026/04/22
source-diff	large-new-source-files	AI (source-diff): 46 new source files reflect SDK restructuring during early Firebase modular SDK development, not injected code. No suspicious content detected.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change from jshcrowthe to feiyang.chen in Nov 2018 reflects a documented Firebase/Google team transition. feiyang.chen is a known Firebase engineer with long npm history.	ai	2026/04/22
publish-pattern	dormant-publish	AI (publish-pattern): Long dormancy is consistent with monorepo release cycles; publisher is established and legitimate.	ai	2026/04/22
provenance	no-provenance	AI (provenance): google-wombot is an established Google automation account; lack of Sigstore provenance is consistent across all Firebase SDK packages and is not a meaningful risk signal.	ai	2026/04/22
dependencies	unvetted-dep:undici	AI (dependencies): Undici is a well-maintained Node.js HTTP client by the Node.js foundation; stable dependency for Firebase SDK.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): Low README quality and missing keywords are typical for scoped monorepo packages; not indicative of spam.	ai	2026/04/22
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a standard TypeScript runtime helper commonly used as an implicit dependency in compiled TypeScript packages; stable pattern for this package.	ai	2026/04/22

Versions (showing 51 of 144)

Show 232 prereleases View all versions

Version	Deps	Published
0.14.3	3 / 7	2026-05-07
0.14.2	3 / 7	2026-03-19
0.14.1	3 / 7	2026-02-27
0.14.0	3 / 7	2025-07-17
0.13.14	3 / 7	2025-06-30
0.13.13	3 / 7	2025-06-10
0.13.12	3 / 7	2025-05-22
0.13.11	3 / 7	2025-05-20
0.13.10	3 / 7	2025-05-14
0.13.9	3 / 7	2025-05-14
0.13.8	3 / 7	2025-05-07
0.13.7	3 / 7	2025-02-27
0.13.6	3 / 7	2025-02-06
0.13.5	3 / 7	2025-01-16
0.13.4	3 / 7	2024-11-14
0.13.3	3 / 7	2024-10-21
0.13.2	4 / 7	2024-09-18
0.13.1	4 / 7	2024-08-29
0.13.0	4 / 7	2024-08-15
0.12.6	4 / 7	2024-07-03
0.12.5	4 / 7	2024-05-13
0.12.4	4 / 7	2024-04-11
0.12.3	4 / 7	2024-03-28
0.12.2	4 / 7	2024-02-28
0.12.1	4 / 7	2024-02-01
0.12.0	4 / 7	2023-11-27
0.11.2	4 / 7	2023-03-02
0.11.1	4 / 7	2023-02-03
0.11.0	4 / 7	2023-02-02
0.10.1	4 / 7	2023-01-19
0.10.0	4 / 7	2022-12-08
0.9.14	4 / 7	2022-11-10
0.9.13	4 / 7	2022-10-27
0.9.12	4 / 7	2022-10-12
0.9.11	4 / 7	2022-10-11
0.9.10	4 / 7	2022-10-06
0.9.9	4 / 7	2022-07-07
0.9.8	4 / 7	2022-06-23
0.9.7	4 / 7	2022-06-09
0.9.6	4 / 7	2022-05-06
0.9.5	4 / 7	2022-04-14
0.9.4	4 / 7	2022-03-24
0.9.3	4 / 7	2022-03-17
0.9.2	4 / 7	2022-01-27
0.9.1	4 / 7	2022-01-07
0.9.0	4 / 7	2021-11-19
0.8.7	4 / 7	2021-11-11
0.8.6	4 / 7	2021-11-08
0.8.5	4 / 7	2021-11-04
0.8.4	4 / 7	2021-10-14
0.8.3	4 / 7	2021-09-24