@firebase/util — Greenflagged

_NOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package_

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

firebase-opsfeiyang.chengoogle-wombotchholland

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	large-new-source-files	AI (source-diff): Firebase SDK packages routinely add many source/dist files across versions as the SDK grows; this is expected behavior for @firebase/util in the Firebase monorepo.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): EAP pre-release version strings are a documented Firebase practice for early access program releases; not a malware indicator for this publisher.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of individual Firebase engineer maintainers in favor of google-wombot automation account is a standard organizational transition for Firebase SDK packages, not a takeover signal.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): google-wombot is the official Firebase/Google automation publishing account; transition from individual engineer accounts to this bot is a standard Google practice for Firebase SDK packages.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Firebase packages published via google-wombot automation consistently lack Sigstore provenance; this is a known pattern for this publisher.	ai	2026/04/22
publish-pattern	dormant-publish	AI (publish-pattern): EAP/feature-branch pre-releases from the official Firebase publisher are expected to have irregular cadence; not indicative of account takeover.	ai	2026/04/22
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a known implicit runtime dependency for Firebase packages compiled with TypeScript; stable false positive for this package.	ai	2026/04/22
install-scripts	install-script:postinstall	AI (install-scripts): Firebase's postinstall script (node ./postinstall.js) is a long-standing, documented part of the Firebase JS SDK build process; stable for this package.	ai	2026/04/22
typosquat	typosquat.levenshtein:uuid	AI (typosquat): @firebase/util is a scoped Google Firebase package with 3000+ days of history; Levenshtein match to 'uuid' is a clear false positive.	ai	2026/04/22

Versions (showing 37 of 37)

Show 63 prereleases

Version	Deps	Published
1.12.1	1 / 4	2025-06-30
1.11.3	1 / 4	2025-05-14
1.10.3	1 / 3	2025-01-16
1.10.2	1 / 3	2024-11-14
1.10.1	1 / 3	2024-10-21
1.10.0	1 / 3	2024-09-18
1.9.7	1 / 3	2024-07-03
1.9.6	1 / 3	2024-05-13
1.9.5	1 / 3	2024-03-28
1.9.4	1 / 3	2024-02-01
1.9.3	1 / 3	2023-03-02
1.9.2	1 / 3	2023-02-03
1.9.1	1 / 3	2023-02-02
1.9.0	1 / 3	2023-01-19
1.8.0	1 / 3	2022-12-08
1.7.3	1 / 3	2022-10-27
1.7.2	1 / 3	2022-10-12
1.7.1	1 / 3	2022-10-11
1.7.0	1 / 3	2022-10-06
1.6.3	1 / 3	2022-07-07
1.6.2	1 / 3	2022-06-23
1.6.1	1 / 3	2022-06-09
1.6.0	1 / 3	2022-05-06
1.5.2	1 / 3	2022-04-14
1.5.1	1 / 3	2022-03-24
1.5.0	1 / 3	2022-03-17
1.4.3	1 / 3	2022-01-07
1.4.2	1 / 3	2021-11-08
1.4.1	1 / 3	2021-11-04
1.4.0	1 / 3	2021-09-24
1.3.0	1 / 3	2021-08-19
1.2.0	1 / 3	2021-07-29
1.1.0	1 / 3	2021-05-05
1.0.0	1 / 3	2021-04-12
0.4.1	1 / 3	2021-03-31
0.4.0	1 / 3	2021-03-11
0.3.4	1 / 3	2020-11-05