@aws-amplify/amplify-app

Amplify CLI

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-amplify-opsamplify-studio-uibuilderamplify-codegenamplify-data-dev-npmaws-amplify-data-runtime

Keywords

amplifyaws

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:yargs	AI (phantom-deps): yargs is declared in dependencies and used via CLI bin; phantom-dep heuristic false positive.	ai	2026/05/25
phantom-deps	phantom-dep:rimraf	AI (phantom-deps): rimraf is used in the clean script; phantom-dep heuristic false positive.	ai	2026/05/25
semgrep	semgrep:child-process-import	AI (semgrep): CLI tool legitimately spawns subprocesses for project scaffolding; stable pattern across versions.	ai	2026/05/20
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require loads declared @aws-amplify frontend plugin deps by key; documented plugin-loader pattern.	ai	2026/05/20
phantom-deps	phantom-dep:@aws-amplify/amplify-frontend-ios	AI (phantom-deps): Same-org dep loaded dynamically via plugin pattern; phantom-dep heuristic is a false positive here.	ai	2026/05/20
phantom-deps	phantom-dep:@aws-amplify/amplify-frontend-android	AI (phantom-deps): Same-org dep loaded dynamically via plugin pattern; phantom-dep heuristic is a false positive here.	ai	2026/05/20

Versions (showing 6 of 6)

Version	Deps	Published
5.0.48	16 / 1	2026-05-14
5.0.47	16 / 1	2026-05-01
5.0.46	16 / 1	2026-03-20
5.0.45	16 / 1	2025-10-31
5.0.44	16 / 1	2025-10-08
5.0.43	16 / 1	2025-07-01