@aws-amplify/amplify-category-api
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: nothing attests which repository, commit and build produced the bytes on the registry, so a tarball substituted at publish time is indistinguishable from a legitimate one. The axios compromise (March 2026) relied on exactly this gap.
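To make the check concrete, here is an added example (not code from this page or from the Amplify project) that reads the registry "packument" shape npm returns for a package and reports, per version, whether a Sigstore attestation with an SLSA provenance predicate was published. The packument below is constructed for illustration and is not the real registry data for @aws-amplify/amplify-category-api; the field layout `versions[v].dist.attestations = { url, provenance: { predicateType } }` is the layout I have observed from `npm publish --provenance` and is an assumption here.

```javascript
// Added example: provenance presence check over an npm packument.
// The packument is CONSTRUCTED sample data, not the real registry document.
const samplePackument = {
  name: "example-pkg", // hypothetical package name
  "dist-tags": { latest: "2.0.0" },
  versions: {
    "1.0.0": {
      version: "1.0.0",
      dist: {
        tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz",
        integrity: "sha512-AAAA...", // truncated, constructed
        // no dist.attestations: published without provenance
      },
    },
    "2.0.0": {
      version: "2.0.0",
      dist: {
        tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-2.0.0.tgz",
        integrity: "sha512-BBBB...", // truncated, constructed
        // assumed layout of the attestations field when provenance exists
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@2.0.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// Predicate types that identify an SLSA provenance statement.
const SLSA_PREDICATES = new Set([
  "https://slsa.dev/provenance/v0.2",
  "https://slsa.dev/provenance/v1",
]);

// Report for one version. Note the limit of this check: the presence of
// dist.attestations only says an attestation was *published*. Verifying the
// Sigstore bundle against the transparency log is what `npm audit signatures`
// does, and this function does not replace it.
function provenanceStatus(packument, version) {
  const entry = packument.versions && packument.versions[version];
  if (!entry) throw new Error(`version ${version} not in packument`);
  const att = entry.dist && entry.dist.attestations;
  const predicateType =
    (att && att.provenance && att.provenance.predicateType) || null;
  return {
    version,
    hasAttestation: Boolean(att),
    isSlsaProvenance: SLSA_PREDICATES.has(predicateType),
    predicateType,
    attestationsUrl: (att && att.url) || null,
  };
}

// Policy gate for a dependency review: every listed version must carry
// SLSA provenance, otherwise the gate fails closed.
function allVersionsHaveProvenance(packument, versions) {
  return versions.every((v) => provenanceStatus(packument, v).isSlsaProvenance);
}

// Versions that would be flagged as "no-provenance" findings, like the
// per-version findings further down this page.
function versionsWithoutProvenance(packument) {
  return Object.keys(packument.versions).filter(
    (v) => !provenanceStatus(packument, v).isSlsaProvenance,
  );
}

for (const v of Object.keys(samplePackument.versions)) {
  console.log(provenanceStatus(samplePackument, v));
}
console.log("no-provenance findings:", versionsWithoutProvenance(samplePackument));
```

Against the live registry the same field is visible with `npm view @aws-amplify/amplify-category-api@5.15.5 dist.attestations --json` (an empty result means no attestation was published), and in a project that depends on the package, `npm audit signatures` on a recent npm performs the actual signature and provenance verification rather than a presence check.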
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@aws-amplify/graphql-transformer-migrator | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:@aws-amplify/graphql-schema-generator | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:@aws-amplify/graphql-transformer-core | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-relational-schema-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-key-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-auth-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-http-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-transformer-core | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-transformer-common | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-dynamodb-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-function-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-versioned-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-connection-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:@aws-cdk/aws-apigatewayv2-alpha | AI (dependencies): AWS CDK alpha package; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:graphql-predictions-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:@aws-amplify/graphql-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:graphql-elasticsearch-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| dependencies | unvetted-dep:@aws-amplify/graphql-auth-transformer | AI (dependencies): AWS Amplify ecosystem dependency; stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Amplify CLI packages historically published without Sigstore provenance; not a risk signal for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Standard JWT body parsing in bundled Express template; not a malicious payload. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Plugin-loader pattern in AWS Amplify CLI tooling; stable across versions. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 5.15.5 | 41 / 7 | |
| 5.15.4 | 41 / 7 | |
| 5.15.3 | 41 / 7 | |
| 5.15.2 | 41 / 7 | |
| 5.15.1 | 39 / 7 | |
v5.15.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.15.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.15.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.15.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.15.1
1 finding [Accepted risk]: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.