@aws-amplify/analytics
Analytics category of aws-amplify
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): aws-amplify-ops is a well-established publisher with 566 approved packages; missing gitHead likely reflects a CI/CD pipeline change in this large monorepo, not a supply chain compromise. | ai | |
| dependencies | unvetted-dep:aws-sdk | AI (dependencies): aws-sdk is a core dependency for AWS service integration; expected and legitimate for this analytics package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 3.6x size increase corresponds to new AWS SDK integrations and analytics features; no injected payloads detected. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 68 new source files reflect normal development activity for a mature package; no evidence of bundled/injected code. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition (mlabieniec → aws-amplify-ops) in 2019 reflects AWS's official adoption of Amplify; stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are all official AWS SDK packages for analytics integrations; legitimate feature expansion, not attack vector. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-kinesis-browser | AI (dependencies): AWS SDK browser client; legitimate dependency for analytics package. Stable for this package. | ai | |
| dependencies | unvetted-dep:@aws-amplify/cache | AI (dependencies): Internal AWS Amplify monorepo dependency with pinned constraint; stable for this package. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-firehose | AI (dependencies): Official AWS SDK; appropriate for analytics service integration. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-personalize-events | AI (dependencies): Official AWS SDK; appropriate for analytics service integration. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Signals are weak for an established scoped package from a known organization; mass production signal applies to different publisher (elorzafe). | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-kinesis | AI (dependencies): Official AWS SDK; appropriate for analytics service integration. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore adoption; no provenance is expected for established packages from this era. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): AWS Amplify maintainer transitions are documented organizational changes; stable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removal in context of AWS Amplify's scale is expected; no takeover indicators present. | ai | |
| dependencies | unvetted-dep:@aws-amplify/core | AI (dependencies): Internal Amplify dependency from same trusted publisher; unvetted status is expected for monorepo packages. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-personalize-events-browser | AI (dependencies): Official AWS SDK preview package from Amazon; unvetted status reflects early preview versioning, not a security concern. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-pinpoint-browser | AI (dependencies): Official AWS SDK preview package from Amazon; unvetted status reflects early preview versioning, not a security concern. | ai |
Versions (showing 44 of 145)
| Version | Deps | Published |
|---|---|---|
| 2.2.1 | 3 / 0 | |
| 2.2.0 | 3 / 0 | |
| 2.1.0 | 3 / 0 | |
| 1.4.3 | 3 / 0 | |
| 1.4.0 | 6 / 0 | |
| 1.3.4 | 3 / 0 | |
| 1.3.3 | 3 / 0 | |
| 1.3.2 | 3 / 19 | |
| 1.2.25 | 3 / 19 | |
| 1.2.23 | 3 / 19 | |
| 1.2.22 | 3 / 19 | |
| 1.2.21 | 3 / 19 | |
| 1.2.20 | 3 / 19 | |
| 1.2.18 | 3 / 21 | |
| 1.2.17 | 4 / 21 | |
| 1.2.16 | 3 / 21 | |
| 1.2.15 | 3 / 21 | |
| 1.2.14 | 3 / 21 | |
| 1.2.13 | 3 / 21 | |
| 1.2.12 | 3 / 21 | |
| 1.2.11 | 3 / 21 | |
| 1.2.10 | 3 / 21 | |
| 1.2.9 | 3 / 21 | |
| 1.2.8 | 3 / 21 | |
| 1.2.7 | 3 / 21 | |
| 1.2.6 | 3 / 21 | |
| 1.2.5 | 3 / 21 | |
| 1.2.4 | 3 / 21 | |
| 1.2.3 | 4 / 21 | |
| 1.2.2 | 4 / 21 | |
| 1.2.1 | 4 / 21 | |
| 1.2.0 | 4 / 21 | |
| 1.1.1 | 4 / 21 | |
| 1.1.0 | 4 / 21 | |
| 1.0.9 | 4 / 21 | |
| 1.0.8 | 4 / 21 | |
| 1.0.7 | 4 / 21 | |
| 1.0.6 | 4 / 21 | |
| 1.0.5 | 4 / 21 | |
| 1.0.4 | 4 / 21 | |
| 1.0.3 | 4 / 21 | |
| 1.0.2 | 4 / 21 | |
| 1.0.1 | 4 / 21 | |
| 1.0.0 | 4 / 21 |
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.