@aws-amplify/api — Greenflagged

Api category of aws-amplify

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-amplify-opsamplify-studio-uibuilderamplify-codegenamplify-data-dev-npmaws-amplify-data-runtime

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@aws-amplify/auth	AI (dependencies): @aws-amplify/auth is a first-party AWS Amplify package from the same org scope; its use here is expected and stable across all versions of this package.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of richardzcode aligns with legitimate AWS team transitions; no compromise indicators present.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable	AI (dependencies): zen-observable is a legitimate RxJS utility library; stable constraint ^0.8.6 is appropriate for this package.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer addition is normal for AWS-maintained monorepo; repository URL unchanged and legitimate.	ai	2026/04/21
dependencies	unvetted-dep:axios	AI (dependencies): axios is a standard HTTP client used throughout AWS Amplify; stable dependency for this package.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/cache	AI (dependencies): @aws-amplify/cache is a sibling AWS Amplify package; unvetted status is expected within the same org scope.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Signals are minor metadata issues (mass-production maintainer, missing keywords); not indicative of malware for AWS-official package.	ai	2026/04/21
phantom-deps	phantom-dep:uuid	AI (phantom-deps): uuid is properly declared and used in config; phantom status is expected for utility dependencies.	ai	2026/04/21
source-diff	source-size-dropped	AI (source-diff): Source size reduction reflects normal refactoring and build system changes; no indication of stub/redirect.	ai	2026/04/21
provenance	no-provenance	AI (provenance): No provenance is common for packages published before Sigstore adoption; not a security risk for this established package.	ai	2026/04/21
typosquat	typosquat.levenshtein:hapi	AI (typosquat): Scoped package @aws-amplify/api is not a typosquat; Levenshtein distance on scoped names produces false positives.	ai	2026/04/21
typosquat	typosquat.levenshtein:pg	AI (typosquat): Scoped package @aws-amplify/api is not a typosquat; Levenshtein distance on scoped names produces false positives.	ai	2026/04/21
typosquat	typosquat.levenshtein:joi	AI (typosquat): Scoped package @aws-amplify/api is not a typosquat; Levenshtein distance on scoped names produces false positives.	ai	2026/04/21
typosquat	typosquat.levenshtein:ajv	AI (typosquat): Scoped package @aws-amplify/api is not a typosquat; Levenshtein distance on scoped names produces false positives.	ai	2026/04/21
phantom-deps	phantom-dep:@types/zen-observable	AI (phantom-deps): Framework-scoped types package; phantom declaration is conventional for TypeScript projects.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): uuid is an established, benign utility library; not a suspicious dependency addition pattern.	ai	2026/04/21
phantom-deps	phantom-dep:@aws-amplify/auth	AI (phantom-deps): Same-org scoped dependency in AWS Amplify monorepo; phantom declaration is expected.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Publisher transition (2018) aligns with AWS organizational changes; official repo and authorship provide trust.	ai	2026/04/21
source-diff	encoded-string-file:dist/aws-amplify-api.min.js	AI (source-diff): Minified webpack bundle with standard UMD boilerplate; encoded strings are normal build artifacts, not malicious payloads.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/core	AI (dependencies): Sibling @aws-amplify package from same trusted publisher; expected dependency.	ai	2026/04/21

Versions (showing 51 of 87)

View all versions

Version	Deps	Published
6.3.26	5 / 2	2026-05-05
6.3.25	5 / 2	2026-04-14
6.3.24	5 / 2	2026-02-05
6.3.23	5 / 2	2026-01-22
6.3.22	5 / 2	2026-01-15
6.3.21	5 / 2	2025-12-10
6.3.20	5 / 2	2025-11-06
6.3.19	5 / 2	2025-09-29
6.3.18	5 / 2	2025-09-11
6.3.17	5 / 2	2025-08-06
6.3.16	5 / 2	2025-07-23
6.3.15	5 / 2	2025-07-03
6.3.14	5 / 2	2025-07-02
6.3.13	5 / 2	2025-06-17
6.3.12	5 / 2	2025-05-27
6.3.11	5 / 3	2025-04-28
6.3.10	5 / 3	2025-04-21
6.3.9	5 / 3	2025-04-09
6.3.8	5 / 3	2025-03-28
6.3.7	5 / 3	2025-03-25
6.3.6	5 / 3	2025-03-21
6.3.5	5 / 3	2025-03-14
6.3.4	5 / 3	2025-03-07
6.3.3	5 / 3	2025-03-05
6.3.2	5 / 3	2025-02-27
6.3.1	5 / 3	2025-02-20
6.3.0	5 / 3	2025-02-12
6.2.3	5 / 3	2025-02-04
6.2.2	3 / 2	2025-01-24
6.2.1	3 / 2	2025-01-14
6.2.0	3 / 2	2025-01-03
6.1.9	3 / 1	2024-12-19
6.1.8	3 / 1	2024-12-12
6.1.7	3 / 1	2024-12-03
6.1.6	3 / 1	2024-12-03
6.1.5	3 / 1	2024-11-25
6.1.4	3 / 1	2024-11-20
6.1.3	3 / 1	2024-11-13
6.1.2	3 / 1	2024-11-12
6.1.1	3 / 1	2024-10-31
6.1.0	3 / 1	2024-10-29
6.0.56	3 / 1	2024-10-25
6.0.55	3 / 1	2024-10-21
6.0.54	3 / 1	2024-10-15
6.0.53	3 / 1	2024-10-05
6.0.52	3 / 1	2024-09-30
6.0.51	3 / 1	2024-09-17
6.0.50	3 / 1	2024-09-16
6.0.49	3 / 1	2024-09-04
6.0.48	3 / 1	2024-09-03
6.0.47	3 / 1	2024-08-26