@aws-amplify/api-graphql

Api-graphql category of aws-amplify

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-amplify-opsamplify-studio-uibuilderamplify-codegenamplify-data-dev-npmaws-amplify-data-runtime

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Major version gap (v3→v4) explains dormancy; aws-amplify-ops is a well-established publisher with 4000+ approved packages.	ai	2026/05/15
phantom-deps	phantom-dep:@aws-sdk/types	AI (phantom-deps): Framework-scoped type package; stable false positive for AWS Amplify packages.	ai	2026/05/15
source-diff	source-size-tripled	AI (source-diff): 6x size increase is expected for a major version rewrite adding new providers and ESM/CJS dual builds.	ai	2026/05/15
source-diff	large-new-source-files	AI (source-diff): Major version rewrite accounts for 163 new source files; consistent with v3→v4 restructuring of AWS Amplify GraphQL API.	ai	2026/05/15
provenance	missing-githead	AI (provenance): AWS Amplify is a large AWS org; missing gitHead is consistent with a CI/CD pipeline change rather than a compromise signal, especially with no other corroborating indicators.	ai	2026/04/21
phantom-deps	phantom-dep:@types/zen-observable	AI (phantom-deps): Framework-scoped type definition loaded by TypeScript convention; stable false positive for this package.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable	AI (dependencies): zen-observable is a stable, widely-used RxJS dependency; acceptable for AWS Amplify's GraphQL API layer.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): mattsb42-aws is an AWS-affiliated maintainer; addition is consistent with normal team transitions.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): New dependency is @aws-amplify/pubsub, an internal sibling package, not a third-party addition.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/pubsub	AI (dependencies): Internal AWS Amplify monorepo dependency; unvetted status is expected for internal packages.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable-ts	AI (dependencies): zen-observable-ts is a standard RxJS observable library; unvetted status is expected for ecosystem packages.	ai	2026/04/21
phantom-deps	phantom-dep:uuid	AI (phantom-deps): uuid is referenced in config but not directly imported; benign phantom dependency.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/cache	AI (dependencies): Internal AWS Amplify monorepo dependency; unvetted status is expected for internal packages.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance attestation is not yet standard practice; absence is not a security concern for this package.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of prior maintainers is normal team transition; no compromise indicators present.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Mass-production pattern reflects AWS monorepo structure; no malicious intent. Missing keywords is cosmetic.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/api-rest	AI (dependencies): Sibling package in the AWS Amplify monorepo, published at the same build hash. Consistently co-released; not an independent third-party dependency.	ai	2026/04/21
dependencies	unvetted-peer-dep:@aws-amplify/pubsub	AI (dependencies): Peer dependency on internal AWS Amplify package; acceptable for monorepo architecture.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/core	AI (dependencies): Internal AWS Amplify monorepo dependency; unvetted status is expected for internal packages.	ai	2026/04/21

Versions (showing 51 of 132)

View all versions

Version	Deps	Published
4.8.7	7 / 0	2026-05-05
4.8.6	8 / 0	2026-04-14
4.8.5	8 / 0	2026-02-05
4.8.4	8 / 0	2026-01-22
4.8.3	8 / 0	2026-01-15
4.8.2	8 / 0	2025-12-10
4.8.1	8 / 0	2025-11-06
4.8.0	8 / 0	2025-09-29
4.7.22	8 / 0	2025-09-11
4.7.21	8 / 0	2025-08-06
4.7.20	8 / 0	2025-07-23
4.7.19	8 / 0	2025-07-03
4.7.18	8 / 0	2025-07-02
4.7.17	8 / 0	2025-06-17
4.7.16	8 / 0	2025-05-27
4.7.15	8 / 3	2025-04-28
4.7.14	8 / 3	2025-04-21
4.7.13	8 / 3	2025-04-09
4.7.12	8 / 3	2025-03-28
4.7.11	8 / 3	2025-03-25
4.7.10	8 / 3	2025-03-21
4.7.9	8 / 3	2025-03-14
4.7.8	8 / 3	2025-03-07
4.7.7	8 / 3	2025-03-05
4.7.6	8 / 3	2025-02-27
4.7.5	8 / 3	2025-02-20
4.7.4	8 / 3	2025-02-12
4.7.3	8 / 3	2025-02-04
4.7.2	8 / 3	2025-01-24
4.7.1	8 / 3	2025-01-14
4.7.0	8 / 3	2025-01-03
4.6.7	8 / 3	2024-12-19
4.6.6	8 / 3	2024-12-12
4.6.5	8 / 3	2024-12-03
4.6.4	8 / 3	2024-12-03
4.6.3	8 / 3	2024-11-25
4.6.2	8 / 3	2024-11-20
4.6.1	8 / 3	2024-11-13
4.6.0	8 / 3	2024-11-12
4.5.1	8 / 3	2024-10-31
4.5.0	8 / 3	2024-10-29
4.4.3	8 / 3	2024-10-25
4.4.2	8 / 3	2024-10-21
4.4.1	8 / 3	2024-10-15
4.4.0	8 / 3	2024-10-05
4.3.3	8 / 3	2024-09-30
4.3.2	8 / 3	2024-09-17
4.3.1	8 / 3	2024-09-16
4.3.0	8 / 3	2024-09-04
4.2.1	8 / 3	2024-09-03
4.2.0	8 / 3	2024-08-26