@aws-amplify/api-graphql
Api-graphql category of aws-amplify
Versions: 32
License: Apache-2.0
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
amzn-oss, aws-amplify-ops, amplify-studio-uibuilder, amplify-codegen, amplify-data-dev-npm, aws-amplify-data-runtime
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Major version gap (v3→v4) explains dormancy; aws-amplify-ops is a well-established publisher with 4000+ approved packages. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/types | AI (phantom-deps): Framework-scoped type package; stable false positive for AWS Amplify packages. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 6x size increase is expected for a major version rewrite adding new providers and ESM/CJS dual builds. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version rewrite accounts for 163 new source files; consistent with v3→v4 restructuring of AWS Amplify GraphQL API. | ai | |
| provenance | missing-githead | AI (provenance): AWS Amplify is a large AWS org; missing gitHead is consistent with a CI/CD pipeline change rather than a compromise signal, especially with no other corroborating indicators. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): Framework-scoped type definition loaded by TypeScript convention; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is a stable, widely-used RxJS dependency; acceptable for AWS Amplify's GraphQL API layer. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): mattsb42-aws is an AWS-affiliated maintainer; addition is consistent with normal team transitions. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependency is @aws-amplify/pubsub, an internal sibling package, not a third-party addition. | ai | |
| dependencies | unvetted-dep:@aws-amplify/pubsub | AI (dependencies): Internal AWS Amplify monorepo dependency; unvetted status is expected for internal packages. | ai | |
| dependencies | unvetted-dep:zen-observable-ts | AI (dependencies): zen-observable-ts is a standard RxJS observable library; unvetted status is expected for ecosystem packages. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): uuid is referenced in config but not directly imported; benign phantom dependency. | ai | |
| dependencies | unvetted-dep:@aws-amplify/cache | AI (dependencies): Internal AWS Amplify monorepo dependency; unvetted status is expected for internal packages. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is not yet standard practice; absence is not a security concern for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of prior maintainers is normal team transition; no compromise indicators present. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Mass-production pattern reflects AWS monorepo structure; no malicious intent. Missing keywords is cosmetic. | ai | |
| dependencies | unvetted-dep:@aws-amplify/api-rest | AI (dependencies): Sibling package in the AWS Amplify monorepo, published at the same build hash. Consistently co-released; not an independent third-party dependency. | ai | |
| dependencies | unvetted-peer-dep:@aws-amplify/pubsub | AI (dependencies): Peer dependency on internal AWS Amplify package; acceptable for monorepo architecture. | ai | |
| dependencies | unvetted-dep:@aws-amplify/core | AI (dependencies): Internal AWS Amplify monorepo dependency; unvetted status is expected for internal packages. | ai | |
Versions (showing 32 of 133)
| Version | Deps | Published |
|---|---|---|
| 1.2.6 | 8 / 1 | |
| 1.2.5 | 8 / 1 | |
| 1.2.4 | 8 / 1 | |
| 1.2.3 | 8 / 1 | |
| 1.2.2 | 8 / 1 | |
| 1.2.1 | 8 / 1 | |
| 1.2.0 | 8 / 1 | |
| 1.1.7 | 8 / 1 | |
| 1.1.6 | 8 / 1 | |
| 1.1.5 | 8 / 1 | |
| 1.1.4 | 8 / 1 | |
| 1.1.3 | 8 / 1 | |
| 1.1.2 | 8 / 1 | |
| 1.1.1 | 8 / 1 | |
| 1.1.0 | 8 / 1 | |
| 1.0.18 | 8 / 1 | |
| 1.0.17 | 8 / 1 | |
| 1.0.16 | 8 / 1 | |
| 1.0.15 | 8 / 1 | |
| 1.0.14 | 8 / 1 | |
| 1.0.13 | 8 / 1 | |
| 1.0.12 | 8 / 1 | |
| 1.0.11 | 8 / 1 | |
| 1.0.10 | 8 / 1 | |
| 1.0.9 | 8 / 1 | |
| 1.0.8 | 7 / 1 | |
| 1.0.7 | 7 / 1 | |
| 1.0.6 | 7 / 1 | |
| 1.0.5 | 7 / 1 | |
| 1.0.4 | 7 / 1 | |
| 1.0.2 | 7 / 1 | |
| 1.0.1 | 9 / 0 | |