@aws-amplify/api-rest — Greenflagged

Api-rest category of aws-amplify

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-amplify-opsamplify-studio-uibuilderamplify-codegenamplify-data-dev-npmaws-amplify-data-runtime

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() is used as the default case in a standard Proxy get trap — idiomatic, non-obfuscated TypeScript code. Not a real obfuscation signal for this package.	ai	2026/04/21
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a well-known implicit TypeScript runtime dependency; phantom-dep firing on it is a stable false positive for TypeScript packages.	ai	2026/04/21
provenance	missing-githead	AI (provenance): gitHead absence is a publish environment change, not a security issue; stable for AWS Amplify's established release process.	ai	2026/04/21
dependencies	unvetted-dep:axios	AI (dependencies): axios 0.19.0 is a pinned, widely-used HTTP library; stable dependency for this package.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Routine maintainer list update in established monorepo; aws-amplify-ops is institutional AWS account with strong approval track record.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Signals reflect monorepo templated structure, not malicious intent; stable for aws-amplify packages.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer on active AWS Amplify project; publisher has 85 approved packages and 2614-day history.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance attestation is a CI/CD best practice; its absence is not a security defect for this established package.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Publisher change from aws-amplify-ops to ericclemmons reflects a documented AWS Amplify team transition; ericclemmons is a known AWS Amplify principal engineer. Stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/core	AI (dependencies): Internal monorepo dependency within aws-amplify; expected and stable for this package.	ai	2026/04/21

Versions (showing 51 of 130)

View all versions

Version	Deps	Published
4.6.4	1 / 3	2026-04-14
4.6.3	1 / 3	2026-02-05
4.6.2	1 / 3	2026-01-22
4.6.1	1 / 3	2026-01-15
4.6.0	1 / 3	2025-12-10
4.5.0	1 / 3	2025-11-06
4.4.1	1 / 3	2025-09-29
4.4.0	1 / 3	2025-09-11
4.3.0	1 / 3	2025-08-06
4.2.0	1 / 3	2025-07-23
4.1.8	1 / 3	2025-07-03
4.1.7	1 / 3	2025-07-02
4.1.6	1 / 3	2025-06-17
4.1.5	1 / 3	2025-05-27
4.1.4	1 / 4	2025-04-28
4.1.3	1 / 4	2025-04-21
4.1.2	1 / 4	2025-04-09
4.1.1	1 / 4	2025-03-28
4.1.0	1 / 4	2025-03-25
4.0.75	1 / 4	2025-03-21
4.0.74	1 / 4	2025-03-14
4.0.73	1 / 4	2025-03-07
4.0.72	1 / 4	2025-03-05
4.0.71	1 / 4	2025-02-27
4.0.70	1 / 4	2025-02-20
4.0.69	1 / 4	2025-02-12
4.0.68	1 / 4	2025-02-04
4.0.67	1 / 3	2025-01-24
4.0.66	1 / 3	2025-01-14
4.0.65	1 / 3	2025-01-03
4.0.64	1 / 3	2024-12-19
4.0.63	1 / 3	2024-12-12
4.0.62	1 / 3	2024-12-03
4.0.61	1 / 3	2024-12-03
4.0.60	1 / 3	2024-11-25
4.0.59	1 / 3	2024-11-20
4.0.58	1 / 3	2024-11-13
4.0.57	1 / 3	2024-11-12
4.0.56	1 / 3	2024-10-31
4.0.55	1 / 3	2024-10-29
4.0.54	1 / 3	2024-10-25
4.0.53	1 / 3	2024-10-21
4.0.52	1 / 3	2024-10-15
4.0.51	1 / 3	2024-10-05
4.0.50	1 / 3	2024-09-30
4.0.49	1 / 3	2024-09-17
4.0.48	1 / 3	2024-09-16
4.0.47	1 / 3	2024-09-04
4.0.46	1 / 3	2024-09-03
4.0.45	1 / 3	2024-08-26
4.0.44	1 / 3	2024-08-21