@aws-amplify/api
Api category of aws-amplify
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@aws-amplify/auth | AI (dependencies): @aws-amplify/auth is a first-party AWS Amplify package from the same org scope; its use here is expected and stable across all versions of this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of richardzcode aligns with legitimate AWS team transitions; no compromise indicators present. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is a legitimate RxJS utility library; stable constraint ^0.8.6 is appropriate for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer addition is normal for AWS-maintained monorepo; repository URL unchanged and legitimate. | ai | |
| dependencies | unvetted-dep:axios | AI (dependencies): axios is a standard HTTP client used throughout AWS Amplify; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@aws-amplify/cache | AI (dependencies): @aws-amplify/cache is a sibling AWS Amplify package; unvetted status is expected within the same org scope. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Signals are minor metadata issues (mass-production maintainer, missing keywords); not indicative of malware for AWS-official package. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): uuid is properly declared and used in config; phantom status is expected for utility dependencies. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Source size reduction reflects normal refactoring and build system changes; no indication of stub/redirect. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is common for packages published before Sigstore adoption; not a security risk for this established package. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Scoped package @aws-amplify/api is not a typosquat; Levenshtein distance on scoped names produces false positives. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): Scoped package @aws-amplify/api is not a typosquat; Levenshtein distance on scoped names produces false positives. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): Scoped package @aws-amplify/api is not a typosquat; Levenshtein distance on scoped names produces false positives. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): Scoped package @aws-amplify/api is not a typosquat; Levenshtein distance on scoped names produces false positives. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): Framework-scoped types package; phantom declaration is conventional for TypeScript projects. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): uuid is an established, benign utility library; not a suspicious dependency addition pattern. | ai | |
| phantom-deps | phantom-dep:@aws-amplify/auth | AI (phantom-deps): Same-org scoped dependency in AWS Amplify monorepo; phantom declaration is expected. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition (2018) aligns with AWS organizational changes; official repo and authorship provide trust. | ai | |
| source-diff | encoded-string-file:dist/aws-amplify-api.min.js | AI (source-diff): Minified webpack bundle with standard UMD boilerplate; encoded strings are normal build artifacts, not malicious payloads. | ai | |
| dependencies | unvetted-dep:@aws-amplify/core | AI (dependencies): Sibling @aws-amplify package from same trusted publisher; expected dependency. | ai | |
Versions (showing 87 of 87)
| Version | Deps | Published |
|---|---|---|
| 6.3.26 | 5 / 2 | |
| 6.3.25 | 5 / 2 | |
| 6.3.24 | 5 / 2 | |
| 6.3.23 | 5 / 2 | |
| 6.3.22 | 5 / 2 | |
| 6.3.21 | 5 / 2 | |
| 6.3.20 | 5 / 2 | |
| 6.3.19 | 5 / 2 | |
| 6.3.18 | 5 / 2 | |
| 6.3.17 | 5 / 2 | |
| 6.3.16 | 5 / 2 | |
| 6.3.15 | 5 / 2 | |
| 6.3.14 | 5 / 2 | |
| 6.3.13 | 5 / 2 | |
| 6.3.12 | 5 / 2 | |
| 6.3.11 | 5 / 3 | |
| 6.3.10 | 5 / 3 | |
| 6.3.9 | 5 / 3 | |
| 6.3.8 | 5 / 3 | |
| 6.3.7 | 5 / 3 | |
| 6.3.6 | 5 / 3 | |
| 6.3.5 | 5 / 3 | |
| 6.3.4 | 5 / 3 | |
| 6.3.3 | 5 / 3 | |
| 6.3.2 | 5 / 3 | |
| 6.3.1 | 5 / 3 | |
| 6.3.0 | 5 / 3 | |
| 6.2.3 | 5 / 3 | |
| 6.2.2 | 3 / 2 | |
| 6.2.1 | 3 / 2 | |
| 6.2.0 | 3 / 2 | |
| 6.1.9 | 3 / 1 | |
| 6.1.8 | 3 / 1 | |
| 6.1.7 | 3 / 1 | |
| 6.1.6 | 3 / 1 | |
| 6.1.5 | 3 / 1 | |
| 6.1.4 | 3 / 1 | |
| 6.1.3 | 3 / 1 | |
| 6.1.2 | 3 / 1 | |
| 6.1.1 | 3 / 1 | |
| 6.1.0 | 3 / 1 | |
| 6.0.56 | 3 / 1 | |
| 6.0.55 | 3 / 1 | |
| 6.0.54 | 3 / 1 | |
| 6.0.53 | 3 / 1 | |
| 6.0.52 | 3 / 1 | |
| 6.0.51 | 3 / 1 | |
| 6.0.50 | 3 / 1 | |
| 6.0.49 | 3 / 1 | |
| 6.0.48 | 3 / 1 | |
| 6.0.47 | 3 / 1 | |
| 6.0.46 | 3 / 1 | |
| 6.0.45 | 3 / 1 | |
| 6.0.44 | 3 / 1 | |
| 6.0.43 | 3 / 1 | |
| 6.0.42 | 3 / 1 | |
| 6.0.41 | 3 / 1 | |
| 6.0.40 | 3 / 1 | |
| 6.0.39 | 3 / 1 | |
| 6.0.38 | 3 / 1 | |
| 6.0.37 | 3 / 1 | |
| 6.0.36 | 3 / 1 | |
| 6.0.35 | 3 / 1 | |
| 6.0.34 | 3 / 1 | |
| 6.0.33 | 3 / 1 | |
| 6.0.32 | 3 / 1 | |
| 6.0.31 | 3 / 1 | |
| 5.4.21 | 3 / 2 | |
| 5.4.20 | 3 / 2 | |
| 5.4.19 | 3 / 2 | |
| 5.4.18 | 3 / 2 | |
| 3.1.9 | 2 / 1 | |
| 3.1.8 | 2 / 1 | |
| 3.1.7 | 2 / 1 | |
| 3.1.6 | 2 / 1 | |
| 3.1.5 | 2 / 1 | |
| 3.1.4 | 2 / 1 | |
| 3.1.3 | 2 / 1 | |
| 3.1.2 | 2 / 1 | |
| 3.1.0 | 2 / 1 | |
| 2.1.3 | 7 / 1 | |
| 1.0.18 | 8 / 21 | |
| 1.0.14 | 8 / 21 | |
| 1.0.13 | 8 / 21 | |
| 1.0.9 | 7 / 21 | |
| 1.0.4 | 7 / 21 | |
| 1.0.1 | 7 / 21 | |
v6.3.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.56
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.55
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.54
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.53
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.52
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.51
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.50
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.49
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.48
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.47
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.46
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.45
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.44
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.43
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.42
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.41
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.40
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.39
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.38
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.37
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.36
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.34
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.33
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-07-18. This could indicate a legitimate maintainer transition or an account compromise.