@aws-amplify/auth — Greenflagged

Auth category of aws-amplify

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-amplify-opsamplify-studio-uibuilderamplify-codegenamplify-data-dev-npmaws-amplify-data-runtime

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@aws-amplify/common	AI (dependencies): @aws-amplify/common is a sibling package in the same AWS Amplify monorepo; expected dependency for all versions of this package.	ai	2026/04/21
dependencies	unvetted-dep:aws-sdk	AI (dependencies): aws-sdk is a core AWS dependency expected for @aws-amplify/auth; stable and legitimate for this package across all versions.	ai	2026/04/21
source-diff	source-size-dropped	AI (source-diff): Pre-release version of monorepo package; source size variations are expected and benign in this context.	ai	2026/04/21
dependencies	unvetted-peer-dep:react-native	AI (dependencies): react-native is a legitimate peer dependency for auth library; expected for this package.	ai	2026/04/21
source-diff	encoded-string-file:dist/aws-amplify-auth.min.js	AI (source-diff): Minified bundle for a major AWS library; long encoded strings are standard minification artifacts. Sample confirms safe-buffer/process polyfill code, not malicious payloads.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/cache	AI (dependencies): Internal AWS Amplify monorepo dependency; same org scope and legitimate internal coupling.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): AWS Amplify publishes many packages with templated names by design; this is a known false positive for the aws-amplify org scope.	ai	2026/04/21
semgrep	semgrep:toplevel-fetch	AI (semgrep): Fetch call is part of Cognito auth flow (launchUri handler); legitimate use, not data exfiltration.	ai	2026/04/21
phantom-deps	phantom-dep:@aws-amplify/cache	AI (phantom-deps): Expected monorepo internal dependency pattern; same org scope.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance not yet enabled; not a security disqualifier for established AWS package.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (amzn-oss, jamesiri, jpeddicord) reflect AWS organizational changes within the official Amplify project, not a takeover.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): crypto-js is established library appropriate for auth package; no supply-chain risk.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of richardzcode is part of legitimate maintainer transition within AWS Amplify; combined with new AWS maintainers, indicates organizational restructuring, not compromise.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Documented AWS organizational transition in 2020; legitimate maintainer handoff.	ai	2026/04/21
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is legitimate Cognito auth protocol handling, not obfuscation.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): 55 new files reflect normal package evolution; no bundled/injected code indicators.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/core	AI (dependencies): Internal AWS Amplify dependency within same organization scope; monorepo pattern.	ai	2026/04/21