@aws-amplify/cli-internal

Amplify CLI

Versions: 4
License: Apache-2.0
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-oss, aws-amplify-ops, amplify-studio-uibuilder, amplify-codegen, amplify-data-dev-npm, aws-amplify-data-runtime

Keywords

graphql, appsync, aws

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | no-provenance | AI (provenance): Established AWS Amplify monorepo package; lack of Sigstore provenance is common and not a risk signal here. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): Runs local node scripts/post-install.js; consistent with CLI setup across all versions of this package. | ai |
semgrep | semgrep:credential-dir-access | AI (semgrep): Sample shows error message string matching on credential paths, not credential harvesting; stable CLI behavior. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Plugin loader pattern for Amplify provider plugins; documented and stable across versions. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): CLI tool legitimately spawns subprocesses; stable pattern across all versions. | ai |

Versions (showing 4 of 4)

Version | Deps | Published
14.4.0 | 88 / 21 |
14.2.3 | 70 / 19 |
14.2.0 | 70 / 19 |
14.0.2 | 69 / 19 |

v14.4.0

4 findings

[HIGH] Package has 'postinstall' script (install-scripts)

Script: node scripts/post-install.js

[HIGH] credential-dir-access: lib/amplify-exception-handler.js:139 (semgrep)

Accessing credential directories suggests credential harvesting
Source: https://github.com/aws-amplify/amplify-cli/blob/b30991213c07cbcc3b19b5386b51174ccc6d4237/lib/amplify-exception-handler.js#L139

      137 | path = '~/.amplify';
      138 | }
    > 139 | else if (err.message.includes('/.aws/amplify/')) {
      140 | path = '~/.aws/amplify';
      141 | }

[HIGH] credential-dir-access: lib/amplify-exception-handler.js:140 (semgrep)

Accessing credential directories suggests credential harvesting
Source: https://github.com/aws-amplify/amplify-cli/blob/b30991213c07cbcc3b19b5386b51174ccc6d4237/lib/amplify-exception-handler.js#L140

      138 | }
      139 | else if (err.message.includes('/.aws/amplify/')) {
    > 140 | path = '~/.aws/amplify';
      141 | }
      142 | else if (err.message.includes('/amplify/')) {

[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v14.2.3

4 findings

[HIGH] Package has 'postinstall' script (install-scripts)

Script: node scripts/post-install.js

[HIGH] credential-dir-access: lib/amplify-exception-handler.js:139 (semgrep)

Accessing credential directories suggests credential harvesting
Source: https://github.com/aws-amplify/amplify-cli/blob/f7aa51f9ab70a655991dbcfafdce678ad8194af1/lib/amplify-exception-handler.js#L139

      137 | path = '~/.amplify';
      138 | }
    > 139 | else if (err.message.includes('/.aws/amplify/')) {
      140 | path = '~/.aws/amplify';
      141 | }

[HIGH] credential-dir-access: lib/amplify-exception-handler.js:140 (semgrep)

Accessing credential directories suggests credential harvesting
Source: https://github.com/aws-amplify/amplify-cli/blob/f7aa51f9ab70a655991dbcfafdce678ad8194af1/lib/amplify-exception-handler.js#L140

      138 | }
      139 | else if (err.message.includes('/.aws/amplify/')) {
    > 140 | path = '~/.aws/amplify';
      141 | }
      142 | else if (err.message.includes('/amplify/')) {

[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v14.2.0

4 findings

[HIGH] Package has 'postinstall' script (install-scripts)

Script: node scripts/post-install.js

[HIGH] credential-dir-access: lib/amplify-exception-handler.js:139 (semgrep)

Accessing credential directories suggests credential harvesting
Source: https://github.com/aws-amplify/amplify-cli/blob/63ffdad2481937029eff028390fe0647915a9827/lib/amplify-exception-handler.js#L139

      137 | path = '~/.amplify';
      138 | }
    > 139 | else if (err.message.includes('/.aws/amplify/')) {
      140 | path = '~/.aws/amplify';
      141 | }

[HIGH] credential-dir-access: lib/amplify-exception-handler.js:140 (semgrep)

Accessing credential directories suggests credential harvesting
Source: https://github.com/aws-amplify/amplify-cli/blob/63ffdad2481937029eff028390fe0647915a9827/lib/amplify-exception-handler.js#L140

      138 | }
      139 | else if (err.message.includes('/.aws/amplify/')) {
    > 140 | path = '~/.aws/amplify';
      141 | }
      142 | else if (err.message.includes('/amplify/')) {

[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v14.0.2

4 findings

[HIGH] Package has 'postinstall' script (install-scripts)

Script: node scripts/post-install.js

[HIGH] credential-dir-access: lib/amplify-exception-handler.js:139 (semgrep)

Accessing credential directories suggests credential harvesting
Source: https://github.com/aws-amplify/amplify-cli/blob/287dda43e871eb48aa63cecdb92dbc7fc8bb793c/lib/amplify-exception-handler.js#L139

      137 | path = '~/.amplify';
      138 | }
    > 139 | else if (err.message.includes('/.aws/amplify/')) {
      140 | path = '~/.aws/amplify';
      141 | }

[HIGH] credential-dir-access: lib/amplify-exception-handler.js:140 (semgrep)

Accessing credential directories suggests credential harvesting
Source: https://github.com/aws-amplify/amplify-cli/blob/287dda43e871eb48aa63cecdb92dbc7fc8bb793c/lib/amplify-exception-handler.js#L140

      138 | }
      139 | else if (err.message.includes('/.aws/amplify/')) {
    > 140 | path = '~/.aws/amplify';
      141 | }
      142 | else if (err.message.includes('/amplify/')) {

[LOW] No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.