@aws-amplify/core
Core category of aws-amplify
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): AWS-published package with strong track record; dormancy followed by legitimate build system updates, not takeover indicator. | ai | |
| provenance | missing-githead | AI (provenance): Established AWS Amplify package published by aws-amplify-ops with strong track record; missing gitHead is likely a CI pipeline change, not a malicious signal. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper, commonly used implicitly by TypeScript-compiled packages. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Legitimate webpack config pattern for loading react-native-url-polyfill metadata; not arbitrary module loading. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): @types/node-fetch is a type declaration package; not directly imported at runtime by design. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reading process.env keys to detect React environment is standard platform detection logic in a core AWS Amplify library. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): @types/ packages are type-only and commonly included without direct imports; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@aws-sdk/url-parser-node | AI (dependencies): @aws-sdk/url-parser-node is an official AWS SDK v3 package from Amazon; the unvetted flag reflects the alpha stage at time of publish, not a security concern. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from mlabieniec to aws-amplify-ops in June 2019 reflects legitimate AWS organizational transfer; stable for this package. | ai | |
| dependencies | unvetted-dep:url | AI (dependencies): Standard Node.js URL utility; legitimate dependency for AWS library. | ai | |
| dependencies | unvetted-dep:@aws-sdk/credential-provider-cognito-identity | AI (dependencies): First-party AWS SDK package; unvetted status expected for beta SDK v3 packages in active development. | ai | |
| dependencies | unvetted-dep:@aws-crypto/sha256-js | AI (dependencies): AWS crypto library; expected dependency for AWS Amplify core. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped @aws-amplify/core package is not a typosquat; legitimate AWS Amplify namespace. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Official AWS package with clear purpose and repository; mass-production signal is false positive for corporate publishers. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is an established RxJS-related package; legitimate dependency for observable patterns. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-cognito-identity | AI (dependencies): Official AWS SDK v3 package; expected dependency for Cognito integration in AWS Amplify. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/node-http-handler | AI (phantom-deps): AWS SDK packages loaded by convention; framework-scoped dependency pattern. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/util-user-agent-browser | AI (phantom-deps): AWS SDK utility package loaded by convention; framework-scoped dependency pattern. | ai | |
| dependencies | unvetted-dep:@aws-sdk/node-http-handler | AI (dependencies): First-party AWS SDK package; unvetted status expected for beta SDK v3 packages in active development. | ai | |
| dependencies | unvetted-dep:zen-observable-ts | AI (dependencies): zen-observable-ts is a known RxJS observable library; unvetted status is metadata signal, not security concern. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() used for safe browser/Node.js environment detection; input is not user-controlled. Legitimate pattern in cross-platform libraries. | ai | |
| dependencies | unvetted-dep:aws-sdk | AI (dependencies): aws-sdk is a core AWS library; pinned version 2.474.0 is stable for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 106 new source files reflect major version bump with AWS SDK v3 integration; no bundled/injected code indicators. | ai | |
| provenance | no-provenance | AI (provenance): AWS Amplify is an established project; missing provenance is a process improvement, not a security blocker for this trusted publisher. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): zen-observable is an established library; new dependency is legitimate for this AWS-maintained package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer transition to aws-amplify-ops in 2019 is a documented organizational handoff; stable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Normal maintainer rotation; no compromise indicators present in this established project. | ai |
Versions (showing 51 of 322)
| Version | Deps | Published |
|---|---|---|
| 6.16.3 | 8 / 3 | |
| 6.16.2 | 8 / 3 | |
| 6.16.1 | 8 / 3 | |
| 6.16.0 | 8 / 3 | |
| 6.15.1 | 8 / 3 | |
| 6.15.0 | 8 / 3 | |
| 6.14.0 | 8 / 3 | |
| 6.13.3 | 8 / 3 | |
| 6.13.2 | 8 / 3 | |
| 6.13.1 | 8 / 3 | |
| 6.13.0 | 8 / 3 | |
| 6.12.3 | 8 / 3 | |
| 6.12.2 | 8 / 3 | |
| 6.12.1 | 8 / 3 | |
| 6.12.0 | 8 / 3 | |
| 6.11.4 | 8 / 4 | |
| 6.11.3 | 8 / 4 | |
| 6.11.2 | 8 / 4 | |
| 6.11.1 | 8 / 4 | |
| 6.11.0 | 8 / 4 | |
| 6.10.6 | 8 / 4 | |
| 6.10.5 | 8 / 4 | |
| 6.10.4 | 8 / 4 | |
| 6.10.3 | 8 / 4 | |
| 6.10.2 | 8 / 4 | |
| 6.10.1 | 8 / 4 | |
| 6.10.0 | 9 / 4 | |
| 6.9.3 | 9 / 4 | |
| 6.9.2 | 8 / 4 | |
| 6.9.1 | 8 / 4 | |
| 6.9.0 | 8 / 4 | |
| 6.8.0 | 8 / 4 | |
| 6.7.3 | 8 / 4 | |
| 6.7.2 | 8 / 4 | |
| 6.7.1 | 8 / 4 | |
| 6.7.0 | 8 / 4 | |
| 6.6.0 | 8 / 4 | |
| 6.5.3 | 8 / 4 | |
| 6.5.2 | 8 / 4 | |
| 6.5.1 | 8 / 4 | |
| 6.5.0 | 8 / 4 | |
| 6.4.7 | 8 / 4 | |
| 6.4.6 | 8 / 4 | |
| 6.4.5 | 8 / 4 | |
| 6.4.4 | 8 / 4 | |
| 6.4.3 | 8 / 4 | |
| 6.4.2 | 8 / 4 | |
| 6.4.1 | 8 / 4 | |
| 6.4.0 | 8 / 4 | |
| 6.3.13 | 8 / 4 | |
| 6.3.12 | 8 / 4 |
v6.16.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.16.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.15.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.13.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.13.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.13.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.12.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.12.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.7.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.