@aws-amplify/core — Greenflagged

Core category of aws-amplify

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-amplify-opsamplify-studio-uibuilderamplify-codegenamplify-data-dev-npmaws-amplify-data-runtime

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): AWS-published package with strong track record; dormancy followed by legitimate build system updates, not takeover indicator.	ai	2026/04/22
provenance	missing-githead	AI (provenance): Established AWS Amplify package published by aws-amplify-ops with strong track record; missing gitHead is likely a CI pipeline change, not a malicious signal.	ai	2026/04/22
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a standard TypeScript runtime helper, commonly used implicitly by TypeScript-compiled packages.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Legitimate webpack config pattern for loading react-native-url-polyfill metadata; not arbitrary module loading.	ai	2026/04/22
phantom-deps	phantom-dep:@types/node-fetch	AI (phantom-deps): @types/node-fetch is a type declaration package; not directly imported at runtime by design.	ai	2026/04/22
semgrep	semgrep:env-bulk-read	AI (semgrep): Reading process.env keys to detect React environment is standard platform detection logic in a core AWS Amplify library.	ai	2026/04/21
phantom-deps	phantom-dep:@types/uuid	AI (phantom-deps): @types/ packages are type-only and commonly included without direct imports; stable false positive for this package.	ai	2026/04/21
dependencies	unvetted-dep:@aws-sdk/url-parser-node	AI (dependencies): @aws-sdk/url-parser-node is an official AWS SDK v3 package from Amazon; the unvetted flag reflects the alpha stage at time of publish, not a security concern.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Publisher change from mlabieniec to aws-amplify-ops in June 2019 reflects legitimate AWS organizational transfer; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:url	AI (dependencies): Standard Node.js URL utility; legitimate dependency for AWS library.	ai	2026/04/21
dependencies	unvetted-dep:@aws-sdk/credential-provider-cognito-identity	AI (dependencies): First-party AWS SDK package; unvetted status expected for beta SDK v3 packages in active development.	ai	2026/04/21
dependencies	unvetted-dep:@aws-crypto/sha256-js	AI (dependencies): AWS crypto library; expected dependency for AWS Amplify core.	ai	2026/04/21
typosquat	typosquat.levenshtein:cors	AI (typosquat): Scoped @aws-amplify/core package is not a typosquat; legitimate AWS Amplify namespace.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Official AWS package with clear purpose and repository; mass-production signal is false positive for corporate publishers.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable	AI (dependencies): zen-observable is an established RxJS-related package; legitimate dependency for observable patterns.	ai	2026/04/21
dependencies	unvetted-dep:@aws-sdk/client-cognito-identity	AI (dependencies): Official AWS SDK v3 package; expected dependency for Cognito integration in AWS Amplify.	ai	2026/04/21
phantom-deps	phantom-dep:@aws-sdk/node-http-handler	AI (phantom-deps): AWS SDK packages loaded by convention; framework-scoped dependency pattern.	ai	2026/04/21
phantom-deps	phantom-dep:@aws-sdk/util-user-agent-browser	AI (phantom-deps): AWS SDK utility package loaded by convention; framework-scoped dependency pattern.	ai	2026/04/21
dependencies	unvetted-dep:@aws-sdk/node-http-handler	AI (dependencies): First-party AWS SDK package; unvetted status expected for beta SDK v3 packages in active development.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable-ts	AI (dependencies): zen-observable-ts is a known RxJS observable library; unvetted status is metadata signal, not security concern.	ai	2026/04/21
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() used for safe browser/Node.js environment detection; input is not user-controlled. Legitimate pattern in cross-platform libraries.	ai	2026/04/21
dependencies	unvetted-dep:aws-sdk	AI (dependencies): aws-sdk is a core AWS library; pinned version 2.474.0 is stable for this package.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): 106 new source files reflect major version bump with AWS SDK v3 integration; no bundled/injected code indicators.	ai	2026/04/21
provenance	no-provenance	AI (provenance): AWS Amplify is an established project; missing provenance is a process improvement, not a security blocker for this trusted publisher.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): zen-observable is an established library; new dependency is legitimate for this AWS-maintained package.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer transition to aws-amplify-ops in 2019 is a documented organizational handoff; stable for this package.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Normal maintainer rotation; no compromise indicators present in this established project.	ai	2026/04/21

Versions (showing 100 of 324)

Show 55 prereleases

Version	Deps	Published
5.8.11	10 / 5	2024-03-06
5.8.10	10 / 5	2024-02-20
5.8.9	10 / 5	2024-01-09
5.8.8	10 / 5	2024-01-05
5.8.7	10 / 5	2023-12-04
5.8.6	10 / 5	2023-11-06
5.8.5	10 / 5	2023-09-14
5.8.4	10 / 5	2023-08-23
5.8.3	10 / 5	2023-08-22
5.8.2	10 / 5	2023-08-17
5.8.1	10 / 5	2023-08-10
5.8.0	10 / 5	2023-07-31
5.7.0	10 / 5	2023-07-20
5.6.0	10 / 5	2023-07-13
5.5.2	9 / 6	2023-06-28
5.5.1	9 / 6	2023-06-21
5.5.0	9 / 6	2023-06-20
5.4.0	9 / 6	2023-06-05
5.3.1	10 / 5	2023-05-27
5.3.0	10 / 5	2023-05-12
5.2.0	9 / 5	2023-05-04
5.1.13	9 / 5	2023-04-27
5.1.12	9 / 5	2023-04-20
5.1.11	9 / 5	2023-04-18
5.1.10	9 / 5	2023-04-13
5.1.9	9 / 5	2023-04-12
5.1.8	9 / 5	2023-04-06
5.1.7	9 / 5	2023-04-04
5.1.6	9 / 5	2023-03-30
5.1.5	9 / 5	2023-03-23
5.1.4	9 / 5	2023-03-21
5.1.3	9 / 5	2023-03-16
5.1.2	9 / 5	2023-03-13
5.1.1	9 / 5	2023-03-08
5.1.0	9 / 5	2023-03-06
5.0.16	9 / 5	2023-02-24
5.0.15	9 / 5	2023-02-16
5.0.14	9 / 5	2023-02-09
5.0.13	9 / 5	2023-02-08
5.0.12	9 / 5	2023-01-30
5.0.11	9 / 5	2023-01-19
5.0.10	9 / 5	2023-01-13
5.0.9	9 / 5	2023-01-10
5.0.8	9 / 5	2022-12-27
5.0.7	9 / 5	2022-12-16
5.0.6	9 / 5	2022-12-15
5.0.5	9 / 5	2022-12-06
5.0.4	9 / 5	2022-11-23
5.0.3	9 / 5	2022-11-19
5.0.2	9 / 5	2022-11-16
5.0.1	9 / 5	2022-11-11
5.0.0	9 / 5	2022-11-08
4.7.15	8 / 5	2023-02-09
4.7.14	8 / 5	2022-12-27
4.7.13	8 / 5	2022-12-14
4.7.12	8 / 5	2022-11-04
4.7.11	8 / 5	2022-10-27
4.7.10	8 / 5	2022-10-26
4.7.9	8 / 5	2022-10-25
4.7.8	8 / 5	2022-10-14
4.7.7	8 / 5	2022-10-14
4.7.6	8 / 5	2022-09-30
4.7.5	8 / 5	2022-09-20
4.7.4	8 / 5	2022-09-08
4.7.3	8 / 5	2022-09-01
4.7.2	8 / 5	2022-08-23
4.7.1	8 / 5	2022-08-18
4.7.0	8 / 5	2022-08-16
4.6.1	8 / 5	2022-08-01
4.6.0	8 / 5	2022-07-28
4.5.10	8 / 5	2022-07-21
4.5.9	8 / 5	2022-07-07
4.5.8	8 / 5	2022-06-18
4.5.7	8 / 5	2022-06-15
4.5.6	8 / 5	2022-05-24
4.5.5	8 / 5	2022-05-23
4.5.4	8 / 5	2022-05-12
4.5.3	8 / 5	2022-05-03
4.5.2	8 / 5	2022-04-14
4.5.1	8 / 5	2022-04-04
4.5.0	8 / 5	2022-03-28
4.4.2	8 / 5	2022-03-22
4.4.1	8 / 5	2022-03-10
4.4.0	8 / 5	2022-02-28
4.3.14	8 / 5	2022-02-03
4.3.13	8 / 5	2022-01-27
4.3.12	8 / 5	2022-01-07
4.3.11	8 / 5	2021-12-16
4.3.10	8 / 5	2021-12-03
4.3.9	8 / 5	2021-12-02
4.3.8	8 / 5	2021-11-18
4.3.7	8 / 5	2021-11-16
4.3.6	8 / 5	2021-11-12
4.3.5	8 / 5	2021-11-09
4.3.4	8 / 5	2021-10-28
4.3.3	8 / 5	2021-10-21
4.3.2	8 / 5	2021-10-07
4.3.1	8 / 5	2021-09-30
4.3.0	8 / 5	2021-09-24
4.2.11	8 / 5	2021-09-22

Showing 100 of 324 Next page →