@aws-amplify/datastore — Greenflagged

AppSyncLocal support for aws-amplify

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-amplify-opsamplify-studio-uibuilderamplify-codegenamplify-data-dev-npmaws-amplify-data-runtime

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:hex-decode	AI (semgrep): PRNG/random bytes utility using hex encoding — cryptographic utility, not obfuscation.	ai	2026/05/15
semgrep	semgrep:base64-decode	AI (semgrep): JWT token payload parsing — standard auth pattern in Amplify DataStore sync processor, not malicious.	ai	2026/05/15
publish-pattern	new-deps-added	AI (publish-pattern): New deps (rxjs, ulid, buffer, @aws-amplify/api-graphql) are all legitimate, well-known packages appropriate for a major version update of an AWS Amplify library.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): Diff is against v1.0.1; this is a major version jump (1.x→5.x) for an established AWS library. Large file count increase is expected and files are standard build artifacts (source maps, CJS/ESM bundles).	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/core	AI (dependencies): @aws-amplify/core is a first-party AWS Amplify dependency; its presence in this package is expected and stable across all versions.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of individual maintainers corresponds to AWS Amplify's shift to team-based publishing. Publisher aws-amplify-ops is unchanged and has strong track record.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): AWS Amplify migrated from individual maintainer accounts to team/bot accounts (amplify-*). This is a documented organizational change, not a takeover signal.	ai	2026/04/21
dependencies	unvetted-dep:ulid	AI (dependencies): ulid is a legitimate, widely-used ULID generation library with no known malicious history. Its use in an AWS SDK package is appropriate.	ai	2026/04/21
phantom-deps	phantom-dep:buffer	AI (phantom-deps): buffer is a Node.js core polyfill commonly declared as a runtime dep for browser bundling without direct imports in source. Standard pattern for SDK packages.	ai	2026/04/21
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy is an artifact of comparing against v1.0.1 (the only prior approved version). The package has been actively maintained; this is a major version jump, not a revival of an abandoned package.	ai	2026/04/21
source-diff	encoded-string-file:dist/aws-amplify-datastore.min.js	AI (source-diff): Encoded strings in minified dist are cryptographic constants and license headers, not malicious payloads. Standard for compiled AWS libraries.	ai	2026/04/21
phantom-deps	phantom-dep:@aws-amplify/pubsub	AI (phantom-deps): Same-org phantom dependency is expected; likely used transitively through other @aws-amplify modules.	ai	2026/04/21
dependencies	unvetted-dep:@aws-amplify/pubsub	AI (dependencies): Internal AWS Amplify dependency; acceptable within the ecosystem.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable-ts	AI (dependencies): Pinned to 0.8.19; zen-observable-ts is a stable RxJS dependency, acceptable for this package.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): AWS Amplify is a large monorepo; mass-produced scoped packages and missing keywords are normal, not spam indicators.	ai	2026/04/21
dependencies	unvetted-dep:zen-push	AI (dependencies): zen-push is a legitimate observable utility used in the Apollo/GraphQL ecosystem; appropriate for Amplify DataStore.	ai	2026/04/21
dependencies	unvetted-dep:idb	AI (dependencies): Dependency already accepted in prior versions; stable for this package.	ai	2026/04/21

Versions (showing 75 of 75)

Version	Deps	Published
5.1.7	7 / 7	2026-05-05
5.1.6	7 / 7	2026-04-14
5.1.5	7 / 7	2026-02-05
5.1.4	7 / 7	2026-01-22
5.1.3	7 / 7	2026-01-15
5.1.2	7 / 7	2025-12-10
5.1.1	7 / 7	2025-11-06
5.1.0	7 / 7	2025-09-29
5.0.89	7 / 7	2025-09-11
5.0.88	7 / 7	2025-08-06
5.0.87	7 / 7	2025-07-23
5.0.86	7 / 7	2025-07-03
5.0.85	7 / 7	2025-07-02
5.0.84	7 / 7	2025-06-17
5.0.83	7 / 7	2025-05-27
5.0.82	7 / 8	2025-04-28
5.0.81	7 / 8	2025-04-21
5.0.80	7 / 8	2025-04-09
5.0.79	7 / 8	2025-03-28
5.0.78	7 / 8	2025-03-25
5.0.77	7 / 8	2025-03-21
5.0.76	7 / 8	2025-03-14
5.0.75	7 / 8	2025-03-07
5.0.74	7 / 8	2025-03-05
5.0.73	7 / 8	2025-02-27
5.0.72	7 / 8	2025-02-20
5.0.71	7 / 8	2025-02-12
5.0.70	7 / 8	2025-02-04
5.0.69	6 / 8	2025-01-24
5.0.68	6 / 8	2025-01-14
5.0.67	6 / 8	2025-01-03
5.0.66	6 / 8	2024-12-19
5.0.65	6 / 8	2024-12-12
5.0.64	6 / 8	2024-12-03
5.0.63	6 / 8	2024-12-03
5.0.62	6 / 8	2024-11-25
5.0.61	6 / 8	2024-11-20
5.0.60	6 / 8	2024-11-13
5.0.59	6 / 8	2024-11-12
5.0.58	6 / 8	2024-10-31
5.0.57	6 / 8	2024-10-29
5.0.56	6 / 8	2024-10-25
5.0.55	6 / 8	2024-10-21
5.0.54	6 / 8	2024-10-15
5.0.53	6 / 8	2024-10-05
5.0.52	6 / 8	2024-09-30
5.0.51	6 / 8	2024-09-17
5.0.50	6 / 8	2024-09-16
5.0.49	6 / 8	2024-09-04
5.0.48	6 / 8	2024-09-03
5.0.47	6 / 8	2024-08-26
5.0.46	6 / 8	2024-08-21
5.0.45	6 / 8	2024-08-15
5.0.44	6 / 8	2024-08-07
5.0.43	6 / 8	2024-08-05
5.0.42	6 / 8	2024-07-23
5.0.41	6 / 8	2024-07-22
5.0.40	6 / 8	2024-07-19
5.0.39	6 / 8	2024-07-08
5.0.38	6 / 8	2024-06-24
5.0.37	6 / 8	2024-06-07
5.0.36	6 / 8	2024-06-04
5.0.35	6 / 8	2024-05-23
5.0.34	6 / 8	2024-05-23
5.0.33	6 / 8	2024-05-13
5.0.32	6 / 8	2024-05-07
5.0.31	6 / 8	2024-04-29
4.7.22	12 / 6	2026-03-13
4.7.21	12 / 6	2026-03-09
4.7.20	12 / 6	2026-02-25
4.7.19	12 / 6	2026-02-17
4.7.18	12 / 6	2025-11-10
1.0.3	8 / 1	2019-12-18
1.0.2	8 / 1	2019-12-04
1.0.1	8 / 1	2019-12-03