@aws-amplify/pubsub
Pubsub category of aws-amplify
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): AWS Amplify pubsub was actively expanding features in this era; new source files reflect legitimate feature growth, not injected code. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size reduction reflects refactoring of shared code into @aws-amplify/core; a known pattern in the amplify-js monorepo, not a stub replacement. | ai | |
| provenance | missing-githead | AI (provenance): AWS Amplify is a large org that periodically updates CI/CD pipelines; missing gitHead across a version with no content changes is a low-risk publish environment shift, not a supply chain indicator. | ai | |
| provenance | publisher-changed | AI (provenance): AWS Amplify consolidated publishing under aws-amplify-ops org account; this is a documented organizational transition, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are AWS Amplify team members added as part of the same organizational consolidation; stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance availability on npm; no provenance is expected for packages of this age from this publisher. | ai | |
| dependencies | unvetted-dep:@types/paho-mqtt | AI (dependencies): @types/paho-mqtt is a TypeScript type definition package for the MQTT client; expected and benign dependency for an AWS Amplify PubSub package. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is a legitimate RxJS observable implementation; standard dependency for AWS Amplify pubsub. | ai | |
| phantom-deps | phantom-dep:@types/paho-mqtt | AI (phantom-deps): TypeScript type definitions loaded by convention in framework packages; expected pattern. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): TypeScript type definitions loaded by convention in framework packages; expected pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Mass-production signal reflects AWS's monorepo structure; no keywords is a minor metadata issue, not malicious. | ai | |
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): buffer is a polyfill for browser compatibility; standard in AWS SDK packages. | ai | |
| phantom-deps | phantom-dep:@aws-amplify/auth | AI (phantom-deps): Same-org dependency used conditionally; stable pattern for AWS Amplify monorepo. | ai | |
| phantom-deps | phantom-dep:url | AI (phantom-deps): url is a polyfill for browser compatibility; common pattern in AWS SDK packages. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): graphql may be used conditionally or through re-exports; stable for this package. | ai | |
Versions (showing 51 of 134)
| Version | Deps | Published |
|---|---|---|
| 6.1.70 | 6 / 1 | |
| 6.1.69 | 6 / 1 | |
| 6.1.68 | 6 / 1 | |
| 6.1.67 | 6 / 1 | |
| 6.1.66 | 6 / 1 | |
| 6.1.65 | 6 / 1 | |
| 6.1.64 | 6 / 1 | |
| 6.1.63 | 6 / 1 | |
| 6.1.62 | 6 / 1 | |
| 6.1.61 | 6 / 1 | |
| 6.1.60 | 6 / 1 | |
| 6.1.59 | 6 / 1 | |
| 6.1.58 | 6 / 1 | |
| 6.1.57 | 6 / 1 | |
| 6.1.56 | 6 / 1 | |
| 6.1.55 | 6 / 2 | |
| 6.1.54 | 6 / 2 | |
| 6.1.53 | 6 / 2 | |
| 6.1.52 | 6 / 2 | |
| 6.1.51 | 6 / 2 | |
| 6.1.50 | 6 / 2 | |
| 6.1.49 | 6 / 2 | |
| 6.1.48 | 6 / 2 | |
| 6.1.47 | 6 / 2 | |
| 6.1.46 | 6 / 2 | |
| 6.1.45 | 6 / 2 | |
| 6.1.44 | 6 / 2 | |
| 6.1.43 | 6 / 2 | |
| 6.1.42 | 6 / 2 | |
| 6.1.41 | 6 / 2 | |
| 6.1.40 | 6 / 2 | |
| 6.1.39 | 6 / 2 | |
| 6.1.38 | 6 / 2 | |
| 6.1.37 | 6 / 2 | |
| 6.1.36 | 6 / 2 | |
| 6.1.35 | 6 / 2 | |
| 6.1.34 | 6 / 2 | |
| 6.1.33 | 6 / 2 | |
| 6.1.32 | 6 / 2 | |
| 6.1.31 | 6 / 2 | |
| 6.1.30 | 6 / 2 | |
| 6.1.29 | 6 / 2 | |
| 6.1.28 | 6 / 2 | |
| 6.1.27 | 6 / 2 | |
| 6.1.26 | 6 / 2 | |
| 6.1.25 | 6 / 2 | |
| 6.1.24 | 6 / 2 | |
| 6.1.23 | 6 / 2 | |
| 6.1.22 | 6 / 2 | |
| 6.1.21 | 6 / 2 | |
| 6.1.20 | 6 / 2 | |
v6.1.70
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.68
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.67
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.66
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.64
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.63
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.62
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.61
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.60
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.59
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.58
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.57
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.56
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.55
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.54
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.53
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.52
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.51
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.50
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.49
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.48
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.47
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.46
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.45
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.44
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.43
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.42
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.41
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.40
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.39
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.38
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.37
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.36
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.35
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.34
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.33
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.31
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.30
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.29
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.28
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.27
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.