@aws-amplify/pubsub
Pubsub category of aws-amplify
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): AWS Amplify pubsub was actively expanding features in this era; new source files reflect legitimate feature growth, not injected code. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size reduction reflects refactoring of shared code into @aws-amplify/core; a known pattern in the amplify-js monorepo, not a stub replacement. | ai | |
| provenance | missing-githead | AI (provenance): AWS Amplify is a large org that periodically updates CI/CD pipelines; missing gitHead across a version with no content changes is a low-risk publish environment shift, not a supply chain indicator. | ai | |
| provenance | publisher-changed | AI (provenance): AWS Amplify consolidated publishing under aws-amplify-ops org account; this is a documented organizational transition, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are AWS Amplify team members added as part of the same organizational consolidation; stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance availability on npm; no provenance is expected for packages of this age from this publisher. | ai | |
| dependencies | unvetted-dep:@types/paho-mqtt | AI (dependencies): @types/paho-mqtt is a TypeScript type definition package for the MQTT client; expected and benign dependency for an AWS Amplify PubSub package. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is a legitimate RxJS observable implementation; standard dependency for AWS Amplify pubsub. | ai | |
| phantom-deps | phantom-dep:@types/paho-mqtt | AI (phantom-deps): TypeScript type definitions loaded by convention in framework packages; expected pattern. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): TypeScript type definitions loaded by convention in framework packages; expected pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Mass-production signal reflects AWS's monorepo structure; no keywords is a minor metadata issue, not malicious. | ai | |
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): buffer is a polyfill for browser compatibility; standard in AWS SDK packages. | ai | |
| phantom-deps | phantom-dep:@aws-amplify/auth | AI (phantom-deps): Same-org dependency used conditionally; stable pattern for AWS Amplify monorepo. | ai | |
| phantom-deps | phantom-dep:url | AI (phantom-deps): url is a polyfill for browser compatibility; common pattern in AWS SDK packages. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): graphql may be used conditionally or through re-exports; stable for this package. | ai | |
Versions (showing 100 of 134)
| Version | Deps | Published |
|---|---|---|
| 6.1.70 | 6 / 1 | |
| 6.1.69 | 6 / 1 | |
| 6.1.68 | 6 / 1 | |
| 6.1.67 | 6 / 1 | |
| 6.1.66 | 6 / 1 | |
| 6.1.65 | 6 / 1 | |
| 6.1.64 | 6 / 1 | |
| 6.1.63 | 6 / 1 | |
| 6.1.62 | 6 / 1 | |
| 6.1.61 | 6 / 1 | |
| 6.1.60 | 6 / 1 | |
| 6.1.59 | 6 / 1 | |
| 6.1.58 | 6 / 1 | |
| 6.1.57 | 6 / 1 | |
| 6.1.56 | 6 / 1 | |
| 6.1.55 | 6 / 2 | |
| 6.1.54 | 6 / 2 | |
| 6.1.53 | 6 / 2 | |
| 6.1.52 | 6 / 2 | |
| 6.1.51 | 6 / 2 | |
| 6.1.50 | 6 / 2 | |
| 6.1.49 | 6 / 2 | |
| 6.1.48 | 6 / 2 | |
| 6.1.47 | 6 / 2 | |
| 6.1.46 | 6 / 2 | |
| 6.1.45 | 6 / 2 | |
| 6.1.44 | 6 / 2 | |
| 6.1.43 | 6 / 2 | |
| 6.1.42 | 6 / 2 | |
| 6.1.41 | 6 / 2 | |
| 6.1.40 | 6 / 2 | |
| 6.1.39 | 6 / 2 | |
| 6.1.38 | 6 / 2 | |
| 6.1.37 | 6 / 2 | |
| 6.1.36 | 6 / 2 | |
| 6.1.35 | 6 / 2 | |
| 6.1.34 | 6 / 2 | |
| 6.1.33 | 6 / 2 | |
| 6.1.32 | 6 / 2 | |
| 6.1.31 | 6 / 2 | |
| 6.1.30 | 6 / 2 | |
| 6.1.29 | 6 / 2 | |
| 6.1.28 | 6 / 2 | |
| 6.1.27 | 6 / 2 | |
| 6.1.26 | 6 / 2 | |
| 6.1.25 | 6 / 2 | |
| 6.1.24 | 6 / 2 | |
| 6.1.23 | 6 / 2 | |
| 6.1.22 | 6 / 2 | |
| 6.1.21 | 6 / 2 | |
| 6.1.20 | 6 / 2 | |
| 6.1.19 | 6 / 2 | |
| 6.1.18 | 6 / 2 | |
| 6.1.17 | 6 / 2 | |
| 6.1.16 | 6 / 2 | |
| 6.1.15 | 6 / 2 | |
| 6.1.14 | 6 / 2 | |
| 6.1.13 | 6 / 2 | |
| 6.1.12 | 6 / 2 | |
| 6.1.11 | 6 / 2 | |
| 6.1.10 | 6 / 2 | |
| 6.1.9 | 6 / 2 | |
| 6.1.8 | 6 / 2 | |
| 6.1.7 | 6 / 2 | |
| 6.1.6 | 6 / 2 | |
| 6.1.5 | 6 / 2 | |
| 6.1.4 | 6 / 2 | |
| 6.1.3 | 6 / 2 | |
| 5.6.6 | 9 / 1 | |
| 5.6.5 | 9 / 1 | |
| 5.6.4 | 9 / 1 | |
| 4.0.0 | 7 / 2 | |
| 3.3.3 | 7 / 2 | |
| 3.3.2 | 7 / 2 | |
| 3.3.1 | 7 / 2 | |
| 3.3.0 | 7 / 2 | |
| 3.2.28 | 7 / 2 | |
| 3.2.27 | 7 / 2 | |
| 3.2.26 | 7 / 2 | |
| 3.2.25 | 7 / 2 | |
| 3.2.24 | 7 / 2 | |
| 3.2.23 | 7 / 2 | |
| 3.2.22 | 7 / 2 | |
| 3.2.21 | 7 / 2 | |
| 3.2.20 | 7 / 2 | |
| 3.2.19 | 7 / 2 | |
| 3.2.18 | 7 / 2 | |
| 3.2.17 | 7 / 2 | |
| 3.2.16 | 7 / 2 | |
| 3.2.15 | 7 / 2 | |
| 3.2.14 | 7 / 2 | |
| 3.2.13 | 7 / 2 | |
| 3.2.12 | 7 / 2 | |
| 3.2.11 | 7 / 2 | |
| 3.2.10 | 7 / 2 | |
| 3.2.9 | 7 / 2 | |
| 3.2.8 | 7 / 2 | |
| 3.2.7 | 7 / 2 | |
| 3.2.6 | 7 / 2 | |
| 3.2.5 | 7 / 2 | |
v6.1.70
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.68
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.67
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.66
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.64
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.63
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.62
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.61
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.60
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.59
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.58
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.57
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.56
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.55
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.54
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.53
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.52
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.51
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.50
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.49
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.48
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.47
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.46
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.45
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.44
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.43
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.42
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.41
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.40
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.39
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.38
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.37
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.36
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.35
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.34
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.33
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.32
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.31
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.30
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.29
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.28
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.27
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.26
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.25
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.24
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.23
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.22
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.21
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.20
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.19
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.17
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.15
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
v3.3.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.28
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.27
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.26
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.25
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.24
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.23
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.22
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.21
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.20
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.19
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.17
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.15
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.