@aws-amplify/ui-react
[npm: @aws-amplify/ui-react](https://www.npmjs.com/package/@aws-amplify/ui-react)
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/Field-Cq088Vbv.js | AI (source-diff): Standard CJS bundle output for this package; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/esm/primitives/Icon/icons/IconPasskey.mjs | AI (source-diff): SVG icon component with long path data; not obfuscated. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Diff is against ancient v0.2.25; package has been actively published (4499 versions). | ai | |
| source-diff | obfuscated-file:dist/esm/components/Authenticator/FederatedSignIn/FederatedSignInButtons/FederatedSignInButton.mjs | AI (source-diff): Minified ESM output; legitimate React component code. | ai | |
| source-diff | obfuscated-file:dist/esm/components/AccountSettings/DeleteUser/DeleteUser.mjs | AI (source-diff): Minified ESM output; legitimate React component code. | ai | |
| source-diff | obfuscated-file:dist/esm/components/AccountSettings/DeleteUser/defaults.mjs | AI (source-diff): Minified ESM output; legitimate React component imports. | ai | |
| source-diff | obfuscated-file:dist/esm/components/AccountSettings/ChangePassword/defaults.mjs | AI (source-diff): Minified ESM output; legitimate React component imports. | ai | |
| source-diff | obfuscated-file:dist/esm/primitives/shared/constants.mjs | AI (source-diff): Minified ESM constants file; contains only UI class name mappings. | ai | |
| source-diff | obfuscated-file:dist/esm/components/InAppMessaging/CloseIconButton/CloseIconButton.mjs | AI (source-diff): Minified ESM output from Rollup build; legitimate React component code. | ai | |
| source-diff | obfuscated-file:dist/esm/components/AccountSettings/ChangePassword/ChangePassword.mjs | AI (source-diff): Minified ESM output from Rollup build; legitimate React component code. | ai | |
| source-diff | obfuscated-file:dist/internal.js | AI (source-diff): Standard Rollup-minified CJS internal bundle. | ai | |
| source-diff | obfuscated-file:dist/Field-1dd46eaa.js | AI (source-diff): Standard Rollup-minified CJS bundle for a React component library. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): Standard Rollup-minified CJS entry point. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Major rewrite from v0.x to v4.x; all deps are legitimate ecosystem packages. | ai | |
| source-diff | obfuscated-file:dist/33.js | AI (source-diff): Webpack chunk with CSS scoping logic; standard minified build output for this package. | ai | |
| source-diff | obfuscated-file:dist/13.js | AI (source-diff): Webpack chunk output for AWS Amplify UI components; long lines from minification, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/22.js | AI (source-diff): Webpack-minified Stencil.js web component code (MFA UI); long lines are minification artifact. | ai | |
| source-diff | net-exec-file:dist/1.js | AI (source-diff): Webpack-bundled chunk containing base64-js; network+exec pattern is webpack module system artifact, not malicious. | ai | |
| source-diff | obfuscated-file:dist/24.js | AI (source-diff): Webpack-minified CSS scoping utility code; long lines are minification artifact. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Version started shipping webpack dist bundles; 74 new files is expected for a UI component library build. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from adding webpack dist output; expected for UI component library with bundled dependencies. | ai | |
| source-diff | obfuscated-file:dist/31.js | AI (source-diff): Webpack-bundled chunk containing CSS scoping utility; minified build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/29.js | AI (source-diff): Webpack-bundled chunk containing standard Amplify MFA component code; minified build output, not obfuscation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Normal team churn within AWS Amplify org; publisher remains aws-amplify-ops, the canonical org account. | ai | |
| source-diff | net-exec-file:dist/5.js | AI (source-diff): Webpack bundle containing base64-js; no actual network/exec malware pattern. | ai | |
| source-diff | obfuscated-file:dist/23.js | AI (source-diff): Standard webpack chunk output for CSS scoping utility; long lines from minification, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/@aws-amplify/ui-react.js | AI (source-diff): Standard webpack UMD bundle output; long lines from bundling/minification. | ai | |
| source-diff | net-exec-file:dist/@aws-amplify/ui-react.js | AI (source-diff): Standard webpack UMD bundle; network+exec pattern is false positive from bundled dependencies. | ai | |
| source-diff | net-exec-file:dist/polyfills-core-js.js | AI (source-diff): Webpack buildin/global.js uses new Function('return this') for global detection — standard webpack pattern. | ai | |
| dependencies | unvetted-dep:@aws-amplify/ui | AI (dependencies): First-party AWS Amplify package; legitimate and expected dependency for this UI library. | ai | |
| phantom-deps | phantom-dep:@xstate/react | AI (phantom-deps): Referenced in config files only; common pattern for optional/peer-style usage in UI libraries. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; commonly an implicit transitive dependency in compiled TS packages. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-dropdown-menu | AI (dependencies): Radix UI is a well-known, reputable headless UI component library; legitimate dependency. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-slider | AI (dependencies): Radix UI is a well-known, reputable headless UI component library; legitimate dependency. | ai | |
| dependencies | unvetted-dep:@xstate/react | AI (dependencies): Reputable state machine library widely used in React ecosystems; legitimate dependency. | ai | |
| dependencies | unvetted-dep:qrcode | AI (dependencies): Well-known QR code generation library; legitimate use in a UI component library. | ai | |
| dependencies | unvetted-dep:@aws-amplify/ui-react-core | AI (dependencies): First-party AWS Amplify package; legitimate and expected dependency for this UI library. | ai | |
| dependencies | unvetted-dep:@aws-amplify/ui-components | AI (dependencies): Sibling package in the AWS Amplify ecosystem published by the same trusted publisher; dependency is expected and legitimate. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Signals reflect early monorepo package conventions (sparse README, no keywords) from a highly trusted AWS Amplify publisher. Not indicative of spam or malicious intent. | ai | |
| provenance | no-provenance | AI (provenance): aws-amplify-ops is a long-established publisher; lack of Sigstore provenance is consistent with their historical publishing pattern and not a risk signal for this package. | ai | |
Versions (showing 51 of 72)
| Version | Deps | Published |
|---|---|---|
| 6.15.4 | 9 / 3 | |
| 6.15.3 | 9 / 3 | |
| 6.15.2 | 9 / 3 | |
| 6.15.1 | 9 / 3 | |
| 6.15.0 | 9 / 3 | |
| 6.14.0 | 9 / 3 | |
| 6.13.2 | 9 / 3 | |
| 6.13.1 | 9 / 3 | |
| 6.13.0 | 9 / 3 | |
| 6.12.1 | 9 / 3 | |
| 6.12.0 | 9 / 3 | |
| 6.11.2 | 9 / 3 | |
| 6.11.1 | 9 / 3 | |
| 6.11.0 | 9 / 3 | |
| 6.10.0 | 9 / 3 | |
| 6.9.5 | 9 / 3 | |
| 6.9.4 | 9 / 3 | |
| 6.9.3 | 9 / 3 | |
| 6.9.2 | 9 / 3 | |
| 6.9.1 | 9 / 3 | |
| 6.9.0 | 9 / 3 | |
| 6.8.1 | 9 / 4 | |
| 6.8.0 | 9 / 3 | |
| 6.7.2 | 9 / 4 | |
| 6.7.1 | 9 / 4 | |
| 6.7.0 | 9 / 4 | |
| 6.6.0 | 9 / 4 | |
| 6.5.5 | 9 / 4 | |
| 6.5.4 | 9 / 4 | |
| 6.5.3 | 9 / 4 | |
| 6.5.2 | 9 / 4 | |
| 6.5.1 | 9 / 4 | |
| 6.5.0 | 9 / 4 | |
| 6.4.0 | 9 / 4 | |
| 6.3.1 | 9 / 4 | |
| 6.3.0 | 9 / 4 | |
| 6.2.2 | 9 / 4 | |
| 6.2.1 | 9 / 4 | |
| 6.2.0 | 9 / 4 | |
| 6.1.14 | 9 / 4 | |
| 6.1.13 | 9 / 4 | |
| 6.1.12 | 9 / 4 | |
| 6.1.11 | 9 / 4 | |
| 6.1.10 | 9 / 4 | |
| 6.1.9 | 9 / 4 | |
| 4.6.3 | 19 / 29 | |
| 0.2.25 | 1 / 5 | |
| 0.2.24 | 1 / 5 | |
| 0.2.23 | 1 / 5 | |
| 0.2.22 | 1 / 5 | |
| 0.2.21 | 1 / 5 | |
v6.15.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.15.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.15.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.15.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.14.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.13.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.13.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.13.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.12.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.12.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.10.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.7.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.7.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.7.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.25
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.24
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.23
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.22
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.21
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.