
@aws-cdk/cdk-assets-lib

CDK Asset Publishing Library

Versions: 5
License: Apache-2.0
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

amzn-oss
aws-cdk-team

Keywords

awscdk

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): AWS CDK packages migrated publishing to GitHub Actions CI/CD; SLSA provenance attestation confirms artifact integrity. This transition is expected and documented for the aws-cdk-cli monorepo. | ai |
phantom-deps | phantom-dep:minimatch | AI (phantom-deps): minimatch is explicitly declared as a runtime dependency in package.json; phantom-dep finding is a false positive. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used for ECR authorization token parsing; standard AWS ECR auth flow, not obfuscation. | ai |
semgrep | semgrep:env-spread | AI (semgrep): process.env spreading is necessary for Docker command execution in a CDK asset publishing library. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process is required for spawning Docker and shell commands; core functionality of a CDK asset publishing library. | ai |
semgrep | semgrep:child-process-spawn | AI (semgrep): child_process.spawn is used to execute Docker commands for asset publishing; expected and documented behavior. | ai |

Versions (showing 5 of 5)

Version | Deps | Published
1.0.4 | 14 / 30 |
1.0.3 | 14 / 30 |
1.0.2 | 14 / 30 |
1.0.1 | 14 / 30 |
1.0.0 | 14 / 30 |

v1.0.4

2 findings

HIGH [provenance] Publisher changed: aws-cdk-team → GitHub Actions (on 2025-09-24)

This version was published on 2025-09-24 by a different npm identity (the GitHub Actions CI workflow) than previous versions. This could indicate a legitimate maintainer transition (here, a move to CI-based publishing) or an account compromise; confirm the change against the project's release workflow before accepting it.

INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers: it binds the tarball to the workflow that built it. It does not vouch for the source that workflow built from.
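
As an added example (not the page's, the registry's, or the CDK project's code), the following Python script performs offline the checks behind the two findings above, on constructed sample data: it unwraps the DSSE envelope from an npm attestation response, confirms the predicate type, checks that the attested subject digest equals both the SHA-512 of the tarball and the packument's dist.integrity value, reports whether a source commit is pinned (the page's "No source commit" case), and walks the packument's _npmUser records in publish order to find publisher changes such as aws-cdk-team → GitHub Actions. The attestation endpoint path, the statement field layout, and the "GitHub Actions" publisher name are assumptions labelled in the comments; the tarball, digests, timestamps, and commit are constructed. The script does not verify the Sigstore signature; that is what npm audit signatures does.

```python
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"

# ---- constructed sample data (not real registry output) --------------------
TARBALL = b"constructed stand-in for cdk-assets-lib-1.0.4.tgz"   # fake tarball
TARBALL_SHA512 = hashlib.sha512(TARBALL).digest()


def _statement(with_commit: bool) -> dict:
    """In-toto statement laid out like npm's SLSA v1 provenance (assumed shape)."""
    deps = []
    if with_commit:   # pinned source commit; omitted to reproduce "No source commit"
        deps.append({"uri": "git+https://github.com/aws/aws-cdk-cli@refs/heads/main",
                     "digest": {"gitCommit": "a" * 40}})
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40aws-cdk/cdk-assets-lib@1.0.4",
                     "digest": {"sha512": TARBALL_SHA512.hex()}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "externalParameters": {"workflow": {
                    "repository": "https://github.com/aws/aws-cdk-cli",
                    "path": ".github/workflows/release.yml", "ref": "refs/heads/main"}},
                "resolvedDependencies": deps},
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}}},
    }


def _registry_response(with_commit: bool) -> dict:
    """Assumed shape of GET https://registry.npmjs.org/-/npm/v1/attestations/<pkg>@<ver>:
    a Sigstore bundle wrapping a DSSE envelope whose payload is the base64 statement."""
    payload = base64.b64encode(json.dumps(_statement(with_commit)).encode()).decode()
    return {"attestations": [{"predicateType": SLSA_V1, "bundle": {"dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json", "payload": payload,
        "signatures": [{"keyid": "", "sig": "c2lnbmF0dXJlLW5vdC1jaGVja2VkLWhlcmU="}]}}}]}


# Packument excerpt. `_npmUser` records who published each version; for a
# CI/OIDC publish the registry shows "GitHub Actions" (assumed, as on the page).
PACKUMENT = {
    "time": {"1.0.2": "2025-08-01T00:00:00Z", "1.0.3": "2025-09-01T00:00:00Z",
             "1.0.4": "2025-09-24T00:00:00Z"},
    "versions": {
        "1.0.2": {"_npmUser": {"name": "aws-cdk-team"}, "dist": {"integrity": "sha512-AAAA"}},
        "1.0.3": {"_npmUser": {"name": "aws-cdk-team"}, "dist": {"integrity": "sha512-BBBB"}},
        "1.0.4": {"_npmUser": {"name": "GitHub Actions"},
                  "dist": {"integrity": "sha512-" + base64.b64encode(TARBALL_SHA512).decode()}},
    },
}
# ---------------------------------------------------------------------------


def decode_statement(bundle: dict) -> dict:
    """Unwrap the DSSE envelope and return the statement. No signature check here:
    that needs the Sigstore trust root (npm audit signatures / sigstore-python)."""
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType %r" % env["payloadType"])
    return json.loads(base64.b64decode(env["payload"]))


def check_provenance(response: dict, dist_integrity: str, tarball: bytes) -> dict:
    """Cross-check the SLSA v1 attestation against the tarball and its SRI hash."""
    slsa = [a for a in response["attestations"] if a["predicateType"] == SLSA_V1]
    if not slsa:
        raise ValueError("no SLSA v1 provenance attestation in response")
    stmt = decode_statement(slsa[0]["bundle"])
    subject_hex = stmt["subject"][0]["digest"]["sha512"]
    algo, _, b64 = dist_integrity.partition("-")          # SRI form: "sha512-<base64>"
    integrity_hex = base64.b64decode(b64).hex() if algo == "sha512" else None
    build = stmt["predicate"]["buildDefinition"]
    commit = next((d["digest"]["gitCommit"] for d in build.get("resolvedDependencies", [])
                   if "gitCommit" in d.get("digest", {})), None)
    return {
        "predicate_ok": stmt["predicateType"] == SLSA_V1,
        "subject_matches_tarball": subject_hex == hashlib.sha512(tarball).hexdigest(),
        "subject_matches_integrity": subject_hex == integrity_hex,
        "builder": stmt["predicate"]["runDetails"]["builder"]["id"],
        "source_repo": build["externalParameters"]["workflow"]["repository"],
        "source_commit": commit,   # None is the page's "No source commit" condition
    }


def publisher_transitions(packument: dict) -> list:
    """(version, previous publisher, new publisher) for every change, in publish order."""
    order = sorted(packument["versions"], key=lambda v: packument["time"][v])
    out, prev = [], None
    for v in order:
        who = packument["versions"][v]["_npmUser"]["name"]
        if prev is not None and who != prev:
            out.append((v, prev, who))
        prev = who
    return out


if __name__ == "__main__":
    integrity = PACKUMENT["versions"]["1.0.4"]["dist"]["integrity"]
    print(json.dumps(check_provenance(_registry_response(False), integrity, TARBALL), indent=2))
    print(publisher_transitions(PACKUMENT))   # [('1.0.4', 'aws-cdk-team', 'GitHub Actions')]
```

Against a live package, replace the constructed response with the JSON from the attestation endpoint and the packument from the registry, and fetch the tarball named in dist.tarball; a mismatch between the attested subject and the served tarball, or a missing gitCommit, is the condition to escalate rather than accept.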

v1.0.3

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers: it binds the tarball to the workflow that built it. It does not vouch for the source that workflow built from.

v1.0.2

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers: it binds the tarball to the workflow that built it. It does not vouch for the source that workflow built from.

v1.0.1

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers: it binds the tarball to the workflow that built it. It does not vouch for the source that workflow built from.

v1.0.0

1 finding
INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with a Sigstore attestation (predicate type https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal the registry offers: it binds the tarball to the workflow that built it. It does not vouch for the source that workflow built from.