@aws-cdk/cfnspec
The CloudFormation resource specification used by @aws-cdk packages
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build-tools/validate-evolution.js | AI (source-diff): File is readable TypeScript/JS build tooling for spec evolution validation; long lines are likely JSON/data content, not obfuscation. False positive for this AWS CDK package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is confined to build-tools/create-missing-libraries.js, a build-time scaffolding utility in the aws-cdk monorepo. Not runtime code; stable false positive for this package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): spawn() is in a build-time exec() helper in build-tools/create-missing-libraries.js. Expected pattern for monorepo build tooling; not a runtime risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in build-tools scripts loads package.json files from known monorepo paths — a standard build-time pattern, not a runtime security risk. Stable for this package. | ai |
Versions (showing 100 of 388)
| Version | Deps | Published |
|---|---|---|
| 1.204.0 | 2 / 10 | |
| 1.203.0 | 2 / 10 | |
| 1.202.0 | 2 / 10 | |
| 1.201.0 | 2 / 10 | |
| 1.200.0 | 2 / 9 | |
| 1.199.0 | 2 / 9 | |
| 1.198.1 | 2 / 9 | |
| 1.198.0 | 2 / 9 | |
| 1.197.0 | 2 / 9 | |
| 1.196.0 | 2 / 9 | |
| 1.195.0 | 2 / 9 | |
| 1.194.0 | 2 / 9 | |
| 1.193.0 | 2 / 9 | |
| 1.192.0 | 2 / 9 | |
| 1.191.0 | 2 / 9 | |
| 1.190.0 | 2 / 9 | |
| 1.189.0 | 2 / 9 | |
| 1.188.0 | 2 / 9 | |
| 1.187.0 | 2 / 9 | |
| 1.186.1 | 2 / 9 | |
| 1.186.0 | 2 / 9 | |
| 1.185.0 | 2 / 9 | |
| 1.184.1 | 2 / 9 | |
| 1.184.0 | 2 / 9 | |
| 1.183.0 | 2 / 9 | |
| 1.182.0 | 2 / 9 | |
| 1.181.1 | 2 / 9 | |
| 1.181.0 | 2 / 9 | |
| 1.180.0 | 2 / 9 | |
| 1.179.0 | 2 / 9 | |
| 1.178.0 | 2 / 9 | |
| 1.177.0 | 2 / 9 | |
| 1.176.0 | 2 / 9 | |
| 1.175.0 | 2 / 9 | |
| 1.174.0 | 2 / 9 | |
| 1.173.0 | 2 / 9 | |
| 1.172.0 | 2 / 9 | |
| 1.171.0 | 2 / 9 | |
| 1.170.1 | 2 / 9 | |
| 1.170.0 | 2 / 9 | |
| 1.169.0 | 2 / 9 | |
| 1.168.0 | 2 / 9 | |
| 1.167.0 | 2 / 9 | |
| 1.166.1 | 2 / 9 | |
| 1.165.0 | 2 / 9 | |
| 1.164.0 | 2 / 9 | |
| 1.163.2 | 2 / 9 | |
| 1.163.1 | 2 / 9 | |
| 1.163.0 | 2 / 9 | |
| 1.162.0 | 2 / 9 | |
| 1.161.0 | 2 / 9 | |
| 1.160.0 | 2 / 9 | |
| 1.159.0 | 2 / 9 | |
| 1.158.0 | 2 / 9 | |
| 1.157.0 | 2 / 9 | |
| 1.156.1 | 2 / 9 | |
| 1.156.0 | 2 / 9 | |
| 1.155.0 | 2 / 9 | |
| 1.154.0 | 2 / 9 | |
| 1.153.1 | 2 / 9 | |
| 1.153.0 | 2 / 9 | |
| 1.152.0 | 2 / 9 | |
| 1.151.0 | 2 / 9 | |
| 1.150.0 | 2 / 9 | |
| 1.149.0 | 2 / 9 | |
| 1.148.0 | 2 / 9 | |
| 1.147.0 | 2 / 9 | |
| 1.146.0 | 2 / 9 | |
| 1.145.0 | 2 / 9 | |
| 1.144.0 | 2 / 9 | |
| 1.143.0 | 2 / 9 | |
| 1.142.0 | 2 / 9 | |
| 1.141.0 | 2 / 9 | |
| 1.140.0 | 2 / 9 | |
| 1.139.0 | 2 / 9 | |
| 1.138.2 | 2 / 9 | |
| 1.138.1 | 2 / 9 | |
| 1.138.0 | 2 / 9 | |
| 1.137.0 | 2 / 9 | |
| 1.136.0 | 2 / 9 | |
| 1.135.0 | 2 / 9 | |
| 1.134.0 | 2 / 9 | |
| 1.133.0 | 2 / 9 | |
| 1.132.0 | 2 / 9 | |
| 1.131.0 | 2 / 9 | |
| 1.130.0 | 2 / 9 | |
| 1.129.0 | 2 / 9 | |
| 1.128.0 | 2 / 9 | |
| 1.127.0 | 1 / 10 | |
| 1.126.0 | 1 / 10 | |
| 1.125.0 | 1 / 10 | |
| 1.124.0 | 1 / 10 | |
| 1.123.0 | 1 / 10 | |
| 1.122.0 | 1 / 10 | |
| 1.121.0 | 1 / 10 | |
| 1.120.0 | 1 / 10 | |
| 1.119.0 | 1 / 10 | |
| 1.118.0 | 1 / 10 | |
| 1.117.0 | 1 / 10 | |
| 1.116.0 | 1 / 10 |
v1.204.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.203.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.202.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.201.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.200.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.199.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.198.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.198.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.197.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.196.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.195.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.194.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.193.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.192.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.191.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.190.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.189.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.188.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.187.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.186.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.186.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.185.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.184.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.184.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.183.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.182.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.181.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.181.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.180.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.179.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.178.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.177.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.176.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.175.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.174.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.173.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.172.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.171.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.170.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.170.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.169.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.168.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.167.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.166.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.165.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.164.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.163.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.163.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.163.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.162.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.161.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.160.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.159.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.158.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.157.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.156.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.156.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.155.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.154.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.153.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.153.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.152.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.151.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.150.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.149.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.148.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.147.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.146.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.145.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.144.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.143.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.142.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.141.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.140.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.139.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.138.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.138.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.138.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.137.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.136.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.135.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.134.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.133.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.132.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.131.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.130.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.129.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.128.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.127.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.126.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.125.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.124.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.123.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.122.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.121.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.120.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.119.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.118.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.117.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.116.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.