@aws-cdk/cloud-assembly-schema
Schema for the protocol between CDK framework and CDK CLI
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of individual AWS CDK team members (eladb, romainmuller, rix0rrr) is consistent with the shift to automated GitHub Actions publishing for this AWS-owned package. | ai | |
| source-diff | obfuscated-file:lib/integ-tests/commands/common.js | AI (source-diff): Long lines are inline base64 source maps (//# sourceMappingURL=data:application/json;base64,...), not obfuscation. Standard TypeScript compiler output for this AWS CDK package. | ai | |
| source-diff | obfuscated-file:lib/integ-tests/commands/deploy.js | AI (source-diff): Long lines are inline base64 source maps, not obfuscation. Standard TypeScript compiler output for this AWS CDK package. | ai | |
| source-diff | obfuscated-file:lib/integ-tests/test-case.js | AI (source-diff): Long lines are inline base64 source maps, not obfuscation. Standard TypeScript compiler output for this AWS CDK package. | ai | |
| provenance | publisher-changed | AI (provenance): AWS CDK migrated publishing to GitHub Actions with SLSA provenance attestation. This is a documented organizational transition, not a compromise. SLSA attestation confirms CI/CD integrity. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require in scripts/update-schema.js loads a hardcoded local JSON version file (cloud-assembly.version.json) via a constant path — no user input or arbitrary module loading. This is a dev/build script, not runtime code. | ai | |
| provenance | no-provenance | AI (provenance): Published by the well-established aws-cdk-team with 842 approved packages. Lack of Sigstore provenance is acceptable for this trusted publisher. | ai | |
| bogus-package | bogus-package | AI (bogus-package): AWS CDK schema package; README links are legitimate protocol/framework references, not phishing. Semver reflects monorepo versioning, not inflation. | ai | |
| dependencies | unvetted-dep:jsonschema | AI (dependencies): jsonschema is a well-known JSON schema validator; bundled dependency with tight version constraint (~1.4.1). | ai |
Versions (showing 30 of 630)
| Version | Deps | Published |
|---|---|---|
| 1.56.0 | 2 / 7 | |
| 1.55.0 | 2 / 7 | |
| 1.54.0 | 2 / 7 | |
| 1.53.0 | 2 / 7 | |
| 1.52.0 | 2 / 7 | |
| 1.51.0 | 2 / 7 | |
| 1.50.0 | 2 / 7 | |
| 1.49.1 | 2 / 7 | |
| 1.49.0 | 2 / 7 | |
| 1.48.0 | 2 / 7 | |
| 1.47.1 | 2 / 7 | |
| 1.47.0 | 2 / 7 | |
| 1.46.0 | 2 / 7 | |
| 1.45.0 | 2 / 7 | |
| 1.44.0 | 2 / 7 | |
| 1.43.0 | 2 / 7 | |
| 1.42.1 | 2 / 7 | |
| 1.42.0 | 2 / 7 | |
| 1.41.0 | 2 / 7 | |
| 1.40.0 | 2 / 7 | |
| 1.39.0 | 2 / 7 | |
| 1.38.0 | 2 / 7 | |
| 1.37.0 | 2 / 7 | |
| 1.36.1 | 2 / 7 | |
| 1.36.0 | 2 / 7 | |
| 1.35.0 | 2 / 7 | |
| 1.34.1 | 2 / 7 | |
| 1.34.0 | 2 / 7 | |
| 1.33.1 | 2 / 7 | |
| 1.33.0 | 2 / 7 |
v1.56.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.55.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.54.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.53.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.52.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.51.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.50.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.49.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.49.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.48.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.47.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.47.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.46.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.45.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.44.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.43.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.42.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.42.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.41.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.40.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.39.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.38.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.37.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.36.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.36.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.35.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.34.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.34.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.33.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.33.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.