@aws-cdk/cloudformation-diff

Utilities to diff CDK stacks against CloudFormation templates

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

amzn-ossaws-cdk-team

Keywords

awscdk

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:aws-sdk	AI (dependencies): aws-sdk is the official AWS JavaScript SDK v2, a first-party Amazon package. Its use is expected and appropriate in an AWS CDK CloudFormation diff utility.	ai	2026/04/22
dependencies	unvetted-dep:@aws-cdk/cfnspec	AI (dependencies): @aws-cdk/cfnspec is a sibling package from the same aws-cdk-team publisher and monorepo; it is a legitimate internal CDK dependency.	ai	2026/04/22
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): @types/node is a TypeScript type package commonly declared in CDK package dependencies for type resolution; not a real runtime phantom dependency concern for this package.	ai	2026/04/22
source-diff	obfuscated-file:lib/format-foreach.js	AI (source-diff): Compiled TypeScript output from official AWS CDK package; long lines are from TS compilation, not obfuscation. Code is readable and matches package purpose. SLSA provenance confirms CI/CD origin.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): AWS CDK migrated to GitHub Actions CI/CD publishing with SLSA attestation; this is a legitimate infrastructure change for the official aws/aws-cdk-cli repo.	ai	2026/04/22
source-diff	obfuscated-file:lib/mappings.js	AI (source-diff): The file contains readable compiled TypeScript with meaningful names and logic; long lines are likely data tables, not obfuscation. Consistent with the package's diff-rendering purpose.	ai	2026/04/22
provenance	no-provenance	AI (provenance): aws-cdk-team is a well-established publisher with 500+ approved packages; lack of Sigstore provenance is a known gap for this publisher, not a security risk.	ai	2026/04/22
source-diff	obfuscated-file:lib/diff/template-and-changeset-diff-merger.js	AI (source-diff): File contains readable TypeScript-compiled JS with standard CDK class definitions. Long lines are an artifact of the TypeScript compiler output, not obfuscation. Pattern is consistent across all CDK packages.	ai	2026/04/22
source-diff	obfuscated-file:lib/iam/iam-identity-center.js	AI (source-diff): File contains readable TypeScript-compiled JS with standard CDK class definitions. Long lines are an artifact of the TypeScript compiler output, not obfuscation. Pattern is consistent across all CDK packages.	ai	2026/04/22
dependencies	unvetted-dep:@aws-cdk/service-spec-types	AI (dependencies): First-party AWS CDK package from the same aws/aws-cdk-cli organization; expected internal dependency for this package.	ai	2026/04/22
dependencies	unvetted-dep:@aws-cdk/aws-service-spec	AI (dependencies): First-party AWS CDK package from the same aws/aws-cdk-cli organization; expected internal dependency for this package.	ai	2026/04/22

Versions (showing 100 of 554)

Version	Deps	Published
2.187.1	7 / 24	2026-04-16
2.187.0	7 / 22	2026-04-01
2.186.0	7 / 23	2026-03-09
2.185.1	7 / 23	2026-01-28
2.185.0	7 / 23	2025-12-11
2.184.1	7 / 23	2025-09-11
2.184.0	7 / 23	2025-09-05
2.183.1	7 / 23	2025-08-27
2.183.0	7 / 23	2025-07-16
2.182.0	7 / 23	2025-06-05
2.181.2	7 / 23	2025-05-14
2.181.1	7 / 24	2025-04-23
2.181.0	7 / 24	2025-04-16
2.180.0	7 / 24	2025-03-25
2.179.0	7 / 8	2025-02-18
2.178.2	7 / 8	2025-02-12
2.178.1	7 / 8	2025-02-07
2.178.0	7 / 8	2025-02-06
2.177.0	7 / 8	2025-01-25
2.176.0	7 / 8	2025-01-15
2.175.1	7 / 8	2025-01-11
2.175.0	7 / 8	2025-01-09
2.174.1	7 / 8	2025-01-07
2.174.0	7 / 8	2025-01-04
2.173.4	7 / 8	2024-12-27
2.173.3	7 / 8	2024-12-26
2.173.2	7 / 8	2024-12-18
2.173.1	7 / 8	2024-12-14
2.173.0	7 / 8	2024-12-12
2.172.0	7 / 8	2024-12-07
2.171.1	7 / 8	2024-11-27
2.171.0	7 / 8	2024-11-25
2.170.0	7 / 8	2024-11-22
2.169.0	7 / 8	2024-11-21
2.168.0	7 / 8	2024-11-20
2.167.2	7 / 8	2024-11-19
2.167.1	7 / 8	2024-11-15
2.167.0	7 / 8	2024-11-13
2.166.0	7 / 8	2024-11-07
2.165.0	7 / 8	2024-10-31
2.164.1	7 / 8	2024-10-25
2.164.0	7 / 8	2024-10-24
2.163.1	7 / 8	2024-10-22
2.163.0	7 / 8	2024-10-22
2.162.1	7 / 8	2024-10-11
2.162.0	7 / 8	2024-10-10
2.161.1	7 / 8	2024-10-05
2.161.0	7 / 8	2024-10-04
2.160.0	7 / 8	2024-09-24
2.159.1	7 / 8	2024-09-19
2.159.0	7 / 8	2024-09-19
2.158.0	7 / 8	2024-09-11
2.157.0	7 / 8	2024-09-10
2.156.0	7 / 8	2024-09-06
2.155.0	7 / 8	2024-08-30
2.154.1	7 / 8	2024-08-23
2.154.0	7 / 8	2024-08-22
2.153.0	7 / 8	2024-08-20
2.152.0	7 / 8	2024-08-15
2.151.1	7 / 8	2024-08-14
2.151.0	7 / 8	2024-08-02
2.150.0	7 / 8	2024-07-23
2.149.0	7 / 8	2024-07-12
2.148.1	7 / 8	2024-07-11
2.148.0	7 / 8	2024-07-05
2.147.3	7 / 8	2024-07-02
2.147.2	7 / 8	2024-06-28
2.147.1	7 / 8	2024-06-24
2.147.0	7 / 8	2024-06-20
2.146.0	7 / 8	2024-06-13
2.145.0	7 / 8	2024-06-07
2.144.0	7 / 8	2024-05-31
2.143.1	7 / 8	2024-05-30
2.143.0	7 / 8	2024-05-24
2.142.1	7 / 8	2024-05-17
2.142.0	7 / 8	2024-05-15
2.141.0	7 / 8	2024-05-08
2.140.0	7 / 8	2024-05-02
2.139.1	7 / 8	2024-04-30
2.139.0	7 / 8	2024-04-24
2.138.0	7 / 8	2024-04-18
2.137.0	7 / 8	2024-04-11
2.136.1	8 / 7	2024-04-10
2.136.0	8 / 7	2024-04-06
2.135.0	8 / 7	2024-04-02
2.134.0	8 / 7	2024-03-26
2.133.0	7 / 8	2024-03-15
2.132.1	7 / 8	2024-03-12
2.132.0	7 / 8	2024-03-09
2.131.0	7 / 8	2024-03-01
2.130.0	7 / 8	2024-02-23
2.129.0	7 / 8	2024-02-21
2.128.0	7 / 8	2024-02-14
2.127.0	7 / 8	2024-02-10
2.126.0	7 / 8	2024-02-02
2.125.0	7 / 8	2024-02-01
2.124.0	7 / 8	2024-01-26
2.123.0	7 / 8	2024-01-24
2.122.0	7 / 8	2024-01-18
2.121.1	7 / 8	2024-01-13

Showing 100 of 554 Next page →

v2.187.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.187.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.186.0

2 findings

HIGH New obfuscated file: lib/format-foreach.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.185.1

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: aws-cdk-team → GitHub Actions (on 2026-01-28) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.

v2.185.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: aws-cdk-team → GitHub Actions (on 2025-12-11) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.

v2.184.1

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: aws-cdk-team → GitHub Actions (on 2025-09-11) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-11. This could indicate a legitimate maintainer transition or an account compromise.

v2.184.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.183.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.183.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.182.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.181.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.181.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.181.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.180.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.