@aws-cdk/cloudformation-diff
Utilities to diff CDK stacks against CloudFormation templates
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:aws-sdk | AI (dependencies): aws-sdk is the official AWS JavaScript SDK v2, a first-party Amazon package. Its use is expected and appropriate in an AWS CDK CloudFormation diff utility. | ai | |
| dependencies | unvetted-dep:@aws-cdk/cfnspec | AI (dependencies): @aws-cdk/cfnspec is a sibling package from the same aws-cdk-team publisher and monorepo; it is a legitimate internal CDK dependency. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a TypeScript type package commonly declared in CDK package dependencies for type resolution; not a real runtime phantom dependency concern for this package. | ai | |
| source-diff | obfuscated-file:lib/format-foreach.js | AI (source-diff): Compiled TypeScript output from official AWS CDK package; long lines are from TS compilation, not obfuscation. Code is readable and matches package purpose. SLSA provenance confirms CI/CD origin. | ai | |
| provenance | publisher-changed | AI (provenance): AWS CDK migrated to GitHub Actions CI/CD publishing with SLSA attestation; this is a legitimate infrastructure change for the official aws/aws-cdk-cli repo. | ai | |
| source-diff | obfuscated-file:lib/mappings.js | AI (source-diff): The file contains readable compiled TypeScript with meaningful names and logic; long lines are likely data tables, not obfuscation. Consistent with the package's diff-rendering purpose. | ai | |
| provenance | no-provenance | AI (provenance): aws-cdk-team is a well-established publisher with 500+ approved packages; lack of Sigstore provenance is a known gap for this publisher, not a security risk. | ai | |
| source-diff | obfuscated-file:lib/diff/template-and-changeset-diff-merger.js | AI (source-diff): File contains readable TypeScript-compiled JS with standard CDK class definitions. Long lines are an artifact of the TypeScript compiler output, not obfuscation. Pattern is consistent across all CDK packages. | ai | |
| source-diff | obfuscated-file:lib/iam/iam-identity-center.js | AI (source-diff): File contains readable TypeScript-compiled JS with standard CDK class definitions. Long lines are an artifact of the TypeScript compiler output, not obfuscation. Pattern is consistent across all CDK packages. | ai | |
| dependencies | unvetted-dep:@aws-cdk/service-spec-types | AI (dependencies): First-party AWS CDK package from the same aws/aws-cdk-cli organization; expected internal dependency for this package. | ai | |
| dependencies | unvetted-dep:@aws-cdk/aws-service-spec | AI (dependencies): First-party AWS CDK package from the same aws/aws-cdk-cli organization; expected internal dependency for this package. | ai |
Versions (showing 54 of 554)
| Version | Deps | Published |
|---|---|---|
| 1.6.0 | 8 / 5 | |
| 1.5.0 | 8 / 5 | |
| 1.4.0 | 8 / 5 | |
| 1.3.0 | 8 / 5 | |
| 1.2.0 | 8 / 5 | |
| 1.1.0 | 8 / 5 | |
| 1.0.0 | 8 / 5 | |
| 0.39.0 | 8 / 5 | |
| 0.38.0 | 8 / 5 | |
| 0.37.0 | 8 / 5 | |
| 0.36.2 | 8 / 5 | |
| 0.36.1 | 8 / 5 | |
| 0.36.0 | 8 / 5 | |
| 0.35.0 | 8 / 5 | |
| 0.34.0 | 8 / 5 | |
| 0.33.0 | 8 / 5 | |
| 0.32.0 | 8 / 5 | |
| 0.31.0 | 8 / 5 | |
| 0.30.0 | 8 / 5 | |
| 0.29.0 | 8 / 5 | |
| 0.28.0 | 8 / 5 | |
| 0.27.0 | 8 / 5 | |
| 0.26.0 | 8 / 5 | |
| 0.25.3 | 8 / 5 | |
| 0.25.2 | 8 / 5 | |
| 0.25.1 | 8 / 5 | |
| 0.25.0 | 8 / 5 | |
| 0.24.1 | 8 / 5 | |
| 0.24.0 | 8 / 5 | |
| 0.23.0 | 8 / 5 | |
| 0.22.0 | 7 / 4 | |
| 0.21.0 | 6 / 4 | |
| 0.20.0 | 6 / 4 | |
| 0.19.0 | 4 / 2 | |
| 0.18.1 | 4 / 2 | |
| 0.18.0 | 4 / 2 | |
| 0.17.0 | 3 / 2 | |
| 0.16.0 | 3 / 2 | |
| 0.15.2 | 3 / 2 | |
| 0.15.1 | 3 / 2 | |
| 0.15.0 | 3 / 2 | |
| 0.14.1 | 3 / 2 | |
| 0.14.0 | 3 / 2 | |
| 0.13.0 | 3 / 2 | |
| 0.12.0 | 3 / 2 | |
| 0.11.0 | 3 / 2 | |
| 0.10.0 | 3 / 2 | |
| 0.9.2 | 3 / 2 | |
| 0.9.1 | 3 / 2 | |
| 0.9.0 | 3 / 2 | |
| 0.8.2 | 3 / 2 | |
| 0.8.1 | 3 / 2 | |
| 0.8.0 | 3 / 2 | |
| 0.0.0 | 7 / 22 |
v1.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.39.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.38.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.37.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.36.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.35.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.34.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.33.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.32.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.31.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.30.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.29.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.27.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.26.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.25.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.24.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.22.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.21.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.19.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.18.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.