@aws-cdk/cx-api
Cloud executable protocol
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry's integrity hash proves only that you received the bytes npm stores, not that those bytes were built from the CDK repository by its CI. The axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/artifacts/asset-manifest-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output with long export lines and inline source maps. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/assets.js | AI (source-diff): Long lines are jsii/TS compiler re-export boilerplate. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/cloud-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/cloud-assembly.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/artifacts/cloudformation-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/environment.js | AI (source-diff): Long line is inline base64 source map (sourceMappingURL), a standard build artifact. Bundled first-party AWS CDK package. Not malicious. | ai | |
| source-diff | obfuscated-file:lib/legacy-moved.js | AI (source-diff): Long export lines are jsii/TS compiler boilerplate for backwards-compat re-exports. Documented in file comments. Not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is in both dependencies and bundledDependencies — correct pattern for bundled deps; phantom-dep detection is a false positive here. | ai | |
Versions (showing 51 of 631)
| Version | Deps | Published |
|---|---|---|
| 2.254.0 | 2 / 9 | |
| 2.253.1 | 2 / 9 | |
| 2.253.0 | 2 / 9 | |
| 2.252.0 | 2 / 9 | |
| 2.251.0 | 2 / 9 | |
| 2.250.0 | 2 / 9 | |
| 2.249.0 | 2 / 9 | |
| 2.248.0 | 2 / 9 | |
| 2.247.0 | 2 / 9 | |
| 2.246.0 | 2 / 9 | |
| 2.245.0 | 2 / 9 | |
| 2.244.0 | 2 / 9 | |
| 2.243.0 | 2 / 9 | |
| 2.242.0 | 2 / 9 | |
| 2.241.0 | 2 / 9 | |
| 2.240.0 | 2 / 9 | |
| 2.239.0 | 2 / 9 | |
| 2.238.0 | 2 / 9 | |
| 2.237.1 | 1 / 9 | |
| 2.237.0 | 1 / 9 | |
| 2.236.0 | 1 / 9 | |
| 2.235.1 | 1 / 9 | |
| 2.235.0 | 1 / 9 | |
| 2.234.1 | 1 / 9 | |
| 2.234.0 | 1 / 9 | |
| 2.233.0 | 1 / 9 | |
| 2.232.2 | 1 / 9 | |
| 2.232.1 | 1 / 9 | |
| 2.232.0 | 1 / 9 | |
| 2.231.0 | 1 / 9 | |
| 2.230.0 | 1 / 9 | |
| 2.229.1 | 1 / 9 | |
| 2.229.0 | 1 / 9 | |
| 2.228.0 | 1 / 9 | |
| 2.227.0 | 1 / 9 | |
| 2.226.0 | 1 / 9 | |
| 2.225.0 | 1 / 9 | |
| 2.224.0 | 1 / 9 | |
| 2.223.0 | 1 / 9 | |
| 2.222.0 | 1 / 9 | |
| 2.221.1 | 1 / 9 | |
| 2.221.0 | 1 / 9 | |
| 2.220.0 | 1 / 9 | |
| 2.219.0 | 1 / 9 | |
| 2.218.0 | 1 / 9 | |
| 2.217.0 | 1 / 9 | |
| 2.216.0 | 1 / 9 | |
| 2.215.0 | 1 / 9 | |
| 2.214.1 | 1 / 9 | |
| 2.214.0 | 1 / 9 | |
| 2.213.0 | 1 / 9 |
v2.254.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.253.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.253.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.252.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.251.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.250.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.249.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.248.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.247.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.246.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.245.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.244.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.243.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.242.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.241.0
8 findings: seven newly added source files contain lines over 3000 chars, suggesting minified or obfuscated code (new obfuscated files are a strong attack indicator), and the package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.240.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.239.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.238.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.237.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.237.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.236.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.235.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.235.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.234.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.234.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.233.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.232.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.232.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.232.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.231.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.230.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.229.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.229.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.228.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.227.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.226.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.225.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.224.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.223.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.222.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.221.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.221.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.220.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.219.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.218.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.217.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.216.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.215.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.214.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.214.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.213.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.