@aws-cdk/cx-api
Cloud executable protocol
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/artifacts/asset-manifest-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output with long export lines and inline source maps. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/assets.js | AI (source-diff): Long lines are jsii/TS compiler re-export boilerplate. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/cloud-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/cloud-assembly.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/artifacts/cloudformation-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/environment.js | AI (source-diff): Long line is inline base64 source map (sourceMappingURL), a standard build artifact. Bundled first-party AWS CDK package. Not malicious. | ai | |
| source-diff | obfuscated-file:lib/legacy-moved.js | AI (source-diff): Long export lines are jsii/TS compiler boilerplate for backwards-compat re-exports. Documented in file comments. Not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is in both dependencies and bundledDependencies — correct pattern for bundled deps; phantom-dep detection is a false positive here. | ai | |
Versions (showing 100 of 631)
| Version | Deps | Published |
|---|---|---|
| 2.254.0 | 2 / 9 | |
| 2.253.1 | 2 / 9 | |
| 2.253.0 | 2 / 9 | |
| 2.252.0 | 2 / 9 | |
| 2.251.0 | 2 / 9 | |
| 2.250.0 | 2 / 9 | |
| 2.249.0 | 2 / 9 | |
| 2.248.0 | 2 / 9 | |
| 2.247.0 | 2 / 9 | |
| 2.246.0 | 2 / 9 | |
| 2.245.0 | 2 / 9 | |
| 2.244.0 | 2 / 9 | |
| 2.243.0 | 2 / 9 | |
| 2.242.0 | 2 / 9 | |
| 2.241.0 | 2 / 9 | |
| 2.240.0 | 2 / 9 | |
| 2.239.0 | 2 / 9 | |
| 2.238.0 | 2 / 9 | |
| 2.237.1 | 1 / 9 | |
| 2.237.0 | 1 / 9 | |
| 2.236.0 | 1 / 9 | |
| 2.235.1 | 1 / 9 | |
| 2.235.0 | 1 / 9 | |
| 2.234.1 | 1 / 9 | |
| 2.234.0 | 1 / 9 | |
| 2.233.0 | 1 / 9 | |
| 2.232.2 | 1 / 9 | |
| 2.232.1 | 1 / 9 | |
| 2.232.0 | 1 / 9 | |
| 2.231.0 | 1 / 9 | |
| 2.230.0 | 1 / 9 | |
| 2.229.1 | 1 / 9 | |
| 2.229.0 | 1 / 9 | |
| 2.228.0 | 1 / 9 | |
| 2.227.0 | 1 / 9 | |
| 2.226.0 | 1 / 9 | |
| 2.225.0 | 1 / 9 | |
| 2.224.0 | 1 / 9 | |
| 2.223.0 | 1 / 9 | |
| 2.222.0 | 1 / 9 | |
| 2.221.1 | 1 / 9 | |
| 2.221.0 | 1 / 9 | |
| 2.220.0 | 1 / 9 | |
| 2.219.0 | 1 / 9 | |
| 2.218.0 | 1 / 9 | |
| 2.217.0 | 1 / 9 | |
| 2.216.0 | 1 / 9 | |
| 2.215.0 | 1 / 9 | |
| 2.214.1 | 1 / 9 | |
| 2.214.0 | 1 / 9 | |
| 2.213.0 | 1 / 9 | |
| 2.212.0 | 1 / 9 | |
| 2.211.0 | 1 / 9 | |
| 2.210.0 | 1 / 9 | |
| 2.209.1 | 1 / 9 | |
| 2.209.0 | 1 / 9 | |
| 2.208.0 | 1 / 9 | |
| 2.207.0 | 1 / 9 | |
| 2.206.0 | 1 / 9 | |
| 2.205.0 | 1 / 9 | |
| 2.204.0 | 1 / 9 | |
| 2.203.1 | 1 / 9 | |
| 2.203.0 | 1 / 9 | |
| 2.202.0 | 1 / 9 | |
| 2.201.0 | 1 / 9 | |
| 2.200.2 | 1 / 9 | |
| 2.200.1 | 1 / 9 | |
| 2.200.0 | 1 / 9 | |
| 2.199.0 | 1 / 9 | |
| 2.198.0 | 1 / 9 | |
| 2.197.0 | 1 / 9 | |
| 2.196.1 | 1 / 9 | |
| 2.196.0 | 1 / 9 | |
| 2.195.0 | 1 / 9 | |
| 2.194.0 | 1 / 9 | |
| 2.193.0 | 1 / 9 | |
| 2.192.0 | 1 / 9 | |
| 2.191.0 | 1 / 9 | |
| 2.190.0 | 1 / 9 | |
| 2.189.1 | 1 / 9 | |
| 2.189.0 | 1 / 9 | |
| 2.188.0 | 1 / 9 | |
| 2.187.0 | 1 / 9 | |
| 2.186.0 | 1 / 9 | |
| 2.185.0 | 1 / 9 | |
| 2.184.1 | 1 / 9 | |
| 2.184.0 | 1 / 9 | |
| 2.183.0 | 1 / 9 | |
| 2.182.0 | 1 / 9 | |
| 2.181.1 | 1 / 9 | |
| 2.181.0 | 1 / 9 | |
| 2.180.0 | 1 / 9 | |
| 2.179.0 | 1 / 9 | |
| 2.178.2 | 1 / 9 | |
| 2.178.1 | 1 / 9 | |
| 2.178.0 | 1 / 9 | |
| 2.177.0 | 1 / 9 | |
| 2.176.0 | 1 / 9 | |
| 2.175.1 | 1 / 9 | |
| 2.175.0 | 1 / 9 | |
v2.254.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.253.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.253.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.252.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.251.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.250.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.249.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.248.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.247.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.246.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.245.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.244.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.243.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.242.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.241.0
8 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.240.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.239.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.238.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.237.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.237.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.236.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.235.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.235.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.234.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.234.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.233.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.232.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.232.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.232.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.231.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.230.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.229.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.229.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.228.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.227.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.226.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.225.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.224.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.223.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.222.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.221.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.221.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.220.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.219.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.218.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.217.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.216.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.215.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.214.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.214.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.213.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.212.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.211.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.210.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.209.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.209.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.208.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.207.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.206.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.205.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.204.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.203.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.203.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.202.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.201.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.200.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.200.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.200.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.199.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.198.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.197.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.196.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.196.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.195.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.194.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.193.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.192.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.191.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.190.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.189.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.189.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.188.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.187.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.186.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.185.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.184.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.184.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.183.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.182.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.181.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.181.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.180.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.179.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.178.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.178.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.178.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.177.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.176.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.175.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.175.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.