@aws-cdk/cx-api
Cloud executable protocol
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/artifacts/asset-manifest-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output with long export lines and inline source maps. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/assets.js | AI (source-diff): Long lines are jsii/TS compiler re-export boilerplate. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/cloud-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/cloud-assembly.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/artifacts/cloudformation-artifact.js | AI (source-diff): Standard TypeScript/jsii compiler output. Bundled first-party AWS CDK package. Not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:node_modules/@aws-cdk/cloud-assembly-api/lib/environment.js | AI (source-diff): Long line is inline base64 source map (sourceMappingURL), a standard build artifact. Bundled first-party AWS CDK package. Not malicious. | ai | |
| source-diff | obfuscated-file:lib/legacy-moved.js | AI (source-diff): Long export lines are jsii/TS compiler boilerplate for backwards-compat re-exports. Documented in file comments. Not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is in both dependencies and bundledDependencies — correct pattern for bundled deps; phantom-dep detection is a false positive here. | ai | |
Versions (showing 100 of 631)
| Version | Deps | Published |
|---|---|---|
| 2.174.1 | 1 / 9 | |
| 2.174.0 | 1 / 9 | |
| 2.173.4 | 1 / 9 | |
| 2.173.3 | 1 / 9 | |
| 2.173.2 | 1 / 9 | |
| 2.173.1 | 1 / 9 | |
| 2.173.0 | 1 / 9 | |
| 2.172.0 | 1 / 9 | |
| 2.171.1 | 1 / 9 | |
| 2.171.0 | 1 / 9 | |
| 2.170.0 | 1 / 9 | |
| 2.169.0 | 1 / 9 | |
| 2.168.0 | 1 / 9 | |
| 2.167.2 | 1 / 9 | |
| 2.167.1 | 1 / 9 | |
| 2.167.0 | 1 / 9 | |
| 2.166.0 | 1 / 9 | |
| 2.165.0 | 1 / 9 | |
| 2.164.1 | 1 / 9 | |
| 2.164.0 | 1 / 9 | |
| 2.163.1 | 1 / 9 | |
| 2.163.0 | 1 / 9 | |
| 2.162.1 | 1 / 9 | |
| 2.162.0 | 1 / 9 | |
| 2.161.1 | 1 / 9 | |
| 2.161.0 | 1 / 9 | |
| 2.160.0 | 1 / 9 | |
| 2.159.1 | 1 / 9 | |
| 2.159.0 | 1 / 9 | |
| 2.158.0 | 1 / 9 | |
| 2.157.0 | 1 / 9 | |
| 2.156.0 | 1 / 9 | |
| 2.155.0 | 1 / 9 | |
| 2.154.1 | 1 / 9 | |
| 2.154.0 | 1 / 9 | |
| 2.153.0 | 1 / 9 | |
| 2.152.0 | 1 / 9 | |
| 2.151.1 | 1 / 9 | |
| 2.151.0 | 1 / 9 | |
| 2.150.0 | 1 / 9 | |
| 2.149.0 | 1 / 9 | |
| 2.148.1 | 1 / 9 | |
| 2.148.0 | 1 / 9 | |
| 2.147.3 | 1 / 9 | |
| 2.147.2 | 1 / 9 | |
| 2.147.1 | 1 / 9 | |
| 2.147.0 | 1 / 9 | |
| 2.146.0 | 1 / 9 | |
| 2.145.0 | 1 / 9 | |
| 2.144.0 | 1 / 9 | |
| 2.143.1 | 1 / 9 | |
| 2.143.0 | 1 / 9 | |
| 2.142.1 | 1 / 9 | |
| 2.142.0 | 1 / 9 | |
| 2.141.0 | 1 / 9 | |
| 2.140.0 | 1 / 9 | |
| 2.139.1 | 1 / 9 | |
| 2.139.0 | 1 / 9 | |
| 2.138.0 | 1 / 9 | |
| 2.137.0 | 1 / 9 | |
| 2.136.1 | 1 / 9 | |
| 2.136.0 | 1 / 9 | |
| 2.135.0 | 1 / 9 | |
| 2.134.0 | 1 / 9 | |
| 2.133.0 | 1 / 9 | |
| 2.132.1 | 1 / 9 | |
| 2.132.0 | 1 / 9 | |
| 2.131.0 | 1 / 9 | |
| 2.130.0 | 1 / 9 | |
| 2.129.0 | 1 / 9 | |
| 2.128.0 | 1 / 9 | |
| 2.127.0 | 1 / 9 | |
| 2.126.0 | 1 / 9 | |
| 2.125.0 | 1 / 9 | |
| 2.124.0 | 1 / 9 | |
| 2.123.0 | 1 / 9 | |
| 2.122.0 | 1 / 9 | |
| 2.121.1 | 1 / 9 | |
| 2.121.0 | 1 / 9 | |
| 2.120.0 | 1 / 9 | |
| 2.119.0 | 1 / 9 | |
| 2.118.0 | 1 / 9 | |
| 2.117.0 | 1 / 9 | |
| 2.116.1 | 1 / 9 | |
| 2.116.0 | 1 / 9 | |
| 2.115.0 | 1 / 9 | |
| 2.114.1 | 1 / 9 | |
| 2.114.0 | 1 / 9 | |
| 2.113.0 | 1 / 9 | |
| 2.112.0 | 1 / 9 | |
| 2.111.0 | 1 / 9 | |
| 2.110.1 | 1 / 9 | |
| 2.110.0 | 1 / 9 | |
| 2.109.0 | 1 / 9 | |
| 2.108.1 | 1 / 9 | |
| 2.108.0 | 1 / 9 | |
| 2.107.0 | 1 / 9 | |
| 2.106.1 | 1 / 9 | |
| 2.106.0 | 1 / 9 | |
| 2.105.0 | 1 / 9 | |
v2.174.1 through v2.105.0 (all 100 versions listed above)
1 finding each: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.