@aws/language-server-runtimes
Runtimes to host Language Servers for AWS
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA attestation; legitimate automation change for this AWS package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by GitHub Actions publishing with SLSA attestation; consistent with CI/CD pipeline migration, not takeover. | ai | |
| dependencies | unvetted-dep:mac-ca | AI (dependencies): mac-ca is a well-known macOS CA certificate accessor; legitimate use for TLS in AWS tooling. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 used for credential key decoding in auth module — legitimate crypto pattern, not payload obfuscation. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used only for Mac proxy settings detection via scutil — expected system utility usage. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Established AWS package; README link density and missing keywords are false positives for SDK-style documentation. | ai | |
Versions (showing 51 of 65)
| Version | Deps | Published |
|---|---|---|
| 0.3.17 | 18 / 15 | |
| 0.3.16 | 18 / 15 | |
| 0.3.15 | 18 / 15 | |
| 0.3.14 | 20 / 15 | |
| 0.3.13 | 20 / 15 | |
| 0.3.12 | 20 / 15 | |
| 0.3.9 | 20 / 15 | |
| 0.3.6 | 20 / 15 | |
| 0.3.5 | 20 / 15 | |
| 0.3.4 | 20 / 15 | |
| 0.3.3 | 20 / 15 | |
| 0.3.1 | 20 / 15 | |
| 0.3.0 | 20 / 15 | |
| 0.2.129 | 21 / 15 | |
| 0.2.128 | 21 / 15 | |
| 0.2.127 | 21 / 15 | |
| 0.2.126 | 21 / 15 | |
| 0.2.125 | 21 / 15 | |
| 0.2.124 | 21 / 15 | |
| 0.2.123 | 21 / 15 | |
| 0.2.122 | 21 / 15 | |
| 0.2.121 | 21 / 15 | |
| 0.2.120 | 21 / 15 | |
| 0.2.119 | 21 / 15 | |
| 0.2.118 | 21 / 15 | |
| 0.2.117 | 21 / 15 | |
| 0.2.116 | 21 / 15 | |
| 0.2.115 | 21 / 15 | |
| 0.2.114 | 21 / 15 | |
| 0.2.113 | 21 / 15 | |
| 0.2.112 | 21 / 15 | |
| 0.2.111 | 21 / 15 | |
| 0.2.110 | 21 / 15 | |
| 0.2.109 | 21 / 15 | |
| 0.2.108 | 21 / 15 | |
| 0.2.107 | 21 / 15 | |
| 0.2.106 | 21 / 15 | |
| 0.2.105 | 21 / 15 | |
| 0.2.104 | 21 / 15 | |
| 0.2.103 | 21 / 15 | |
| 0.2.102 | 21 / 15 | |
| 0.2.101 | 21 / 15 | |
| 0.2.100 | 21 / 15 | |
| 0.2.99 | 21 / 15 | |
| 0.2.98 | 21 / 15 | |
| 0.2.97 | 21 / 15 | |
| 0.2.96 | 21 / 15 | |
| 0.2.95 | 21 / 15 | |
| 0.2.94 | 21 / 15 | |
| 0.2.93 | 21 / 15 | |
| 0.2.92 | 20 / 15 | |
v0.3.17
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.16
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.15
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.14
2 findings
This version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.13
2 findings
This version was published by a different npm account than previous versions on 2026-01-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.12
2 findings
This version was published by a different npm account than previous versions on 2025-12-19. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.9
2 findings
This version was published by a different npm account than previous versions on 2025-11-26. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.5
2 findings
This version was published by a different npm account than previous versions on 2025-11-07. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.4
2 findings
This version was published by a different npm account than previous versions on 2025-11-04. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.3
2 findings
This version was published by a different npm account than previous versions on 2025-10-31. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.129
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.128
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.127
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.126
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.125
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.124
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.123
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.122
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.121
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.120
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.119
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.118
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.117
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.116
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.115
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.114
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.113
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.112
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.111
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.110
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.109
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.108
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.107
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.106
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.105
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.104
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.103
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.102
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.101
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.100
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.99
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.98
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.97
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.96
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.95
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.94
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.93
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.92
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.