@smithy/protocol-http — Greenflagged

[![NPM version](https://img.shields.io/npm/v/@smithy/protocol-http/latest.svg)](https://www.npmjs.com/package/@smithy/protocol-http) [![NPM downloads](https://img.shields.io/npm/dm/@smithy/protocol-http.svg)](https://www.npmjs.com/package/@smithy/protocol

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

trivikr-awssmithy-teamaws-sdk-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from named account to GitHub Actions CI/CD; SLSA provenance confirms legitimate automated publishing.	ai	2026/06/02
npm-metadata	no-description	AI (npm-metadata): Stable omission across versions of this well-established AWS Smithy package.	ai	2026/06/02
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a known implicit runtime dependency for TypeScript projects.	ai	2026/06/02
publish-pattern	dormant-publish	AI (publish-pattern): Smithy-team is the canonical AWS Smithy publisher; sporadic release cadence is normal for this org's packages.	ai	2026/05/20
publish-pattern	new-deps-added	AI (publish-pattern): @smithy/core is a sibling package from the same trusted org; not a suspicious third-party dep.	ai	2026/05/20
source-diff	source-size-dropped	AI (source-diff): Size drop reflects intentional refactor moving code into @smithy/core, not code removal or stubbing.	ai	2026/05/20

Versions (showing 33 of 33)

Version	Deps	Published
5.5.1	2 / 1	2026-06-17
5.5.0	2 / 1	2026-06-15
5.4.7	2 / 1	2026-06-12
5.4.6	2 / 0	2026-06-01
5.4.5	2 / 0	2026-05-27
5.4.4	2 / 0	2026-05-21
5.4.3	2 / 0	2026-05-15
5.4.2	2 / 0	2026-05-14
5.4.1	2 / 0	2026-05-11
5.4.0	2 / 0	2026-05-08
5.3.14	2 / 4	2026-04-16
5.3.13	2 / 4	2026-04-06
5.3.12	2 / 4	2026-03-12
5.3.11	2 / 4	2026-03-04
5.3.10	2 / 4	2026-02-24
5.3.9	2 / 4	2026-02-23
5.3.8	2 / 4	2026-01-13
5.3.7	2 / 4	2025-12-18
5.3.6	2 / 4	2025-12-15
5.3.5	2 / 4	2025-11-10
5.3.4	2 / 4	2025-10-30
5.3.3	2 / 4	2025-10-15
5.3.2	2 / 4	2025-10-14
5.3.1	2 / 4	2025-10-13
5.3.0	2 / 4	2025-09-30
5.2.1	2 / 4	2025-09-10
5.2.0	2 / 4	2025-09-04
5.1.3	2 / 4	2025-08-06
5.1.2	2 / 4	2025-05-29
5.1.1	2 / 4	2025-05-19
5.1.0	2 / 4	2025-03-24
5.0.1	2 / 4	2025-01-09
5.0.0	2 / 4	2025-01-06

v5.5.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.4.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.4.6

2 findings

HIGH Publisher changed: smithy-team → GitHub Actions (on 2026-06-01) provenance

This version was published by a different npm account than previous versions on 2026-06-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.