amazon-chime-sdk-js

2 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

amzn-osschimesdk

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/encodedtransformworkercode/EncodedTransformWorkerCode.js | AI (source-diff): Intentionally bundled Web Worker code as inline string; generated by documented script, Apache-licensed, readable content. | ai | |
| source-diff | obfuscated-file:build/encodedtransformworkercode/EncodedTransformWorkerCode.d.ts | AI (source-diff): Type declaration for the same bundled worker string; same rationale as the .js file. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Active AWS SDK with 107 published versions; dormancy signal is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:resize-observer | AI (phantom-deps): Polyfill loaded by convention; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/ua-parser-js | AI (phantom-deps): Type-only package used by TypeScript compiler; not directly imported at runtime. | ai | |

Versions (showing 2 of 2)

| Version | Deps | Published |
|---|---|---|
| 3.31.0 | 9 / 35 | |
| 3.30.0 | 9 / 32 | |

v3.31.0

3 findings
[HIGH] New obfuscated file: build/encodedtransformworkercode/EncodedTransformWorkerCode.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[HIGH] New obfuscated file: build/encodedtransformworkercode/EncodedTransformWorkerCode.d.ts (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.30.0

1 finding
[INFO] Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.