amazon-cognito-identity-js
Amazon Cognito Identity Provider JavaScript SDK
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| license | uncommon-license:SEE LICENSE IN LICENSE.txt | AI (license): Amazon Software License is a known AWS license; this flag is a stable false positive for all AWS SDK packages. | ai | |
| provenance | missing-githead | AI (provenance): AWS SDK package with legitimate maintainer transition; missing gitHead reflects build environment change during team handoff, not a malicious publish. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Binaries are Android/React Native build artifacts (Facebook React Native, WebKit JSC) from the bundled example app — expected for this React Native SDK package. | ai | |
| source-diff | encoded-string-file:dist/amazon-cognito-identity.js | AI (source-diff): Long string is standard webpack UMD bundle output. This package ships pre-built dist files as part of its design; not obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): Both itrestian and mlabieniec are Amazon employees listed in package.json contributors; this is a legitimate internal AWS maintainer transition, not a hostile takeover. | ai | |
| source-diff | encoded-string-file:dist/amazon-cognito-identity.min.js | AI (source-diff): Long string is standard webpack minified UMD bundle output. Expected artifact for this package's build process. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of mattsb42-aws alongside addition of other AWS Amplify accounts reflects normal team rotation, not a package takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @aws-crypto/sha256-js is AWS's own cryptography library, replacing crypto-js. This is a well-known, security-motivated dependency change in AWS SDKs. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are all AWS Amplify organizational accounts, consistent with normal team rotation within AWS. Not a hostile takeover signal. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is core to SRP authentication in Cognito SDK (AuthenticationHelper). Legitimate cryptographic use, not obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Established AWS Amplify package predating widespread Sigstore adoption; publisher identity is well-established through long track record. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): fetch() calls are the core HTTP transport for Cognito API requests — the fundamental purpose of this SDK. Not exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used to parse JWT token payloads (CognitoJwtToken). Standard and expected for a JWT-handling authentication library. | ai | |
Versions (showing 51 of 89)
| Version | Deps | Published |
|---|---|---|
| 6.3.16 | 5 / 6 | |
| 6.2.0 | 5 / 21 | |
| 5.0.1 | 5 / 20 | |
| 5.0.0 | 5 / 20 | |
| 4.6.3 | 5 / 19 | |
| 4.5.1 | 4 / 18 | |
| 4.5.0 | 4 / 18 | |
| 4.4.0 | 4 / 18 | |
| 4.3.5 | 3 / 18 | |
| 4.3.4 | 3 / 18 | |
| 4.3.3 | 3 / 18 | |
| 4.3.2 | 3 / 18 | |
| 4.3.1 | 3 / 18 | |
| 4.3.0 | 3 / 18 | |
| 4.2.4 | 3 / 18 | |
| 4.2.3 | 3 / 18 | |
| 4.2.2 | 3 / 18 | |
| 4.2.1 | 3 / 18 | |
| 4.2.0 | 3 / 18 | |
| 4.1.0 | 3 / 18 | |
| 3.3.3 | 3 / 21 | |
| 3.3.0 | 3 / 21 | |
| 3.2.7 | 3 / 18 | |
| 3.2.6 | 3 / 18 | |
| 3.2.5 | 3 / 18 | |
| 3.2.4 | 3 / 18 | |
| 3.2.3 | 3 / 18 | |
| 3.2.2 | 3 / 18 | |
| 3.2.1 | 3 / 18 | |
| 3.2.0 | 3 / 21 | |
| 3.1.3 | 3 / 21 | |
| 3.1.2 | 3 / 21 | |
| 3.1.0 | 3 / 21 | |
| 3.0.16 | 3 / 20 | |
| 3.0.15 | 3 / 20 | |
| 3.0.14 | 3 / 20 | |
| 3.0.13 | 3 / 20 | |
| 3.0.12 | 3 / 20 | |
| 3.0.11 | 3 / 20 | |
| 3.0.10 | 3 / 20 | |
| 3.0.9 | 3 / 20 | |
| 3.0.8 | 3 / 20 | |
| 3.0.7 | 3 / 20 | |
| 3.0.6 | 3 / 20 | |
| 3.0.5 | 3 / 20 | |
| 3.0.4 | 3 / 20 | |
| 3.0.3 | 3 / 20 | |
| 3.0.2 | 3 / 20 | |
| 3.0.1 | 3 / 20 | |
| 2.0.30 | 3 / 20 | |
| 2.0.29 | 3 / 20 | |
v6.3.16
2 findings
- Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.6.3
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.1
2 findings
- This version was published by a different npm account than previous versions on 2020-10-29. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.0
2 findings
- This version was published by a different npm account than previous versions on 2020-10-15. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.4.0
2 findings
- This version was published by a different npm account than previous versions on 2020-09-03. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.5
2 findings
- This version was published by a different npm account than previous versions on 2020-09-01. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.4
2 findings
- This version was published by a different npm account than previous versions on 2020-08-19. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.3
2 findings
- This version was published by a different npm account than previous versions on 2020-07-07. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.2
2 findings
- This version was published by a different npm account than previous versions on 2020-06-18. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.1
2 findings
- This version was published by a different npm account than previous versions on 2020-06-03. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.0
2 findings
- This version was published by a different npm account than previous versions on 2020-05-22. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.4
2 findings
- This version was published by a different npm account than previous versions on 2020-05-14. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.3
2 findings
- This version was published by a different npm account than previous versions on 2020-04-30. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.2
2 findings
- This version was published by a different npm account than previous versions on 2020-04-24. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.1
2 findings
- This version was published by a different npm account than previous versions on 2020-04-07. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0
2 findings
- This version was published by a different npm account than previous versions on 2020-04-02. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.0
2 findings
- This version was published by a different npm account than previous versions on 2020-03-31. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.3
2 findings
- This version was published by a different npm account than previous versions on 2020-01-11. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0
2 findings
- This version was published by a different npm account than previous versions on 2020-01-10. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.7
2 findings
- This version was published by a different npm account than previous versions on 2020-03-30. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.6
2 findings
- This version was published by a different npm account than previous versions on 2020-03-25. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.5
2 findings
- This version was published by a different npm account than previous versions on 2020-02-28. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.4
2 findings
- This version was published by a different npm account than previous versions on 2020-02-07. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.3
2 findings
- This version was published by a different npm account than previous versions on 2020-02-07. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.2
2 findings
- This version was published by a different npm account than previous versions on 2020-01-10. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.1
2 findings
- This version was published by a different npm account than previous versions on 2019-12-18. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0
2 findings
- This version was published by a different npm account than previous versions on 2019-10-29. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.3
2 findings
- This version was published by a different npm account than previous versions on 2019-10-23. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.2
2 findings
- This version was published by a different npm account than previous versions on 2019-10-10. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0
2 findings
- This version was published by a different npm account than previous versions on 2019-10-10. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.16
2 findings
- This version was published by a different npm account than previous versions on 2019-08-21. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.15
2 findings
- This version was published by a different npm account than previous versions on 2019-07-30. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.14
2 findings
- This version was published by a different npm account than previous versions on 2019-07-18. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.13
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
- This version was published by a different npm account than previous versions on 2019-06-17. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.12
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
- This version was published by a different npm account than previous versions on 2019-05-06. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.11
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
- This version was published by a different npm account than previous versions on 2019-04-09. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.10
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
- This version was published by a different npm account than previous versions on 2019-03-28. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.9
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
- This version was published by a different npm account than previous versions on 2019-03-06. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.8
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
- This version was published by a different npm account than previous versions on 2019-03-04. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.7
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2019-01-10. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.6
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2018-12-13. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.5
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2018-12-07. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.4
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2018-12-03. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.3
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2018-10-17. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2018-10-04. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2018-10-02. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.30
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2018-09-27. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.29
3 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
- This version was published by a different npm account than previous versions on 2018-09-21. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.