amazon-cognito-identity-js
Amazon Cognito Identity Provider JavaScript SDK
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| license | uncommon-license:SEE LICENSE IN LICENSE.txt | AI (license): Amazon Software License is a known AWS license; this flag is a stable false positive for all AWS SDK packages. | ai | |
| provenance | missing-githead | AI (provenance): AWS SDK package with legitimate maintainer transition; missing gitHead reflects build environment change during team handoff, not a malicious publish. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Binaries are Android/React Native build artifacts (Facebook React Native, WebKit JSC) from the bundled example app — expected for this React Native SDK package. | ai | |
| source-diff | encoded-string-file:dist/amazon-cognito-identity.js | AI (source-diff): Long string is standard webpack UMD bundle output. This package ships pre-built dist files as part of its design; not obfuscation. | ai | |
| provenance | publisher-changed | AI (provenance): Both itrestian and mlabieniec are Amazon employees listed in package.json contributors; this is a legitimate internal AWS maintainer transition, not a hostile takeover. | ai | |
| source-diff | encoded-string-file:dist/amazon-cognito-identity.min.js | AI (source-diff): Long string is standard webpack minified UMD bundle output. Expected artifact for this package's build process. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of mattsb42-aws alongside addition of other AWS Amplify accounts reflects normal team rotation, not a package takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @aws-crypto/sha256-js is AWS's own cryptography library, replacing crypto-js. This is a well-known, security-motivated dependency change in AWS SDKs. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are all AWS Amplify organizational accounts, consistent with normal team rotation within AWS. Not a hostile takeover signal. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding is core to SRP authentication in Cognito SDK (AuthenticationHelper). Legitimate cryptographic use, not obfuscation. | ai | |
| provenance | no-provenance | AI (provenance): Established AWS Amplify package predating widespread Sigstore adoption; publisher identity is well-established through long track record. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): fetch() calls are the core HTTP transport for Cognito API requests — the fundamental purpose of this SDK. Not exfiltration. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used to parse JWT token payloads (CognitoJwtToken). Standard and expected for a JWT-handling authentication library. | ai | |
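The publisher-changed, missing-githead, new-deps-added and no-provenance rules above, and the "no cryptographic link" point in the provenance section, are all derivable from the registry's own metadata. As an added example that is not code from this page or from the AWS Amplify project, the Node script below re-derives those rules from an npm packument. The packument, its version numbers, account names and commit ids are constructed for illustration.

```javascript
// Added example, not code from this page or from the AWS Amplify project:
// re-derive the publish-history rules (publisher-changed, missing-githead,
// new-deps-added, no-provenance) from an npm registry packument, i.e. the
// JSON served at https://registry.npmjs.org/<package-name>.
// The packument below is CONSTRUCTED for illustration; versions, account
// names and commit ids are made up. Field names follow the registry format:
// versions[v]._npmUser, versions[v].gitHead, versions[v].dependencies,
// versions[v].dist.attestations and the top-level "time" map.

const samplePackument = {
  name: "example-sdk",
  time: {
    "1.0.0": "2018-01-05T10:00:00.000Z",
    "1.0.1": "2018-02-10T10:00:00.000Z",
    "1.1.0": "2018-06-20T10:00:00.000Z",
    "2.0.0": "2019-01-15T10:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "alice" }, gitHead: "0a1b2c",
               dependencies: { "dep-a": "^1.0.0" }, dist: {} },
    "1.0.1": { _npmUser: { name: "alice" }, gitHead: "3d4e5f",
               dependencies: { "dep-a": "^1.0.0" }, dist: {} },
    // One release changes publisher, drops gitHead and adds a dependency.
    "1.1.0": { _npmUser: { name: "bob" },
               dependencies: { "dep-a": "^1.0.0", "dep-b": "^2.1.0" }, dist: {} },
    // Published with provenance: the registry exposes dist.attestations.
    "2.0.0": { _npmUser: { name: "bob" }, gitHead: "6a7b8c",
               dependencies: { "dep-a": "^1.0.0", "dep-b": "^2.1.0" },
               dist: { attestations: {
                 url: "https://registry.npmjs.org/-/npm/v1/attestations/example-sdk@2.0.0",
                 provenance: { predicateType: "https://slsa.dev/provenance/v1" } } } },
  },
};

// Versions in publish order. The "time" map, not semver order, decides who
// published after whom (3.2.7 of the real package shipped after 3.3.0).
function publishOrder(packument) {
  const time = packument.time || {};
  return Object.keys(packument.versions)
    .sort((a, b) => (time[a] || "").localeCompare(time[b] || ""));
}

function reviewPublishHistory(packument) {
  const findings = [];
  let prev = null;          // publisher and dependency names of the previous release
  let sawGitHead = false;   // has any earlier release carried a gitHead?
  for (const version of publishOrder(packument)) {
    const meta = packument.versions[version];
    const publisher = (meta._npmUser && meta._npmUser.name) || "<unknown>";
    const hasGitHead = typeof meta.gitHead === "string" && meta.gitHead.length > 0;
    const hasProvenance = Boolean(meta.dist && meta.dist.attestations &&
                                  meta.dist.attestations.provenance);
    const deps = Object.keys(meta.dependencies || {});

    if (prev && publisher !== prev.publisher) {
      findings.push({ version, rule: "publisher-changed",
                      detail: `${prev.publisher} -> ${publisher}` });
    }
    if (sawGitHead && !hasGitHead) {
      findings.push({ version, rule: "missing-githead",
                      detail: `no gitHead; published by ${publisher}` });
    }
    if (prev) {
      const added = deps.filter((d) => !prev.deps.includes(d));
      if (added.length > 0) {
        findings.push({ version, rule: "new-deps-added", detail: added.join(", ") });
      }
    }
    if (!hasProvenance) {
      findings.push({ version, rule: "no-provenance",
                      detail: "no dist.attestations.provenance on this version" });
    }
    sawGitHead = sawGitHead || hasGitHead;
    prev = { publisher, deps };
  }
  return findings;
}

// Stand-alone run over the constructed packument.
for (const f of reviewPublishHistory(samplePackument)) {
  console.log(`${f.version.padEnd(8)} ${f.rule.padEnd(18)} ${f.detail}`);
}
```

For a real package, fetch https://registry.npmjs.org/amazon-cognito-identity-js and pass the parsed JSON to reviewPublishHistory. The output is a list of questions, not verdicts: a publisher change is settled the way the reviewer settled it above, by matching the new account to the package.json contributors, and a missing gitHead only says the publish environment changed. For an installed dependency tree, `npm audit signatures` checks registry signatures and, where a version was published with provenance, its attestation; that attestation is the cryptographic link between tarball and source that the provenance section says is absent here.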
Versions (showing 89 of 89)
| Version | Deps | Published |
|---|---|---|
| 6.3.16 | 5 / 6 | |
| 6.2.0 | 5 / 21 | |
| 5.0.1 | 5 / 20 | |
| 5.0.0 | 5 / 20 | |
| 4.6.3 | 5 / 19 | |
| 4.5.1 | 4 / 18 | |
| 4.5.0 | 4 / 18 | |
| 4.4.0 | 4 / 18 | |
| 4.3.5 | 3 / 18 | |
| 4.3.4 | 3 / 18 | |
| 4.3.3 | 3 / 18 | |
| 4.3.2 | 3 / 18 | |
| 4.3.1 | 3 / 18 | |
| 4.3.0 | 3 / 18 | |
| 4.2.4 | 3 / 18 | |
| 4.2.3 | 3 / 18 | |
| 4.2.2 | 3 / 18 | |
| 4.2.1 | 3 / 18 | |
| 4.2.0 | 3 / 18 | |
| 4.1.0 | 3 / 18 | |
| 3.3.3 | 3 / 21 | |
| 3.3.0 | 3 / 21 | |
| 3.2.7 | 3 / 18 | |
| 3.2.6 | 3 / 18 | |
| 3.2.5 | 3 / 18 | |
| 3.2.4 | 3 / 18 | |
| 3.2.3 | 3 / 18 | |
| 3.2.2 | 3 / 18 | |
| 3.2.1 | 3 / 18 | |
| 3.2.0 | 3 / 21 | |
| 3.1.3 | 3 / 21 | |
| 3.1.2 | 3 / 21 | |
| 3.1.0 | 3 / 21 | |
| 3.0.16 | 3 / 20 | |
| 3.0.15 | 3 / 20 | |
| 3.0.14 | 3 / 20 | |
| 3.0.13 | 3 / 20 | |
| 3.0.12 | 3 / 20 | |
| 3.0.11 | 3 / 20 | |
| 3.0.10 | 3 / 20 | |
| 3.0.9 | 3 / 20 | |
| 3.0.8 | 3 / 20 | |
| 3.0.7 | 3 / 20 | |
| 3.0.6 | 3 / 20 | |
| 3.0.5 | 3 / 20 | |
| 3.0.4 | 3 / 20 | |
| 3.0.3 | 3 / 20 | |
| 3.0.2 | 3 / 20 | |
| 3.0.1 | 3 / 20 | |
| 2.0.30 | 3 / 20 | |
| 2.0.29 | 3 / 20 | |
| 2.0.28 | 3 / 20 | |
| 2.0.27 | 3 / 20 | |
| 2.0.26 | 3 / 20 | |
| 2.0.25 | 3 / 20 | |
| 2.0.24 | 3 / 20 | |
| 2.0.23 | 3 / 20 | |
| 2.0.22 | 3 / 20 | |
| 2.0.21 | 3 / 20 | |
| 2.0.20 | 3 / 20 | |
| 2.0.19 | 3 / 20 | |
| 2.0.17 | 3 / 20 | |
| 2.0.16 | 3 / 20 | |
| 2.0.15 | 3 / 20 | |
| 2.0.14 | 3 / 20 | |
| 2.0.13 | 3 / 20 | |
| 2.0.12 | 3 / 20 | |
| 2.0.11 | 3 / 20 | |
| 2.0.10 | 3 / 20 | |
| 2.0.9 | 3 / 20 | |
| 2.0.8 | 3 / 20 | |
| 2.0.7 | 3 / 20 | |
| 2.0.2 | 3 / 20 | |
| 2.0.1 | 3 / 20 | |
| 2.0.0 | 3 / 20 | |
| 1.31.0 | 2 / 18 | |
| 1.30.0 | 2 / 18 | |
| 1.29.0 | 2 / 18 | |
| 1.28.0 | 2 / 18 | |
| 1.27.0 | 2 / 18 | |
| 1.26.0 | 2 / 18 | |
| 1.16.0 | 1 / 9 | |
| 1.15.0 | 2 / 9 | |
| 1.14.0 | 2 / 9 | |
| 1.13.0 | 2 / 9 | |
| 1.2.0 | 0 / 16 | |
| 1.1.0 | 0 / 16 | |
| 1.0.0 | 0 / 16 | |
| 0.9.0 | 0 / 16 |
v6.3.16
2 findings
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
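The encoded-string finding on this version, and the accepted-risk entries for the two dist bundles, turn on one question: is a 200+ character run a webpack artifact or a hidden payload? As an added example that is not code from this page or from the AWS Amplify project, the JavaScript below extracts such runs from a built file and classifies each by what it decodes to. The sample bundle, source map and constants are constructed; the length threshold, printable-ratio cutoff and "script-like" keyword list are this example's assumptions, not the scanner's rules.

```javascript
// Added example, not code from this page or from the AWS Amplify project:
// triage the 200+ character encoded runs that the encoded-string-file rule
// reports, by decoding each run and classifying what comes out. A webpack
// source map, a numeric constant and text that decodes to JavaScript all
// trip the same length rule; they deserve very different attention.
// Thresholds and the "script-like" keyword list are this example's
// assumptions, not the scanner's rules.

const MIN_RUN = 200;           // assumption: the length the scanner reports on
const PRINTABLE_RATIO = 0.95;  // assumption: below this, decoded bytes count as binary

// Shannon entropy (bits per character) of the encoded run itself.
function entropyBits(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function printableRatio(text) {
  if (text.length === 0) return 0;
  let ok = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x0a || c === 0x0d || c === 0x09) ok++;
  }
  return ok / text.length;
}

function classifyRun(run) {
  if (/^[0-9a-fA-F]+$/.test(run)) {
    return { kind: "hex", preview: run.slice(0, 32) };   // e.g. a large-number constant
  }
  // Buffer.from(..., "base64") never throws; characters outside the alphabet are skipped.
  const decoded = Buffer.from(run, "base64").toString("utf8");
  if (printableRatio(decoded) < PRINTABLE_RATIO) {
    return { kind: "opaque-binary", preview: "" };
  }
  if (/^\s*\{\s*"version"\s*:\s*3\s*,/.test(decoded) && decoded.includes('"sources"')) {
    return { kind: "source-map", preview: decoded.slice(0, 60) };
  }
  if (/(function\s*\w*\s*\(|require\(|eval\(|fetch\(|child_process|=>)/.test(decoded)) {
    return { kind: "script-like", preview: decoded.slice(0, 60) };
  }
  return { kind: "text", preview: decoded.slice(0, 60) };
}

// Find every run of MIN_RUN+ standard-base64/hex characters and classify it.
// (Add "-" and "_" to the class to also catch base64url-encoded JWT segments.)
function triageEncodedStrings(source, minRun = MIN_RUN) {
  const re = new RegExp(`[A-Za-z0-9+/=]{${minRun},}`, "g");
  const findings = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const run = m[0];
    findings.push({ offset: m.index, length: run.length,
                    entropy: Number(entropyBits(run).toFixed(2)), ...classifyRun(run) });
  }
  return findings;
}

// CONSTRUCTED sample "bundle": a minified UMD wrapper line, a source-map data
// URI, a long hex constant (not a real SRP group parameter) and a base64 string
// that decodes to JavaScript.
const sourceMapJson = JSON.stringify({
  version: 3, file: "example.min.js",
  sources: ["webpack://example/./src/CognitoUser.js",
            "webpack://example/./src/AuthenticationHelper.js",
            "webpack://example/./src/CognitoJwtToken.js"],
  names: [], mappings: "AAAA",
});
const hexConstant = "ffffffffffffffffc90fdaa2".repeat(10);                      // 240 hex chars
const hiddenScript = 'function hello(){return "hidden string payload"}\n'.repeat(4);
const sampleBundle = [
  '!function(e,t){"object"==typeof exports?t(exports):e.Example=t({})}(this,function(e){e.ok=!0});',
  "//# sourceMappingURL=data:application/json;charset=utf-8;base64," +
    Buffer.from(sourceMapJson).toString("base64"),
  'var N="' + hexConstant + '";',
  'var p="' + Buffer.from(hiddenScript).toString("base64") + '";',
].join("\n");

for (const r of triageEncodedStrings(sampleBundle)) {
  console.log(`offset=${r.offset} len=${r.length} entropy=${r.entropy} kind=${r.kind} ${JSON.stringify(r.preview)}`);
}
```

For a real artifact, read the file the accepted-risk entry names (dist/amazon-cognito-identity.min.js) into a string and pass it to triageEncodedStrings. A source-map or hex classification supports the "webpack output" reading the reviewer gave above; a script-like run inside a shipped dist file is the case that warrants rebuilding the package from the tagged source and diffing the result against the published tarball. For a package that ships pre-built bundles, that rebuild-and-diff is the only check that actually settles the question; this helper only ranks what to look at first.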
v6.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.1
2 findings
This version was published by a different npm account than previous versions on 2020-10-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.0
2 findings
This version was published by a different npm account than previous versions on 2020-10-15. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.0
2 findings
This version was published by a different npm account than previous versions on 2020-09-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.5
2 findings
This version was published by a different npm account than previous versions on 2020-09-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.4
2 findings
This version was published by a different npm account than previous versions on 2020-08-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.3
2 findings
This version was published by a different npm account than previous versions on 2020-07-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.2
2 findings
This version was published by a different npm account than previous versions on 2020-06-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
2 findings
This version was published by a different npm account than previous versions on 2020-06-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
2 findings
This version was published by a different npm account than previous versions on 2020-05-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.4
2 findings
This version was published by a different npm account than previous versions on 2020-05-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.3
2 findings
This version was published by a different npm account than previous versions on 2020-04-30. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.2
2 findings
This version was published by a different npm account than previous versions on 2020-04-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
2 findings
This version was published by a different npm account than previous versions on 2020-04-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
2 findings
This version was published by a different npm account than previous versions on 2020-04-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
2 findings
This version was published by a different npm account than previous versions on 2020-03-31. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.3
2 findings
This version was published by a different npm account than previous versions on 2020-01-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
2 findings
This version was published by a different npm account than previous versions on 2020-01-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.7
2 findings
This version was published by a different npm account than previous versions on 2020-03-30. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.6
2 findings
This version was published by a different npm account than previous versions on 2020-03-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.5
2 findings
This version was published by a different npm account than previous versions on 2020-02-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.4
2 findings
This version was published by a different npm account than previous versions on 2020-02-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.3
2 findings
This version was published by a different npm account than previous versions on 2020-02-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.2
2 findings
This version was published by a different npm account than previous versions on 2020-01-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
2 findings
This version was published by a different npm account than previous versions on 2019-12-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
2 findings
This version was published by a different npm account than previous versions on 2019-10-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.3
2 findings
This version was published by a different npm account than previous versions on 2019-10-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.2
2 findings
This version was published by a different npm account than previous versions on 2019-10-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
2 findings
This version was published by a different npm account than previous versions on 2019-10-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.16
2 findings
This version was published by a different npm account than previous versions on 2019-08-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.15
2 findings
This version was published by a different npm account than previous versions on 2019-07-30. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.14
2 findings
This version was published by a different npm account than previous versions on 2019-07-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.13
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
This version was published by a different npm account than previous versions on 2019-06-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.12
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
This version was published by a different npm account than previous versions on 2019-05-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.11
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
This version was published by a different npm account than previous versions on 2019-04-09. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.10
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
This version was published by a different npm account than previous versions on 2019-03-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
This version was published by a different npm account than previous versions on 2019-03-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
This version was published by a different npm account than previous versions on 2019-03-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.7
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2019-01-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-12-13. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-12-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-12-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-10-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-10-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-10-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.30
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-09-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.29
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-09-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.28
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-09-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.27
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-09-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.26
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-09-12. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.25
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-09-09. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.24
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-09-09. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 7 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.23
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-08-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.22
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-08-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.21
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-08-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.20
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-08-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.19
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-07-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.17
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-07-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.16
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-07-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.15
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-07-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.14
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: powerful23.
This version was published by a different npm account than previous versions on 2018-07-13. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.13
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-06-29. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.12
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-06-27. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.11
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-06-21. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.10
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-06-20. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.9
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-06-04. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.8
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-06-02. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.7
4 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mlabieniec.
This version was published by a different npm account than previous versions on 2018-06-01. This could indicate a legitimate maintainer transition or an account compromise.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: richardzcode.
This version was published by a different npm account than previous versions on 2018-03-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
4 findings
Package contains compiled binaries that could be backdoors:
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/arm64-v8a/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/armeabi-v7a/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/armeabi/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/x86_64/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/x86/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libfb.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libfolly_json.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libglog_init.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libglog.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libgnustl_shared.so
... and 16 more
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: powerful23.
This version was published by a different npm account than previous versions on 2018-02-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
4 findings
Package contains compiled binaries that could be backdoors:
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/arm64-v8a/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/armeabi-v7a/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/armeabi/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/x86_64/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.fresco/imagepipeline/1.3.0/jni/x86/libimagepipeline.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libfb.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libfolly_json.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libglog_init.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libglog.so
• android/build/intermediates/exploded-aar/com.facebook.react/react-native/0.50.3/jni/armeabi-v7a/libgnustl_shared.so
... and 16 more
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: powerful23.
This version was published by a different npm account than previous versions on 2018-02-13. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.31.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.30.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.29.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.27.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.