@aws-amplify/core
Core category of aws-amplify

Versions: 23
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
amzn-oss, aws-amplify-ops, amplify-studio-uibuilder, amplify-codegen, amplify-data-dev-npm, aws-amplify-data-runtime
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): AWS-published package with strong track record; dormancy followed by legitimate build system updates, not takeover indicator. | ai | |
| provenance | missing-githead | AI (provenance): Established AWS Amplify package published by aws-amplify-ops with strong track record; missing gitHead is likely a CI pipeline change, not a malicious signal. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper, commonly used implicitly by TypeScript-compiled packages. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Legitimate webpack config pattern for loading react-native-url-polyfill metadata; not arbitrary module loading. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): @types/node-fetch is a type declaration package; not directly imported at runtime by design. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Reading process.env keys to detect React environment is standard platform detection logic in a core AWS Amplify library. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): @types/ packages are type-only and commonly included without direct imports; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@aws-sdk/url-parser-node | AI (dependencies): @aws-sdk/url-parser-node is an official AWS SDK v3 package from Amazon; the unvetted flag reflects the alpha stage at time of publish, not a security concern. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from mlabieniec to aws-amplify-ops in June 2019 reflects legitimate AWS organizational transfer; stable for this package. | ai | |
| dependencies | unvetted-dep:url | AI (dependencies): Standard Node.js URL utility; legitimate dependency for AWS library. | ai | |
| dependencies | unvetted-dep:@aws-sdk/credential-provider-cognito-identity | AI (dependencies): First-party AWS SDK package; unvetted status expected for beta SDK v3 packages in active development. | ai | |
| dependencies | unvetted-dep:@aws-crypto/sha256-js | AI (dependencies): AWS crypto library; expected dependency for AWS Amplify core. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped @aws-amplify/core package is not a typosquat; legitimate AWS Amplify namespace. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Official AWS package with clear purpose and repository; mass-production signal is false positive for corporate publishers. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is an established RxJS-related package; legitimate dependency for observable patterns. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-cognito-identity | AI (dependencies): Official AWS SDK v3 package; expected dependency for Cognito integration in AWS Amplify. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/node-http-handler | AI (phantom-deps): AWS SDK packages loaded by convention; framework-scoped dependency pattern. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/util-user-agent-browser | AI (phantom-deps): AWS SDK utility package loaded by convention; framework-scoped dependency pattern. | ai | |
| dependencies | unvetted-dep:@aws-sdk/node-http-handler | AI (dependencies): First-party AWS SDK package; unvetted status expected for beta SDK v3 packages in active development. | ai | |
| dependencies | unvetted-dep:zen-observable-ts | AI (dependencies): zen-observable-ts is a known RxJS observable library; unvetted status is metadata signal, not security concern. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() used for safe browser/Node.js environment detection; input is not user-controlled. Legitimate pattern in cross-platform libraries. | ai | |
| dependencies | unvetted-dep:aws-sdk | AI (dependencies): aws-sdk is a core AWS library; pinned version 2.474.0 is stable for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 106 new source files reflect major version bump with AWS SDK v3 integration; no bundled/injected code indicators. | ai | |
| provenance | no-provenance | AI (provenance): AWS Amplify is an established project; missing provenance is a process improvement, not a security blocker for this trusted publisher. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): zen-observable is an established library; new dependency is legitimate for this AWS-maintained package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer transition to aws-amplify-ops in 2019 is a documented organizational handoff; stable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Normal maintainer rotation; no compromise indicators present in this established project. | ai | |
Versions (showing 23 of 324)
| Version | Deps | Published |
|---|---|---|
| 1.0.22 | 2 / 21 | |
| 1.0.21 | 2 / 21 | |
| 1.0.20 | 2 / 21 | |
| 1.0.19 | 2 / 21 | |
| 1.0.18 | 2 / 21 | |
| 1.0.17 | 2 / 21 | |
| 1.0.16 | 2 / 21 | |
| 1.0.15 | 2 / 21 | |
| 1.0.14 | 2 / 21 | |
| 1.0.13 | 2 / 21 | |
| 1.0.12 | 2 / 21 | |
| 1.0.11 | 2 / 21 | |
| 1.0.10 | 2 / 21 | |
| 1.0.9 | 2 / 21 | |
| 1.0.8 | 2 / 21 | |
| 1.0.7 | 2 / 21 | |
| 1.0.6 | 2 / 21 | |
| 1.0.5 | 2 / 21 | |
| 1.0.4 | 2 / 21 | |
| 1.0.3 | 2 / 21 | |
| 1.0.2 | 2 / 21 | |
| 1.0.1 | 2 / 21 | |
| 1.0.0 | 2 / 21 | |