@aws-amplify/pubsub
Pubsub category of aws-amplify
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): AWS Amplify pubsub was actively expanding features in this era; new source files reflect legitimate feature growth, not injected code. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size reduction reflects refactoring of shared code into @aws-amplify/core; a known pattern in the amplify-js monorepo, not a stub replacement. | ai | |
| provenance | missing-githead | AI (provenance): AWS Amplify is a large org that periodically updates CI/CD pipelines; missing gitHead across a version with no content changes is a low-risk publish environment shift, not a supply chain indicator. | ai | |
| provenance | publisher-changed | AI (provenance): AWS Amplify consolidated publishing under aws-amplify-ops org account; this is a documented organizational transition, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are AWS Amplify team members added as part of the same organizational consolidation; stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance availability on npm; no provenance is expected for packages of this age from this publisher. | ai | |
| dependencies | unvetted-dep:@types/paho-mqtt | AI (dependencies): @types/paho-mqtt is a TypeScript type definition package for the MQTT client; expected and benign dependency for an AWS Amplify PubSub package. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is a legitimate RxJS observable implementation; standard dependency for AWS Amplify pubsub. | ai | |
| phantom-deps | phantom-dep:@types/paho-mqtt | AI (phantom-deps): TypeScript type definitions loaded by convention in framework packages; expected pattern. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): TypeScript type definitions loaded by convention in framework packages; expected pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Mass-production signal reflects AWS's monorepo structure; no keywords is minor metadata issue, not malicious. | ai | |
| phantom-deps | phantom-dep:buffer | AI (phantom-deps): buffer is a polyfill for browser compatibility; standard in AWS SDK packages. | ai | |
| phantom-deps | phantom-dep:@aws-amplify/auth | AI (phantom-deps): Same-org dependency used conditionally; stable pattern for AWS Amplify monorepo. | ai | |
| phantom-deps | phantom-dep:url | AI (phantom-deps): url is a polyfill for browser compatibility; common pattern in AWS SDK packages. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): graphql may be used conditionally or through re-exports; stable for this package. | ai | |
Versions (showing 34 of 134)
| Version | Deps | Published |
|---|---|---|
| 3.2.4 | 7 / 2 | |
| 3.2.3 | 7 / 2 | |
| 3.2.2 | 7 / 2 | |
| 3.2.1 | 7 / 2 | |
| 3.2.0 | 7 / 2 | |
| 3.1.1 | 7 / 2 | |
| 3.1.0 | 7 / 2 | |
| 3.0.25 | 7 / 2 | |
| 3.0.24 | 7 / 2 | |
| 3.0.23 | 7 / 2 | |
| 3.0.22 | 7 / 2 | |
| 3.0.21 | 7 / 2 | |
| 3.0.20 | 7 / 2 | |
| 3.0.19 | 7 / 2 | |
| 3.0.18 | 7 / 2 | |
| 3.0.17 | 7 / 2 | |
| 3.0.16 | 7 / 2 | |
| 3.0.15 | 7 / 2 | |
| 3.0.14 | 7 / 2 | |
| 3.0.13 | 7 / 2 | |
| 3.0.12 | 7 / 2 | |
| 3.0.11 | 7 / 2 | |
| 3.0.10 | 7 / 2 | |
| 3.0.9 | 7 / 2 | |
| 3.0.8 | 7 / 2 | |
| 3.0.7 | 7 / 2 | |
| 3.0.6 | 7 / 2 | |
| 3.0.5 | 7 / 2 | |
| 3.0.4 | 7 / 2 | |
| 3.0.3 | 7 / 2 | |
| 3.0.1 | 7 / 2 | |
| 1.3.3 | 5 / 1 | |
| 1.0.25 | 4 / 22 | |
| 1.0.0 | 6 / 21 | |
v3.2.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.2.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.2.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.25
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.24
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.23
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.22
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.21
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.20
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.19
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.17
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.16
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aws-amplify-ops.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.15
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v3.0.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-04-03. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-04-02. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-04-01. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-03-31. This could indicate a legitimate maintainer transition or an account compromise.
v1.3.3
2 findings
This version was published by a different npm account than previous versions on 2020-01-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.