@aws-amplify/storage — Greenflagged

Storage category of aws-amplify

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-amplify-opsamplify-studio-uibuilderamplify-codegenamplify-data-dev-npmaws-amplify-data-runtime

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	suspicious-version-number	AI (publish-pattern): Version 6.6.6 is a legitimate sequential release in a 2261-version package from the official AWS Amplify publisher. Repeating-digit heuristic is a stable false positive for this package.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): All 5 new deps (tslib, buffer, @aws-sdk/types, @smithy/md5-js, fast-xml-parser) are well-known, legitimate packages consistent with AWS S3 storage functionality. No suspicious additions.	ai	2026/04/23
source-diff	source-size-dropped	AI (source-diff): Source size drop is consistent with modular refactoring (more files, less total code). No stub/redirect indicators present.	ai	2026/04/23
source-diff	large-new-source-files	AI (source-diff): AWS Amplify v6 modular refactor splits code into many smaller files; large file count increases are expected and consistent with the simultaneous source size reduction.	ai	2026/04/23
dependencies	unvetted-dep:@aws-sdk/client-s3-browser	AI (dependencies): Early AWS SDK v3 preview dependency used by the official AWS Amplify storage package; same AWS ecosystem, no security concern.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of richardzcode is consistent with normal AWS team transitions.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Both powerful23 and mlabieniec are known AWS Amplify team members; publisher rotation is normal for this org's packages.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): amzn-oss, jamesiri, jpeddicord are AWS team accounts; routine team roster changes for an official AWS package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): aws-amplify-ops consistently publishes without Sigstore provenance; this is expected for this publisher and package family.	ai	2026/04/23
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding of FileReader.readAsDataURL result is standard React Native file handling; no obfuscation or malicious payload present.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): This is a mature AWS Amplify subpath package entry point; minimal README/keywords and version number are expected for this package structure, not spam indicators.	ai	2026/04/21

Versions (showing 43 of 343)

Show 55 prereleases

Version	Deps	Published
1.3.3	1 / 1	2020-01-11
1.3.0	5 / 0	2020-01-10
1.2.4	1 / 1	2019-10-29
1.2.3	1 / 1	2019-10-23
1.2.2	1 / 19	2019-10-10
1.1.2	1 / 19	2019-09-05
1.1.0	1 / 19	2019-08-05
1.0.36	1 / 19	2019-08-01
1.0.35	1 / 19	2019-07-31
1.0.34	1 / 19	2019-07-30
1.0.33	1 / 19	2019-07-18
1.0.31	1 / 21	2019-06-17
1.0.30	1 / 21	2019-05-14
1.0.29	1 / 21	2019-05-06
1.0.28	1 / 21	2019-04-04
1.0.27	1 / 21	2019-03-28
1.0.26	1 / 21	2019-03-04
1.0.25	1 / 21	2019-01-10
1.0.24	1 / 21	2018-12-26
1.0.23	1 / 21	2018-12-13
1.0.22	1 / 21	2018-12-07
1.0.21	1 / 21	2018-12-06
1.0.20	1 / 21	2018-12-03
1.0.19	1 / 21	2018-11-12
1.0.18	1 / 21	2018-11-01
1.0.17	1 / 21	2018-10-29
1.0.16	1 / 21	2018-10-17
1.0.15	2 / 21	2018-10-04
1.0.14	2 / 21	2018-10-02
1.0.13	2 / 21	2018-09-27
1.0.12	2 / 21	2018-09-21
1.0.11	2 / 21	2018-09-21
1.0.10	2 / 21	2018-09-17
1.0.9	2 / 21	2018-09-12
1.0.8	2 / 21	2018-09-09
1.0.7	2 / 21	2018-08-28
1.0.6	2 / 21	2018-08-28
1.0.5	2 / 21	2018-08-14
1.0.4	2 / 21	2018-08-06
1.0.3	2 / 21	2018-07-28
1.0.2	2 / 21	2018-07-19
1.0.1	2 / 21	2018-07-18
1.0.0	2 / 21	2018-07-13