@aws-cdk/cloud-assembly-schema
Schema for the protocol between CDK framework and CDK CLI
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/cloud-assembly/validation-report-schema.js | AI (source-diff): Inline base64 source map from jsii/tsc compilation; standard for this package. | ai | |
| source-diff | obfuscated-file:lib/integ-tests/commands/deploy.js | AI (source-diff): Long lines are inline base64 source maps, not obfuscation. Standard TypeScript compiler output for this AWS CDK package. | ai | |
| source-diff | obfuscated-file:lib/integ-tests/commands/common.js | AI (source-diff): Long lines are inline base64 source maps (//# sourceMappingURL=data:application/json;base64,...), not obfuscation. Standard TypeScript compiler output for this AWS CDK package. | ai | |
| source-diff | obfuscated-file:lib/integ-tests/test-case.js | AI (source-diff): Long lines are inline base64 source maps, not obfuscation. Standard TypeScript compiler output for this AWS CDK package. | ai | |
| provenance | publisher-changed | AI (provenance): AWS CDK migrated publishing to GitHub Actions with SLSA provenance attestation. This is a documented organizational transition, not a compromise. SLSA attestation confirms CI/CD integrity. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of individual AWS CDK team members (eladb, romainmuller, rix0rrr) is consistent with the shift to automated GitHub Actions publishing for this AWS-owned package. | ai | |
| provenance | no-provenance | AI (provenance): Published by the well-established aws-cdk-team with 842 approved packages. Lack of Sigstore provenance is acceptable for this trusted publisher. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require in scripts/update-schema.js loads a hardcoded local JSON version file (cloud-assembly.version.json) via a constant path — no user input or arbitrary module loading. This is a dev/build script, not runtime code. | ai | |
| bogus-package | bogus-package | AI (bogus-package): AWS CDK schema package; README links are legitimate protocol/framework references, not phishing. Semver reflects monorepo versioning, not inflation. | ai | |
| dependencies | unvetted-dep:jsonschema | AI (dependencies): jsonschema is a well-known JSON schema validator; bundled dependency with tight version constraint (~1.4.1). | ai |
Versions (showing 51 of 635)
| Version | Deps | Published |
|---|---|---|
| 53.28.0 | 2 / 31 | |
| 53.27.0 | 2 / 31 | |
| 53.26.0 | 2 / 31 | |
| 53.25.0 | 2 / 31 | |
| 53.24.0 | 2 / 31 | |
| 53.23.0 | 2 / 31 | |
| 53.22.0 | 2 / 31 | |
| 53.21.0 | 2 / 31 | |
| 53.20.0 | 2 / 31 | |
| 53.19.0 | 2 / 31 | |
| 53.18.0 | 2 / 31 | |
| 53.17.0 | 2 / 31 | |
| 53.16.0 | 2 / 31 | |
| 53.15.0 | 2 / 31 | |
| 53.14.0 | 2 / 29 | |
| 53.13.0 | 2 / 29 | |
| 53.12.0 | 2 / 29 | |
| 53.11.0 | 2 / 29 | |
| 53.10.0 | 2 / 29 | |
| 53.9.0 | 2 / 29 | |
| 53.8.0 | 2 / 29 | |
| 53.7.0 | 2 / 29 | |
| 53.6.0 | 2 / 29 | |
| 53.5.0 | 2 / 29 | |
| 53.4.0 | 2 / 29 | |
| 53.3.0 | 2 / 29 | |
| 53.2.0 | 2 / 29 | |
| 53.1.0 | 2 / 29 | |
| 53.0.0 | 2 / 29 | |
| 52.2.0 | 2 / 29 | |
| 52.1.0 | 2 / 29 | |
| 52.0.0 | 2 / 29 | |
| 50.4.0 | 2 / 29 | |
| 50.3.0 | 2 / 29 | |
| 50.2.0 | 2 / 29 | |
| 50.1.0 | 2 / 29 | |
| 50.0.0 | 2 / 29 | |
| 49.4.0 | 2 / 29 | |
| 49.3.0 | 2 / 29 | |
| 49.2.0 | 2 / 29 | |
| 49.1.0 | 2 / 29 | |
| 49.0.0 | 2 / 29 | |
| 48.20.0 | 2 / 29 | |
| 48.19.0 | 2 / 29 | |
| 48.18.0 | 2 / 29 | |
| 48.17.0 | 2 / 29 | |
| 48.16.0 | 2 / 29 | |
| 48.15.0 | 2 / 29 | |
| 48.14.0 | 2 / 29 | |
| 48.13.0 | 2 / 29 | |
| 48.12.0 | 2 / 29 |
v53.28.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.27.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.26.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.25.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.24.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.23.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.22.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.21.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.20.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.19.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v53.18.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.