@aws-sdk/client-ec2
AWS SDK for JavaScript Ec2 Client for Node.js, Browser and React Native
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@aws-sdk/util-base64-node | AI (phantom-deps): AWS SDK framework-scoped package loaded by convention for Node.js environment; expected pattern in monorepo. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/util-base64-browser | AI (phantom-deps): AWS SDK framework-scoped package loaded by convention for browser environment; expected pattern in monorepo. | ai | |
| dependencies | unvetted-dep:@aws-sdk/util-base64 | AI (dependencies): AWS SDK sibling package published by the same trusted aws-sdk-bot publisher; unvetted status reflects review queue lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@aws-sdk/middleware-endpoint | AI (dependencies): @aws-sdk/middleware-endpoint is an internal AWS SDK package published by the same aws-sdk-bot publisher; unvetted status is a pipeline artifact, not a real risk for this ecosystem. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Generated AWS SDK client library; minimal README and no keywords are expected and benign for this package type. | ai | |
| dependencies | unvetted-dep:@aws-sdk/util-waiter | AI (dependencies): First-party AWS SDK package published by the same aws-sdk-bot publisher at the same version cadence; not a third-party unvetted dependency. | ai | |
| phantom-deps | phantom-dep:fast-xml-parser | AI (phantom-deps): Used for XML parsing in EC2 API responses; referenced in config/generated code rather than direct imports. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/middleware-stack | AI (phantom-deps): Framework-scoped AWS SDK middleware package loaded by convention; phantom-dep finding is a stable false positive for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @types/uuid is a benign TypeScript type definition package for uuid, which is already a declared dependency. No malicious signal. | ai | |
| source-diff | large-new-source-files | AI (source-diff): EC2 is one of AWS's largest services; new source files reflect API surface expansion (new features/instance types), consistent with the package's history of frequent large updates. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): uuid is used indirectly through the AWS SDK framework; phantom detection is a false positive for this package's architecture. | ai | |
| phantom-deps | phantom-dep:@types/uuid | AI (phantom-deps): @types/uuid is a type-only package loaded by convention in the TypeScript build; phantom detection is a false positive here. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): AWS regularly rotates named maintainers; aws-sdk-bot is the stable publishing identity for all AWS SDK JS v3 packages. Maintainer rotation is expected and not a takeover signal. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/client-sts | AI (phantom-deps): AWS SDK v3 loads client-sts dynamically via credential providers by convention; not a direct import but a legitimate runtime dependency pattern across all AWS SDK v3 clients. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/client-sso-oidc | AI (phantom-deps): AWS SDK v3 loads client-sso-oidc dynamically via credential providers by convention; standard pattern across all AWS SDK v3 clients. | ai | |
| phantom-deps | phantom-dep:@smithy/middleware-stack | AI (phantom-deps): Smithy framework packages are loaded by convention in AWS SDK v3 architecture; phantom-dep finding is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@smithy/middleware-serde | AI (phantom-deps): Smithy framework packages are loaded by convention in AWS SDK v3 architecture; phantom-dep finding is a stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): AWS SDK bot is a well-established, trusted publisher; lack of Sigstore provenance is not a concern for this package. | ai |
Versions (showing 100 of 716)
| Version | Deps | Published |
|---|---|---|
| 3.1057.0 | 11 / 8 | |
| 3.1056.0 | 11 / 8 | |
| 3.1055.0 | 11 / 8 | |
| 3.1054.0 | 11 / 8 | |
| 3.1053.0 | 11 / 8 | |
| 3.1052.0 | 11 / 8 | |
| 3.1051.0 | 11 / 8 | |
| 3.1050.0 | 11 / 8 | |
| 3.1049.0 | 11 / 8 | |
| 3.1048.0 | 11 / 8 | |
| 3.1047.0 | 19 / 8 | |
| 3.1046.0 | 19 / 8 | |
| 3.1045.0 | 41 / 8 | |
| 3.1044.0 | 41 / 8 | |
| 3.1043.0 | 41 / 8 | |
| 3.1042.0 | 41 / 8 | |
| 3.1041.0 | 41 / 8 | |
| 3.1040.0 | 41 / 8 | |
| 3.1039.0 | 41 / 8 | |
| 3.1038.0 | 41 / 8 | |
| 3.1037.0 | 41 / 8 | |
| 3.1036.0 | 41 / 8 | |
| 3.1035.0 | 41 / 8 | |
| 3.1034.0 | 41 / 8 | |
| 3.1033.0 | 41 / 8 | |
| 3.1032.0 | 41 / 8 | |
| 3.1031.0 | 41 / 8 | |
| 3.1030.0 | 41 / 8 | |
| 3.1029.0 | 41 / 8 | |
| 3.1028.0 | 41 / 8 | |
| 3.1027.0 | 41 / 8 | |
| 3.1026.0 | 41 / 8 | |
| 3.1025.0 | 41 / 8 | |
| 3.1024.0 | 41 / 8 | |
| 3.1023.0 | 41 / 8 | |
| 3.1022.0 | 41 / 8 | |
| 3.1021.0 | 41 / 8 | |
| 3.1020.0 | 41 / 8 | |
| 3.1019.0 | 41 / 8 | |
| 3.1018.0 | 41 / 8 | |
| 3.1017.0 | 41 / 8 | |
| 3.1016.0 | 41 / 8 | |
| 3.1015.0 | 41 / 8 | |
| 3.1014.0 | 41 / 8 | |
| 3.1013.0 | 41 / 8 | |
| 3.1012.0 | 41 / 8 | |
| 3.1011.0 | 41 / 8 | |
| 3.1010.0 | 41 / 8 | |
| 3.1009.0 | 41 / 8 | |
| 3.1008.0 | 41 / 8 | |
| 3.1007.0 | 41 / 8 | |
| 3.1006.0 | 41 / 8 | |
| 3.1005.0 | 41 / 8 | |
| 3.1004.0 | 41 / 8 | |
| 3.1003.0 | 41 / 8 | |
| 3.1002.0 | 41 / 8 | |
| 3.1001.0 | 41 / 8 | |
| 3.1000.0 | 41 / 8 | |
| 3.999.0 | 41 / 6 | |
| 3.998.0 | 41 / 6 | |
| 3.997.0 | 41 / 6 | |
| 3.996.0 | 41 / 6 | |
| 3.995.0 | 41 / 6 | |
| 3.994.0 | 41 / 6 | |
| 3.993.0 | 41 / 6 | |
| 3.992.0 | 41 / 6 | |
| 3.991.0 | 41 / 6 | |
| 3.990.0 | 41 / 6 | |
| 3.989.0 | 41 / 6 | |
| 3.988.0 | 41 / 6 | |
| 3.987.0 | 41 / 6 | |
| 3.986.0 | 41 / 6 | |
| 3.985.0 | 41 / 6 | |
| 3.984.0 | 41 / 6 | |
| 3.983.0 | 41 / 6 | |
| 3.982.0 | 41 / 6 | |
| 3.981.0 | 41 / 6 | |
| 3.980.0 | 41 / 6 | |
| 3.979.0 | 41 / 6 | |
| 3.978.0 | 41 / 6 | |
| 3.977.0 | 41 / 6 | |
| 3.976.0 | 41 / 6 | |
| 3.975.0 | 41 / 6 | |
| 3.974.0 | 41 / 6 | |
| 3.973.0 | 41 / 6 | |
| 3.972.0 | 41 / 6 | |
| 3.971.0 | 41 / 6 | |
| 3.970.0 | 41 / 6 | |
| 3.969.0 | 41 / 6 | |
| 3.968.0 | 41 / 6 | |
| 3.967.0 | 41 / 6 | |
| 3.966.0 | 41 / 6 | |
| 3.965.0 | 41 / 6 | |
| 3.964.0 | 41 / 6 | |
| 3.962.0 | 41 / 6 | |
| 3.958.0 | 41 / 6 | |
| 3.957.0 | 41 / 6 | |
| 3.956.0 | 41 / 6 | |
| 3.955.0 | 41 / 6 | |
| 3.954.0 | 41 / 6 |
v3.1057.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1056.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1055.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1054.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1053.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1052.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1051.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1050.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1049.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1048.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1047.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1046.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1045.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1044.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1043.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1042.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1041.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1040.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1039.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1038.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1037.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1036.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1035.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.