@aws-sdk/config-resolver

[![NPM version](https://img.shields.io/npm/v/@aws-sdk/config-resolver/latest.svg)](https://www.npmjs.com/package/@aws-sdk/config-resolver) [![NPM downloads](https://img.shields.io/npm/dm/@aws-sdk/config-resolver.svg)](https://www.npmjs.com/package/@aws-sd

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mattsb42-awskuheamzn-ossaws-sdk-bottrivikr-aws

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@aws-sdk/util-middleware	AI (dependencies): First-party AWS SDK package published by aws-sdk-bot; unvetted status reflects pipeline ordering, not a real risk.	ai	2026/04/22
dependencies	unvetted-dep:@aws-sdk/util-config-provider	AI (dependencies): First-party AWS SDK package published by aws-sdk-bot; unvetted status reflects pipeline ordering, not a real risk.	ai	2026/04/22
source-diff	large-new-source-files	AI (source-diff): AWS SDK v3 packages routinely add large numbers of source files during modularization refactors; this is expected behavior for coordinated SDK version releases.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): @aws-sdk/util-middleware is a first-party AWS SDK package in the same monorepo, published by the same aws-sdk-bot. Adding internal SDK utilities is expected and low-risk.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): AWS SDK team rotations are routine; aws-sdk-bot remains the publisher and both maintainers are known AWS contributors. Not indicative of a takeover.	ai	2026/04/22
source-diff	obfuscated-file:dist/cjs/CustomEndpointsConfig.js	AI (source-diff): The long line is a base64-encoded inline source map, standard for TypeScript-compiled CJS output. The code itself is fully readable. This is a stable false positive for AWS SDK compiled packages.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): AWS SDK team additions are expected for the official aws-sdk-js-v3 project published by aws-sdk-bot. No compromise indicators.	ai	2026/04/22
phantom-deps	phantom-dep:@aws-sdk/signature-v4	AI (phantom-deps): AWS SDK v3 monorepo packages commonly declare sibling deps for type usage without direct imports; stable false positive for this package.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates widespread Sigstore provenance adoption on npm; published by trusted aws-sdk-bot with strong track record.	ai	2026/04/22

Versions (showing 19 of 119)

Version	Deps	Published
3.19.0	3 / 5	2021-06-24
3.18.0	3 / 5	2021-06-04
3.16.0	3 / 5	2021-05-14
3.15.0	3 / 5	2021-05-10
3.14.0	3 / 5	2021-04-30
3.13.1	3 / 5	2021-04-22
3.12.0	3 / 5	2021-04-09
3.10.0	3 / 5	2021-03-27
3.8.0	3 / 5	2021-03-05
3.7.0	3 / 5	2021-02-26
3.6.1	3 / 5	2021-02-22
3.6.0	3 / 5	2021-02-20
3.5.0	3 / 5	2021-02-12
3.4.1	3 / 5	2021-01-29
3.4.0	3 / 5	2021-01-29
3.3.0	3 / 5	2021-01-15
3.2.0	2 / 6	2021-01-09
3.1.0	2 / 6	2020-12-24
3.0.0	2 / 6	2020-12-15