@aws-sdk/core — Greenflagged

Core functions & classes shared by multiple AWS SDK clients.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amzn-ossaws-sdk-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	large-new-source-files	AI (source-diff): Submodule restructuring adds many files; normal for AWS SDK monorepo packages.	ai	2026/05/20
source-diff	obfuscated-file:dist-cjs/submodules/client/index.browser.js	AI (source-diff): CJS bundle output with readable source; standard build artifact for this package.	ai	2026/05/20
source-diff	obfuscated-file:dist-es/submodules/client/util-endpoints/lib/aws/partitions.js	AI (source-diff): AWS partitions JSON data exported as a single long line; not obfuscation.	ai	2026/05/20
source-diff	obfuscated-file:dist-cjs/submodules/client/index.native.js	AI (source-diff): CJS bundle output with readable source; standard build artifact for this package.	ai	2026/05/20
provenance	no-provenance	AI (provenance): AWS SDK packages historically publish without Sigstore provenance; publisher track record (9926 approved) provides sufficient trust signal.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): AWS SDK team rotation is expected for a large monorepo; publisher remains aws-sdk-bot (official AWS automation). No suspicious new maintainers added.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): Cosmetic signals (short README, no keywords) are typical of AWS SDK monorepo sub-packages. Package has 41 approved dependents and clear legitimate purpose.	ai	2026/04/22
phantom-deps	phantom-dep:tslib	AI (phantom-deps): tslib is a declared runtime dependency used implicitly via TypeScript compilation output — the standard and documented usage pattern for tslib in TS projects.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in scripts/lint.js loads the package's own package.json via path.join — a benign dev-script pattern, not runtime code. Stable false positive for this package.	ai	2026/04/22
typosquat	typosquat.levenshtein:cors	AI (typosquat): @aws-sdk/core is a legitimate AWS SDK scoped package; the Levenshtein match to 'cors' is coincidental and not a typosquat attempt.	ai	2026/04/21

Versions (showing 51 of 201)

View all versions

Version	Deps	Published
3.974.15	8 / 5	2026-05-28
3.974.14	8 / 5	2026-05-26
3.974.13	8 / 5	2026-05-21
3.974.12	8 / 5	2026-05-18
3.974.11	8 / 5	2026-05-15
3.974.10	6 / 5	2026-05-14
3.974.9	6 / 5	2026-05-14
3.974.8	14 / 5	2026-05-01
3.974.7	14 / 5	2026-04-29
3.974.6	14 / 5	2026-04-27
3.974.5	14 / 5	2026-04-23
3.974.4	14 / 5	2026-04-22
3.974.3	14 / 5	2026-04-21
3.974.2	13 / 5	2026-04-20
3.974.1	13 / 5	2026-04-17
3.974.0	13 / 5	2026-04-16
3.973.27	13 / 5	2026-04-07
3.973.26	13 / 5	2026-03-30
3.973.25	13 / 5	2026-03-26
3.973.24	13 / 5	2026-03-23
3.973.23	13 / 5	2026-03-20
3.973.22	13 / 5	2026-03-19
3.973.21	13 / 5	2026-03-18
3.973.20	13 / 5	2026-03-13
3.973.19	13 / 5	2026-03-09
3.973.18	13 / 5	2026-03-05
3.973.17	13 / 5	2026-03-04
3.973.16	13 / 5	2026-03-03
3.973.15	13 / 5	2026-02-26
3.973.14	13 / 5	2026-02-25
3.973.13	13 / 5	2026-02-24
3.973.12	13 / 5	2026-02-23
3.973.11	13 / 5	2026-02-18
3.973.10	13 / 5	2026-02-13
3.973.9	13 / 5	2026-02-12
3.973.8	13 / 5	2026-02-11
3.973.7	13 / 5	2026-02-06
3.973.6	13 / 5	2026-02-03
3.973.5	13 / 5	2026-01-30
3.973.4	13 / 5	2026-01-28
3.973.3	13 / 5	2026-01-27
3.973.2	13 / 5	2026-01-26
3.973.1	13 / 5	2026-01-23
3.973.0	13 / 5	2026-01-22
3.972.0	13 / 5	2026-01-20
3.970.0	13 / 5	2026-01-15
3.969.0	13 / 5	2026-01-14
3.968.0	13 / 5	2026-01-13
3.967.0	13 / 5	2026-01-13
3.966.0	13 / 5	2026-01-09
3.965.0	13 / 5	2026-01-07

v3.974.15

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.14

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.13

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.12

4 findings

HIGH New obfuscated file: dist-cjs/submodules/client/index.browser.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist-cjs/submodules/client/index.native.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist-es/submodules/client/util-endpoints/lib/aws/partitions.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.11

4 findings

HIGH New obfuscated file: dist-cjs/submodules/client/index.browser.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist-cjs/submodules/client/index.native.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist-es/submodules/client/util-endpoints/lib/aws/partitions.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.974.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.