@aws-sdk/eventstream-marshaller
[](https://www.npmjs.com/package/@aws-sdk/eventstream-marshaller) [](https://www.npmj
41
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
mattsb42-awskuheamzn-osszheallanaws-sdk-bottrivikr-aws
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist-es/Int64.js | AI (source-diff): Long line is an inline base64 source map comment, not obfuscated logic. Standard AWS SDK compiled output. | ai | |
| source-diff | obfuscated-file:dist-cjs/splitMessage.js | AI (source-diff): Long line is an inline base64 source map comment, not obfuscated logic. Standard AWS SDK compiled output. | ai | |
| source-diff | obfuscated-file:dist-es/splitMessage.js | AI (source-diff): Long line is an inline base64 source map comment, not obfuscated logic. Standard AWS SDK compiled output. | ai | |
| provenance | no-provenance | AI (provenance): AWS SDK bot publishes without Sigstore provenance; consistent across all AWS SDK packages. Low risk given publisher track record. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are dist-cjs/ and dist-es/ compiled build artifacts added as part of AWS SDK build pipeline changes. No injected code. | ai | |
| source-diff | obfuscated-file:dist-cjs/EventStreamMarshaller.js | AI (source-diff): Long line is an inline base64 source map comment, not obfuscated logic. Standard AWS SDK compiled output. | ai | |
| source-diff | obfuscated-file:dist-es/EventStreamMarshaller.js | AI (source-diff): Long line is an inline base64 source map comment, not obfuscated logic. Standard AWS SDK compiled output. | ai | |
| source-diff | obfuscated-file:dist-cjs/HeaderMarshaller.js | AI (source-diff): Long line is an inline base64 source map comment, not obfuscated logic. Standard AWS SDK compiled output. | ai | |
| source-diff | obfuscated-file:dist-es/HeaderMarshaller.js | AI (source-diff): Long line is an inline base64 source map comment, not obfuscated logic. Standard AWS SDK compiled output. | ai | |
| source-diff | obfuscated-file:dist-cjs/Int64.js | AI (source-diff): Long line is an inline base64 source map comment, not obfuscated logic. Standard AWS SDK compiled output. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop is explained by refactoring: functionality moved into @aws-sdk/eventstream-codec dependency. Not a stub/redirect attack. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): AWS SDK team rotation via aws-sdk-bot; mattsb42-aws and kuhe are known AWS SDK contributors. Publisher track record is clean (241 approved, 0 rejected). | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Normal AWS SDK team rotation; removal of jamesiri alongside addition of new AWS contributors is consistent with legitimate team changes. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Missing README/repo/keywords are typical for early pre-release AWS SDK v3 gamma packages from this era; publisher is well-established with 96 packages. | ai | |
| dependencies | unvetted-dep:@aws-crypto/crc32 | AI (dependencies): @aws-crypto/crc32 is an AWS-owned package in the same SDK ecosystem; its use in an eventstream marshaller for CRC32 checksums is expected and legitimate. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is in a test fixture generation script (buildTestVectorsFixture.js), a standard pattern for protocol/crypto library test vectors. Not a malicious payload. | ai |
Versions (showing 41 of 41)
| Version | Deps | Published |
|---|---|---|
| 3.120.0 | 3 / 7 | |
| 3.118.1 | 4 / 9 | |
| 3.110.0 | 4 / 9 | |
| 3.109.0 | 4 / 9 | |
| 3.78.0 | 4 / 9 | |
| 3.58.0 | 4 / 9 | |
| 3.55.0 | 4 / 9 | |
| 3.54.1 | 4 / 9 | |
| 3.54.0 | 4 / 9 | |
| 3.53.0 | 4 / 9 | |
| 3.52.0 | 4 / 9 | |
| 3.50.0 | 4 / 9 | |
| 3.49.0 | 4 / 9 | |
| 3.47.2 | 4 / 3 | |
| 3.47.1 | 4 / 3 | |
| 3.47.0 | 4 / 3 | |
| 3.46.0 | 4 / 3 | |
| 3.40.0 | 4 / 6 | |
| 3.39.0 | 4 / 6 | |
| 3.38.0 | 4 / 6 | |
| 3.37.0 | 4 / 6 | |
| 3.36.0 | 4 / 6 | |
| 3.35.0 | 4 / 6 | |
| 3.34.0 | 4 / 6 | |
| 3.32.0 | 4 / 6 | |
| 3.29.0 | 4 / 6 | |
| 3.25.0 | 4 / 6 | |
| 3.23.0 | 4 / 6 | |
| 3.22.0 | 4 / 6 | |
| 3.20.0 | 4 / 6 | |
| 3.18.0 | 4 / 6 | |
| 3.15.0 | 4 / 6 | |
| 3.13.1 | 4 / 6 | |
| 3.12.0 | 4 / 6 | |
| 3.10.0 | 4 / 6 | |
| 3.6.1 | 4 / 6 | |
| 3.4.1 | 4 / 6 | |
| 3.4.0 | 4 / 6 | |
| 3.3.0 | 4 / 6 | |
| 3.1.0 | 3 / 7 | |
| 3.0.0 | 3 / 7 |