
@aws-sdk/signature-v4

A standalone implementation of the AWS Signature V4 request signing algorithm

Versions: 51
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mattsb42-aws, kuhe, amzn-oss, aws-sdk-bot, trivikr-aws

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): @aws-sdk/types is a first-party AWS SDK core types package from the same monorepo, versioned identically. This pattern of internal dependency additions is expected and benign for this package. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): mattsb42-aws is a known AWS employee; addition is consistent with normal AWS SDK team growth. Package is part of the official aws-sdk-js-v3 monorepo published by aws-sdk-bot. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): AWS SDK monorepo routinely rotates team members; aws-sdk-bot remains the publisher with a clean 29000+ approved package track record. Maintainer rotation is expected and not indicative of takeover. | ai |
dependencies | unvetted-dep:@aws-sdk/util-middleware | AI (dependencies): @aws-sdk/util-middleware is a sibling package in the AWS SDK v3 monorepo, published by the same trusted aws-sdk-bot publisher. This is a stable internal dependency with no security risk. | ai |
source-diff | encoded-string-file:dist-es/suite.fixture.js | AI (source-diff): The long encoded string is an AWS STS example security token in a SigV4 test fixture file — a well-known AWS test vector, not an obfuscated payload. Stable false positive for this package. | ai |
source-diff | obfuscated-file:dist-es/constants.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-cjs/credentialDerivation.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-es/credentialDerivation.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-cjs/getCanonicalQuery.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-es/getCanonicalQuery.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-cjs/constants.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-cjs/suite.fixture.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-es/suite.fixture.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | large-new-source-files | AI (source-diff): New files are dual CJS/ES module build outputs added as part of AWS SDK v3 distribution structure change, not injected code. | ai |
source-diff | obfuscated-file:dist-es/headerUtil.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-cjs/SignatureV4.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist-es/SignatureV4.js | AI (source-diff): False positive: long lines are inline TypeScript source maps (base64), not obfuscation. Standard AWS SDK build artifact. | ai |
source-diff | obfuscated-file:dist/es/headerUtil.js | AI (source-diff): File is standard TypeScript-compiled ES module output using tslib iterator helpers. The verbose try/catch/finally pattern is a known TypeScript compilation artifact, not obfuscation. Stable for this AWS SDK package. | ai |
provenance | no-provenance | AI (provenance): aws-sdk-bot publishes hundreds of packages without Sigstore provenance; this is consistent across the entire AWS SDK JS v3 release pipeline. | ai |
bogus-package | bogus-package | AI (bogus-package): AWS SDK monorepo utility packages routinely lack keywords and detailed READMEs; this is a structural pattern, not a spam indicator. | ai |

Versions (showing 51 of 99)

Version Deps Published
3.374.0 2 / 8
3.370.0 8 / 8
3.369.0 8 / 8
3.357.0 8 / 8
3.354.0 8 / 8
3.347.0 8 / 8
3.342.0 8 / 8
3.341.0 7 / 8
3.338.0 7 / 8
3.337.0 7 / 8
3.329.0 7 / 8
3.310.0 7 / 8
3.306.0 7 / 8
3.303.0 7 / 8
3.299.0 7 / 8
3.296.0 7 / 9
3.295.0 7 / 9
3.292.0 7 / 9
3.290.0 7 / 9
3.289.0 7 / 9
3.282.0 7 / 9
3.272.0 7 / 9
3.271.0 7 / 9
3.267.0 7 / 9
3.266.1 7 / 9
3.266.0 7 / 9
3.257.0 7 / 9
3.254.0 7 / 9
3.226.0 6 / 9
3.224.0 6 / 9
3.222.0 6 / 9
3.215.0 6 / 9
3.212.0 6 / 9
3.208.0 6 / 9
3.201.0 6 / 9
3.200.0 6 / 9
3.198.0 6 / 9
3.197.0 6 / 9
3.193.0 6 / 9
3.190.0 6 / 9
3.188.0 6 / 9
3.186.0 6 / 9
3.183.0 6 / 9
3.178.0 6 / 9
3.171.0 6 / 9
3.170.0 6 / 9
3.168.0 6 / 9
3.163.0 6 / 9
3.162.0 6 / 9
3.160.0 6 / 9
3.159.0 6 / 9