@aws-sdk/xml-builder
XML utilities for the AWS SDK
8
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
amzn-ossaws-sdk-bot
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): aws-sdk-bot publishes hundreds of AWS SDK packages; missing gitHead reflects a CI/CD environment change, not a supply chain risk. Consistent across the SDK package family. | ai | |
| provenance | no-provenance | AI (provenance): AWS SDK packages are published by the well-known aws-sdk-bot; lack of Sigstore attestation is a process gap, not a security threat for this established publisher. | ai | |
| dependencies | unvetted-dep:fast-xml-parser | AI (dependencies): fast-xml-parser is a well-known, widely-used XML parsing library; its use in an AWS SDK XML builder package is entirely appropriate and expected across all versions. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Inflated semver is the standard AWS SDK v3 versioning scheme; short README and no keywords are typical for internal SDK utility packages published by aws-sdk-bot. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper used as an implicit dependency in compiled AWS SDK packages; stable pattern for this publisher. | ai | |
| phantom-deps | phantom-dep:@smithy/types | AI (phantom-deps): @smithy/types is a framework-scoped type package used by convention across the AWS SDK v3 ecosystem; not a real phantom dependency concern. | ai |