← Home

@rio-cloud/cdk-v2-constructs

npm Repository

CDK constructs to build RIO flavored CI/CD pipeline in AWS.

3
Versions
Apache-2.0
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

rio_cop_frontendrio_team_ctcrioclaiddefauderio_team_claid

Keywords

cdk

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:js-yaml AI (phantom-deps): Listed in bundleDependencies; bundled at publish time, not directly imported in source. ai
phantom-deps phantom-dep:@smithy/util-retry AI (phantom-deps): Listed in bundleDependencies; loaded transitively by AWS SDK, not directly imported. ai
phantom-deps phantom-dep:@aws-sdk/client-ecs AI (phantom-deps): Bundled AWS SDK client used by Lambda custom resources; indirect import pattern is expected. ai
phantom-deps phantom-dep:@aws-sdk/client-codedeploy AI (phantom-deps): Bundled AWS SDK client used by Lambda custom resources; indirect import pattern is expected. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): Localhost (127.0.0.1) health check for Datadog sidecar container; not a network exfiltration risk. ai
phantom-deps phantom-dep:@aws-sdk/client-secrets-manager AI (phantom-deps): Bundled AWS SDK client used by Lambda custom resources; indirect import pattern is expected. ai
phantom-deps phantom-dep:@aws-sdk/client-organizations AI (phantom-deps): Bundled AWS SDK client used by Lambda custom resources; indirect import pattern is expected. ai
phantom-deps phantom-dep:@types/aws-lambda AI (phantom-deps): Type-only package used by bundled Lambda handlers; framework-scoped, not directly imported. ai

Versions (showing 3 of 3)

Version Deps Published
8.1.0 12 / 27
8.0.7 12 / 27
8.0.2 12 / 27

v8.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.0.7

2 findings
HIGH Phantom dependency: js-yaml phantom-deps

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.