@smithy/core
[](https://www.npmjs.com/package/@smithy/core) [](https://www.npmjs.com/package/@smithy/core)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Size increase explained by inlining 8 previously separate @smithy deps and adding platform-specific submodule variants. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Same root cause: consolidation of multiple @smithy packages into this core package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @aws-crypto/crc32 is a legitimate AWS crypto library; consistent with new checksum submodule. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @smithy/core is the official AWS Smithy TypeScript core package; the Levenshtein match to 'cors' is a spurious false positive due to scoped package name comparison. | ai |
Versions (showing 51 of 116)
| Version | Deps | Published |
|---|---|---|
| 3.24.5 | 3 / 7 | |
| 3.24.4 | 3 / 7 | |
| 3.24.3 | 3 / 7 | |
| 3.24.2 | 3 / 7 | |
| 3.24.1 | 3 / 7 | |
| 3.24.0 | 3 / 7 | |
| 3.23.17 | 10 / 7 | |
| 3.23.16 | 10 / 7 | |
| 3.23.15 | 10 / 7 | |
| 3.23.14 | 10 / 7 | |
| 3.23.13 | 10 / 7 | |
| 3.23.12 | 10 / 7 | |
| 3.23.11 | 10 / 7 | |
| 3.23.10 | 10 / 7 | |
| 3.23.9 | 10 / 7 | |
| 3.23.8 | 10 / 7 | |
| 3.23.7 | 10 / 7 | |
| 3.23.6 | 10 / 7 | |
| 3.23.5 | 10 / 7 | |
| 3.23.4 | 10 / 7 | |
| 3.23.3 | 10 / 7 | |
| 3.23.2 | 10 / 7 | |
| 3.23.1 | 10 / 7 | |
| 3.23.0 | 10 / 7 | |
| 3.22.1 | 10 / 7 | |
| 3.22.0 | 10 / 7 | |
| 3.21.1 | 10 / 7 | |
| 3.21.0 | 10 / 7 | |
| 3.20.8 | 10 / 7 | |
| 3.20.7 | 10 / 7 | |
| 3.20.6 | 10 / 7 | |
| 3.20.5 | 10 / 7 | |
| 3.20.4 | 10 / 7 | |
| 3.20.3 | 10 / 7 | |
| 3.20.2 | 10 / 7 | |
| 3.20.1 | 10 / 7 | |
| 3.20.0 | 10 / 7 | |
| 3.19.0 | 10 / 7 | |
| 3.18.7 | 10 / 7 | |
| 3.18.6 | 10 / 7 | |
| 3.18.5 | 10 / 7 | |
| 3.18.4 | 10 / 7 | |
| 3.18.3 | 10 / 7 | |
| 3.18.2 | 10 / 7 | |
| 3.18.1 | 10 / 7 | |
| 3.18.0 | 10 / 7 | |
| 3.17.2 | 10 / 7 | |
| 3.17.1 | 10 / 7 | |
| 3.17.0 | 10 / 7 | |
| 3.16.1 | 10 / 7 | |
| 3.16.0 | 10 / 7 |
v3.24.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.23.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.22.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.22.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.21.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.21.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.19.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.18.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.18.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.18.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.18.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.18.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.18.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.18.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.18.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.17.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.17.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.17.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.16.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.