@smithy/core
[](https://www.npmjs.com/package/@smithy/core) [](https://www.npmjs.com/package/@smithy/core)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Size increase explained by inlining 8 previously separate @smithy deps and adding platform-specific submodule variants. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Same root cause: consolidation of multiple @smithy packages into this core package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @aws-crypto/crc32 is a legitimate AWS crypto library; consistent with new checksum submodule. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @smithy/core is the official AWS Smithy TypeScript core package; the Levenshtein match to 'cors' is a spurious false positive due to scoped package name comparison. | ai |
Versions (showing 16 of 116)
| Version | Deps | Published |
|---|---|---|
| 2.3.2 | 8 / 5 | |
| 2.3.1 | 8 / 5 | |
| 2.3.0 | 8 / 5 | |
| 2.2.8 | 8 / 5 | |
| 2.2.7 | 8 / 5 | |
| 2.2.6 | 8 / 5 | |
| 2.2.5 | 8 / 5 | |
| 2.2.4 | 8 / 5 | |
| 2.2.3 | 8 / 5 | |
| 2.2.2 | 8 / 5 | |
| 2.2.1 | 8 / 5 | |
| 2.2.0 | 8 / 5 | |
| 2.1.1 | 8 / 5 | |
| 2.1.0 | 8 / 5 | |
| 2.0.1 | 8 / 5 | |
| 2.0.0 | 8 / 5 |
v2.3.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.