aws-crt
NodeJS/browser bindings to the aws-c-* libraries
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:awssdk | AI (phantom-deps): awssdk is listed as a dependency in package.json for this AWS binding package; the phantom-dep flag reflects a dependency hygiene issue, not a security risk. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): buffer and process are standard browser polyfills; aws-crt has a browser build target and their addition is consistent with expanding browser compatibility. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is explicitly declared as a runtime dependency in package.json; the phantom-dep finding is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:glob-parent | AI (phantom-deps): glob-parent is a legitimate utility likely pulled in for build tooling; aws-crt is an established AWS package with excellent publisher track record. Not a malicious phantom dep. | ai | |
| source-diff | large-new-source-files | AI (source-diff): aws-crt regularly adds new source files as AWS SDK features expand; large additions are expected for a native binding package of this scale and track record. | ai | |
| bogus-package | bogus-package | AI (bogus-package): aws-crt is a well-established AWS SDK native binding with 856k weekly downloads; missing keywords and terse README are cosmetic, not indicative of spam or low value. | ai | |
| provenance | no-provenance | AI (provenance): Established AWS package published by aws-common-runtime with 159 approved versions; lack of Sigstore provenance is not a meaningful risk signal here. | ai | |
| install-scripts | install-script:install | AI (install-scripts): aws-crt is a native binding; install script loads the correct prebuilt binary per platform. Standard and documented pattern. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads platform-specific .node binary from known search paths; standard native addon loader pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in native binding build/install tooling; expected for aws-crt. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Prebuilt .node binaries for each platform are the standard distribution method for native Node.js addons like aws-crt. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 1.19.0 | 7 / 21 | |
| 1.18.2 | 7 / 21 | |
| 1.15.21 | 9 / 21 | |
| 1.14.4 | 7 / 18 | |
| 1.14.0 | 5 / 20 | |
| 1.13.1 | 7 / 18 | |
| 1.12.0 | 8 / 19 | |
| 1.6.0 | 6 / 17 | |
| 1.3.5 | 6 / 17 | |
| 1.1.10 | 5 / 18 | |
| 1.1.4 | 5 / 15 | |
| 1.1.3 | 5 / 14 | |
| 0.4.1 | 7 / 12 | |
| 0.1.1 | 1 / 4 | |
| 0.1.0 | 1 / 4 | |
v1.19.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.