projen — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

mrgrainamzn-ossprojen-automation

Keywords

cdkcicdgeneratormanagementprojectscaffolding

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:lib/cdk/jsii-build.js	AI (source-diff): jsii-compiled TS output with long lines; readable code, not obfuscation. Stable for this package.	ai	2026/05/29
source-diff	obfuscated-file:lib/github/dependency-review.js	AI (source-diff): jsii-compiled TypeScript; readable GitHub workflow component.	ai	2026/05/19
maintainer-change	maintainer-takeover	AI (maintainer-change): Legitimate AWS org transition: cdklabs-automation → mrgrain/amzn-oss/projen-automation.	ai	2026/05/19
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are known AWS/projen contributors.	ai	2026/05/19
maintainer-change	maintainer-removed	AI (maintainer-change): cdklabs-automation replaced by equivalent AWS automation accounts.	ai	2026/05/19
provenance	publisher-changed	AI (provenance): Publisher changed to GitHub Actions with SLSA provenance; legitimate CI/CD transition.	ai	2026/05/19
source-diff	obfuscated-file:lib/ai-instructions.js	AI (source-diff): jsii-compiled TypeScript, not obfuscated; readable source with JSDoc comments.	ai	2026/05/19
source-diff	obfuscated-file:lib/javascript/biome/biome-config.js	AI (source-diff): Generated config type definitions (toJson_ exports); long lines from many exports, not obfuscation.	ai	2026/05/19
source-diff	obfuscated-file:lib/javascript/biome/biome.js	AI (source-diff): jsii-compiled TypeScript class; readable source.	ai	2026/05/19
source-diff	obfuscated-file:lib/release/bump-type.js	AI (source-diff): jsii-compiled TypeScript; readable semver utility functions.	ai	2026/05/19
source-diff	obfuscated-file:lib/release/commit-tag-version.js	AI (source-diff): jsii-compiled TypeScript; readable release tooling.	ai	2026/05/19
source-diff	obfuscated-file:lib/util/diff.js	AI (source-diff): jsii-compiled TypeScript; readable diff utility.	ai	2026/05/19
source-diff	obfuscated-file:lib/awscdk/private/feature-flags-v2.const.js	AI (source-diff): Generated CDK feature flags constant; long lines from large object literal.	ai	2026/05/19
source-diff	obfuscated-file:lib/python/pyproject-toml.js	AI (source-diff): jsii-compiled TypeScript; generated config types.	ai	2026/05/19
semgrep	semgrep:dynamic-require	AI (semgrep): Plugin/module loader pattern; projen dynamically loads project modules by design.	ai	2026/04/29
phantom-deps	phantom-dep:shx	AI (phantom-deps): shx is listed in both dependencies and bundledDependencies; phantom-dep is a false positive here.	ai	2026/04/29
semgrep	semgrep:child-process-import	AI (semgrep): CLI synth tool legitimately spawns child processes; expected for a project scaffolding tool.	ai	2026/04/29
semgrep	semgrep:env-spread	AI (semgrep): Task runner intentionally merges process.env with task-specific env vars; core design of projen.	ai	2026/04/29

Versions (showing 45 of 45)

Version	Deps	Published
0.99.70	15 / 33	2026-05-28
0.99.69	15 / 33	2026-05-28
0.99.68	15 / 33	2026-05-27
0.99.67	15 / 33	2026-05-27
0.99.66	15 / 33	2026-05-26
0.99.65	15 / 33	2026-05-24
0.99.64	15 / 33	2026-05-23
0.99.63	15 / 33	2026-05-20
0.99.62	15 / 33	2026-05-18
0.99.61	15 / 33	2026-05-13
0.99.60	15 / 33	2026-05-11
0.99.59	15 / 33	2026-05-11
0.99.58	15 / 33	2026-05-10
0.99.57	15 / 33	2026-05-07
0.99.56	15 / 33	2026-05-07
0.99.55	15 / 33	2026-05-07
0.99.54	15 / 33	2026-05-07
0.99.53	15 / 33	2026-05-06
0.99.52	15 / 33	2026-04-20
0.99.51	15 / 33	2026-04-17
0.99.50	15 / 33	2026-04-17
0.99.49	15 / 33	2026-04-15
0.99.48	15 / 33	2026-04-13
0.99.47	15 / 33	2026-04-10
0.99.46	15 / 33	2026-04-10
0.99.45	15 / 33	2026-04-09
0.99.44	15 / 33	2026-04-09
0.99.43	15 / 33	2026-04-09
0.99.42	15 / 33	2026-04-08
0.99.41	15 / 33	2026-04-08
0.99.40	15 / 33	2026-04-08
0.99.39	15 / 33	2026-04-08
0.99.38	15 / 33	2026-04-07
0.99.37	15 / 33	2026-04-07
0.99.36	15 / 33	2026-04-07
0.99.35	15 / 33	2026-04-07
0.99.34	15 / 33	2026-04-03
0.99.33	15 / 33	2026-04-02
0.99.32	15 / 33	2026-04-02
0.99.31	15 / 33	2026-04-02
0.99.30	15 / 33	2026-04-02
0.99.29	15 / 33	2026-04-02
0.99.28	15 / 33	2026-04-02
0.99.27	15 / 33	2026-04-01
0.91.20	14 / 30	2025-04-04

v0.99.70

2 findings

HIGH New obfuscated file: lib/cdk/jsii-build.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.69

2 findings

HIGH New obfuscated file: lib/cdk/jsii-build.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.68

2 findings

HIGH New obfuscated file: lib/cdk/jsii-build.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.67

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.66

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.65

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.64

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.63

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.62

12 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (cdklabs-automation) were replaced by new maintainers (mrgrain, amzn-oss, projen-automation). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: cdklabs-automation → GitHub Actions (on 2026-05-18) provenance

This version was published by a different npm account than previous versions on 2026-05-18. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: lib/ai-instructions.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/javascript/biome/biome-config.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/javascript/biome/biome.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/release/bump-type.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/release/commit-tag-version.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/github/dependency-review.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/util/diff.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/awscdk/private/feature-flags-v2.const.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/python/pyproject-toml.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.99.61

12 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (cdklabs-automation) were replaced by new maintainers (mrgrain, amzn-oss, projen-automation). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: cdklabs-automation → GitHub Actions (on 2026-05-13) provenance

This version was published by a different npm account than previous versions on 2026-05-13. This could indicate a legitimate maintainer transition or an account compromise.