AWS SDK for JavaScript V3 : Is amazon-cognito-identity-js becoming deprecated or has security issues in favor of AWS Amplify V6?

0

We're using AWS SDK for JavaScript V3, where we use the amazon-cognito-identity-js package for Cognito authentication on a portal we've developed in Angular.

There is a Developer Note on top of the package mentioning: "We recommend using the Amplify JavaScript library's Auth features in place of the Amazon Cognito Identity SDK. The Amplify JavaScript library offers a modern, fully-typed, and performant experience for Auth use cases with tree-shaking built-in for bundle size reduction." https://www.npmjs.com/package/amazon-cognito-identity-js?activeTab=readme

We don't fully understand what this message means: is this package becoming deprecated or has any security issue to justify this message? We can't find any additional information on it being deprecated or not.

We're also aware that recently it has been announced the end of support for AWS SDK V2 September 2025. We haven't found anything similar for V3. https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-javascript-v2/

We're also aware that any major version lifecycle follows this flow, thus we're not expecting any message soon for deprecating V3. https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html

Our ask:

  • Is this package amazon-cognito-identity-js being deprecated or there is any security issue with it?
  • If not, what's the basis for the Developer note on top to use Amplify V6?
1 Answer
0

I am not from Amplify SDK team, but try to answer your inquiry from what I understand.

  • Is this package amazon-cognito-identity-js being deprecated or there is any security issue with it?

Yes, this package is deprecating. It is not due to security issue but mainly due to the features provided in this package has been covered by aws-amplify auth SDK. The team will focus on maintaining one single SDK instead both amplify and cognito-identity-js.

cognito-idp component in AWS SDK for JavaScript provides basic functionalities at the Cognito service API at the level. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html

Amplify SDK provides enhanced client application feature sets.

For examples,

  • JavaScript SDK does not provide SRP password algorithms, built application with it would need own implementation of that if using USER_SRP auth flow.
  • Client side token storage, token auto-refresh is not implemented in JavaScript SDK but well handled in Amplify SDK.
  • etc...
profile pictureAWS
Yungang
answered a month ago
  • Hi Yungang, thanks for the update. We understand this, but it is not definitive whether this package will be deprecated within the next X months or couple of years. We would like to understand if it is critical that we change and start using Amplify V6 straight away, or not.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions