← Home

@owf/eudi-sca

npm Repository Homepage

Tools and utilities for EUDI Strong Customer Authentication per TS12

3
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

timoglastraopenwalletfoundationmirkom

Keywords

scaeudiTS12wallet

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Transition to GitHub Actions CI/CD publisher is confirmed legitimate by SLSA provenance attestation on this and likely future versions. ai
provenance missing-githead AI (provenance): SLSA provenance attestation provides equivalent or stronger commit linkage; missing gitHead is expected when publishing via GitHub Actions with Sigstore. ai
npm-metadata suspicious-initial-version AI (npm-metadata): 0.0.0 is the initial monorepo publish pattern for OWF Labs packages; not a throwaway. ai
phantom-deps phantom-dep:@owf/mdoc AI (phantom-deps): Same org scope workspace dep; phantom-dep heuristic unreliable for monorepo siblings. ai
phantom-deps phantom-dep:@owf/crypto AI (phantom-deps): Same org scope workspace dep; phantom-dep heuristic unreliable for monorepo siblings. ai
phantom-deps phantom-dep:@sd-jwt/core AI (phantom-deps): Referenced in config files per finding; stable false positive for this package. ai

Versions (showing 3 of 3)

Version Deps Published
0.3.0 7 / 2
0.2.0 8 / 1
0.0.0 6 / 1

v0.3.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: mirkom → GitHub Actions (on 2026-06-12) provenance

This version was published by a different npm account than previous versions on 2026-06-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: mirkom → GitHub Actions (on 2026-05-08) provenance

This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.