@owf/eudi-wrprc Apache-2.0 2 versions

@owf/eudi-wrprc

npm Repository Homepage

ETSI TS 119 475 Wallet-Relying Party Registration Certificate (WRPRC) implementation

Versions

Apache-2.0

License

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

timoglastraopenwalletfoundationmirkom

Keywords

eudiwalletwrprcregistration-certificateetsits-119-475relying-partyidentity

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from manual publish to GitHub Actions CI with SLSA attestation; legitimate pipeline migration for this org.	ai	2026/05/21
provenance	missing-githead	AI (provenance): CI-based publish via GitHub Actions with SLSA provenance; gitHead absence is expected in this pipeline.	ai	2026/05/21
dependencies	unvetted-dep:@owf/crypto	AI (dependencies): Sibling workspace package in the same OWF monorepo; not an external unvetted dependency.	ai	2026/04/29
dependencies	unvetted-dep:@owf/identity-common	AI (dependencies): Sibling workspace package in the same OWF monorepo; not an external unvetted dependency.	ai	2026/04/29
npm-metadata	suspicious-initial-version	AI (npm-metadata): 0.0.0 is standard for initial monorepo package releases; repo URL and org context confirm legitimacy.	ai	2026/04/29

Versions (showing 2 of 2)

Version	Deps	Published
0.2.0	3 / 0	2026-05-08
0.0.0	3 / 0	2026-04-13

v0.2.0

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: mirkom → GitHub Actions (on 2026-05-08) provenance

This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.