@pagopa/io-wallet-oid4vci
This package provides functionalities to manage the **OpenID for Verifiable Credentials Issuance (OID4VCI)** protocol flow, specifically tailored for the Italian Wallet ecosystem. It simplifies the creation of wallet attestations required during the crede
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@openid4vc/utils | AI (phantom-deps): Referenced in config files as part of monorepo build tooling, not a direct import concern. | ai | |
| phantom-deps | phantom-dep:@openid4vc/openid4vci | AI (phantom-deps): Referenced in config files as part of monorepo build tooling, not a direct import concern. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Monorepo build tool; zod is a runtime dep re-exported or used indirectly via tsup bundling. | ai | |
| phantom-deps | phantom-dep:@openid-federation/core | AI (phantom-deps): Likely used via type-only or indirect imports in monorepo build; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@pagopa/io-wallet-utils | AI (phantom-deps): Same-org sibling package; phantom-dep heuristic unreliable for monorepo re-exports. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 1.5.1 | 8 / 1 | |
| 1.5.0 | 8 / 1 | |
| 1.4.2 | 8 / 1 | |
| 1.4.1 | 8 / 1 | |
| 1.4.0 | 8 / 1 | |
| 1.3.0 | 8 / 1 | |
| 1.2.1 | 8 / 1 | |
| 1.2.0 | 8 / 1 | |
| 1.1.1 | 8 / 1 | |
| 1.0.0 | 9 / 1 | |
| 0.7.7 | 8 / 1 | |
| 0.5.1 | 6 / 0 |
v1.5.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.7.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.