@powerhousedao/builder-tools

A comprehensive toolkit for building and managing Powerhouse DAO applications. This package provides essential tools and utilities for development, including document model editing, connection management, and various editor utilities.

Versions: 23
License: AGPL-3.0-only
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; No source commit

Maintainers

acaldas.powerhouse, memo.dev, ryanwolhuter, prometheus-ph, callme-t, froid, liberuum

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
provenance publisher-changed AI (provenance): memo.dev is an established publisher (36 approved) within the same Powerhouse org; transition appears legitimate. ai
license copyleft-license:AGPL-3.0-only AI (license): Intentional AGPL license; stable for this package. ai
publish-pattern new-deps-added AI (publish-pattern): read-pkg is a well-known, benign utility; addition is consistent with builder-tools functionality. ai
dependencies unvetted-dep:@tailwindcss/cli AI (dependencies): Official Tailwind CSS CLI; no malware indicators. ai
dependencies unvetted-dep:@theguild/editor AI (dependencies): Known The Guild editor package; no malware indicators. ai
dependencies unvetted-dep:@radix-ui/react-select AI (dependencies): Official Radix UI component; no malware indicators. ai
dependencies unvetted-dep:constrained-editor-plugin AI (dependencies): Monaco/CodeMirror plugin; no malware indicators. ai
dependencies unvetted-dep:vite-plugin-node-polyfills AI (dependencies): Common Vite plugin; no malware indicators. ai
dependencies unvetted-dep:dspot-powerhouse-components AI (dependencies): Powerhouse ecosystem component; consistent with publisher org. ai
dependencies unvetted-dep:esbuild-plugins-node-modules-polyfill AI (dependencies): Common esbuild plugin; no malware indicators. ai
dependencies unvetted-dep:thememirror AI (dependencies): Known CodeMirror theme package; no malware indicators. ai
dependencies unvetted-dep:vite-envs AI (dependencies): Legitimate Vite plugin; no malware indicators. ai
phantom-deps phantom-dep:@radix-ui/react-select AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@radix-ui/react-checkbox AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:constrained-editor-plugin AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:postcss AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@codemirror/lang-javascript AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@radix-ui/react-radio-group AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:dspot-powerhouse-components AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@codemirror/theme-one-dark AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:tailwindcss AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@tailwindcss/cli AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@tailwindcss/postcss AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:commander AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:date-fns AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:es-toolkit AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:copy-anything AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@prettier/sync AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@theguild/editor AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@graphql-tools/schema AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
phantom-deps phantom-dep:@radix-ui/react-icons AI (phantom-deps): Builder-tools package legitimately declares config-level deps not directly imported in source; expected pattern for tooling packages. ai
provenance slsa-provenance AI (provenance): Package consistently published via CI/CD with Sigstore SLSA provenance attestation; stable supply chain integrity signal for this org's packages. ai

Versions (showing 23 of 23)

Version Deps Published
6.1.0 7 / 4
6.0.0 7 / 4
5.3.6 61 / 27
5.3.5 61 / 27
5.3.4 61 / 27
5.3.3 61 / 27
5.3.2 61 / 27
5.3.1 61 / 27
5.3.0 61 / 27
5.1.0 62 / 26
5.0.12 62 / 26
5.0.11 62 / 26
5.0.10 62 / 26
5.0.9 62 / 26
5.0.8 62 / 26
5.0.7 62 / 26
5.0.6 62 / 26
5.0.5 62 / 26
5.0.4 62 / 26
5.0.3 61 / 26
5.0.2 61 / 26
5.0.1 61 / 26
5.0.0 61 / 26

v6.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: acaldas.powerhouse → memo.dev (on 2026-05-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

v5.3.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.1

2 findings
HIGH Publisher changed: acaldas.powerhouse → memo.dev (on 2026-02-12) provenance

This version was published by a different npm account than previous versions on 2026-02-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.0

2 findings
HIGH Publisher changed: acaldas.powerhouse → memo.dev (on 2026-02-04) provenance

This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.1.0

2 findings
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: acaldas.powerhouse → memo.dev (on 2025-12-11) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.

v5.0.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.10

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.8

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.