@powerhousedao/common — Greenflagged

The Powerhouse Common package contains the basic document model and drive UI (App) that is required to get started with Connect and visualize private & public apps.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

acaldas.powerhousememo.devryanwolhuterprometheus-phcallme-tfroidliberuum

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy reflects org release cadence, not abandonment; SLSA provenance confirms CI/CD origin.	ai	2026/05/26
provenance	publisher-changed	AI (provenance): Transition from acaldas.powerhouse to memo.dev within the same Powerhouse org; SLSA provenance attestation confirms CI/CD-published release.	ai	2026/05/22
provenance	slsa-provenance	AI (provenance): Package consistently published via CI/CD with Sigstore attestation; stable supply chain signal.	ai	2026/04/27
publish-pattern	new-deps-added	AI (publish-pattern): graphql-request is a well-known, established library; addition is benign in this context.	ai	2026/04/27
dependencies	unvetted-dep:@powerhousedao/design-system	AI (dependencies): First-party @powerhousedao scoped package pinned to matching version 5.0.0. Expected internal dependency.	ai	2026/04/27
dependencies	unvetted-dep:@powerhousedao/builder-tools	AI (dependencies): First-party @powerhousedao scoped package pinned to matching version 5.0.0. Expected internal dependency.	ai	2026/04/27
dependencies	unvetted-dep:document-drive	AI (dependencies): First-party Powerhouse ecosystem package, pinned to matching version. SLSA provenance on parent package confirms CI/CD build integrity.	ai	2026/04/27
phantom-deps	phantom-dep:@types/luxon	AI (phantom-deps): @types/luxon is a TypeScript type definition package declared as a runtime dep — harmless packaging quirk, not a security concern. Stable across versions.	ai	2026/04/25

Versions (showing 16 of 16)

Version	Deps	Published
6.1.0	5 / 3	2026-06-03
6.0.0	5 / 3	2026-05-21
5.3.6	10 / 39	2026-03-23
5.3.5	10 / 39	2026-03-06
5.3.4	10 / 39	2026-02-25
5.3.3	10 / 39	2026-02-16
5.3.1	10 / 39	2026-02-12
5.1.0	10 / 39	2025-12-11
5.0.10	10 / 39	2025-11-19
5.0.8	10 / 39	2025-11-19
5.0.7	10 / 39	2025-11-19
5.0.5	10 / 39	2025-11-18
5.0.3	9 / 39	2025-11-13
5.0.2	9 / 39	2025-11-05
5.0.1	9 / 39	2025-11-03
5.0.0	9 / 39	2025-10-31

v6.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

2 findings

HIGH Publisher changed: acaldas.powerhouse → memo.dev (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.