@powerhousedao/reactor

Versions: 14
License: AGPL-3.0-only
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; No source commit

Maintainers

acaldas.powerhousememo.devryanwolhuterprometheus-phcallme-tfroidliberuum

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/index.d.ts | AI (source-diff): Bundled TypeScript declaration file with long import lines; not obfuscation, normal for rollup/tsdown output. | ai |
phantom-deps | phantom-dep:@sindresorhus/fnv1a | AI (phantom-deps): Declared in package.json; may be used indirectly or via config — stable false positive for this package. | ai |
dependencies | unvetted-dep:document-drive | AI (dependencies): document-drive is a sibling package in the same powerhouse-inc monorepo, always pinned to matching versions. Not a third-party risk. | ai |
phantom-deps | phantom-dep:kysely-pglite | AI (phantom-deps): kysely-pglite is a legitimate runtime dependency for PGLite database integration; referenced in config files as expected for this type of dependency. | ai |
phantom-deps | phantom-dep:@electric-sql/pglite | AI (phantom-deps): @electric-sql/pglite is a legitimate runtime dependency for PGLite database integration; referenced in config files as expected. | ai |
npm-metadata | no-description | AI (npm-metadata): Empty description is a minor metadata gap common in monorepo packages; not a meaningful malware signal for this established package. | ai |
typosquat | typosquat.levenshtein:react | AI (typosquat): Scoped package @powerhousedao/reactor is clearly not a typosquat of 'react'; it's a legitimate package in the Powerhouse DAO monorepo ecosystem. Name similarity is coincidental. | ai |

Versions (showing 14 of 14)

Version Deps Published
6.1.0 8 / 9
6.0.0 7 / 8
5.3.6 6 / 5
5.3.4 6 / 5
5.3.0 6 / 5
5.1.0 6 / 5
5.0.9 6 / 5
5.0.8 6 / 5
5.0.7 6 / 5
5.0.6 6 / 5
5.0.5 6 / 5
5.0.4 6 / 5
5.0.3 6 / 3
5.0.0 6 / 3

v6.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

3 findings
HIGH Publisher changed: acaldas.powerhouse → memo.dev (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: dist/index.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.