@renown/sdk
A comprehensive SDK for integrating Renown authentication and user profile management into your React applications.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/src/components/image-data.d.ts | AI (source-diff): TypeScript declaration mirroring the base64 PNG data URI constant; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/src/components/icons.js | AI (source-diff): Long lines are SVG path data in React components, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/src/components/image-data.js | AI (source-diff): Long line is a base64-encoded PNG data URI, explicitly documented as such in the file comment. | ai | |
| provenance | publisher-changed | AI (provenance): Both publishers are within the Powerhouse org; SLSA attestation confirms CI/CD publish; consistent with org-internal maintainer rotation. | ai | |
| dependencies | unvetted-dep:did-jwt | AI (dependencies): did-jwt is a well-established DID/JWT library from the Veramo/Ceramic ecosystem; legitimate dependency for identity/credential functionality. | ai | |
| dependencies | unvetted-dep:@didtools/key-did | AI (dependencies): @didtools/key-did is part of the DID Tools suite; legitimate dependency for DID-based identity. | ai | |
| dependencies | unvetted-dep:key-did-resolver | AI (dependencies): key-did-resolver is a DID key resolver from the Ceramic ecosystem; legitimate and widely used. | ai | |
| dependencies | unvetted-dep:did-jwt-vc | AI (dependencies): did-jwt-vc is a well-established verifiable credentials library; legitimate dependency for identity/credential functionality. | ai | |
| dependencies | unvetted-dep:did-resolver | AI (dependencies): did-resolver is a core DID resolution library from the Veramo ecosystem; legitimate and widely used. | ai | |
| dependencies | unvetted-dep:did-key-creator | AI (dependencies): did-key-creator is a DID key creation utility; legitimate dependency for DID-based identity. | ai | |
| provenance | slsa-provenance | AI (provenance): Package consistently published via CI/CD with Sigstore SLSA attestation; this is a stable positive signal for the Powerhouse monorepo packages. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 6.1.0 | 7 / 2 | |
| 6.0.0 | 6 / 2 | |
| 5.3.6 | 7 / 10 | |
| 5.3.5 | 7 / 10 | |
| 5.3.4 | 7 / 10 | |
| 5.3.3 | 7 / 10 | |
| 5.3.2 | 7 / 10 | |
| 5.3.1 | 7 / 10 | |
| 5.3.0 | 7 / 10 | |
| 5.1.0 | 7 / 4 | |
| 5.0.12 | 7 / 4 | |
| 5.0.11 | 7 / 4 | |
| 5.0.10 | 7 / 4 | |
| 5.0.9 | 7 / 4 | |
| 5.0.8 | 7 / 4 | |
| 5.0.7 | 7 / 4 | |
| 5.0.6 | 7 / 4 | |
| 5.0.5 | 7 / 4 | |
| 5.0.4 | 7 / 4 | |
| 5.0.3 | 7 / 4 | |
| 5.0.2 | 7 / 4 | |
| 5.0.1 | 7 / 4 | |
| 5.0.0 | 7 / 4 | |
v6.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.0.0
2 findings
This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.3.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.