NPM Package Provenance (2023)

github.blog

2 points by behindsight 3 months ago · 2 comments

codedrift_ 3 months ago

> To achieve this, we require that packages are built on a trusted CI/CD platform

Given what happened with NX [1], I'm hoping GitHub Actions disallows certain types of commands in their YAML. Otherwise we still have a straightforward way to attach provenance to malicious code. =\

1: https://x.com/adnanthekhan/status/1958722939534417989

behindsightOP 3 months ago

Reminder, you can audit all your npm packages to see if they provide provenance attestation with:

    npm audit signatures

You can also use this to give package authors a gentle reminder to consider setting one up (or to replace those that can't/won't).

Additional resources:

- Trusted publishing via OIDC [1]

- Requiring 2FA for package publishing [2]

1: https://docs.npmjs.com/trusted-publishers

2: https://docs.npmjs.com/requiring-2fa-for-package-publishing-...
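The following is an added example, not code from the thread, from npm or from GitHub. It reproduces offline the gist of what `npm audit signatures` checks for each locked package, so the output can be turned into the per-package "please set up provenance" list the comment above suggests. It assumes (these are assumptions, not stated on the page) that the lockfile is a v2/v3 `package-lock.json` with a `packages` map keyed by `node_modules/<name>`, and that a registry version document exposes `dist.signatures` (registry signature) and `dist.attestations.provenance` (Sigstore-backed provenance). The registry fetcher is injected, so the sample run uses constructed data; the commented-out `liveFetchVersion` shows where a real registry call would go. Names such as `classifyDist`, `auditLock` and the sample packages `alpha`/`beta`/`gamma`/`delta` are hypothetical.

```javascript
// Added example (not the thread's, npm's or GitHub's code).
// Assumed registry metadata shape (assumption, not from the page):
//   dist.signatures   -> [{ keyid, sig }]                         registry signature
//   dist.attestations -> { url, provenance: { predicateType } }   provenance attestation

// Classify one version's dist metadata the way a signature/attestation audit would.
function classifyDist(dist = {}) {
  const hasSig = Array.isArray(dist.signatures) && dist.signatures.length > 0;
  const hasProv = !!(dist.attestations && dist.attestations.provenance);
  if (hasProv) return 'provenance';
  if (hasSig) return 'signed-only';
  return 'unsigned';
}

// Extract { name, version } pairs from a v2/v3 lockfile object (assumed layout).
function lockedPackages(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;   // the root project itself
    if (entry.link) continue;    // workspace symlinks have no registry metadata
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // handles nesting
    if (entry.version) out.push({ name, version: entry.version });
  }
  return out;
}

// fetchVersion(name, version) -> Promise<{ dist }>; injected so this runs offline.
async function auditLock(lock, fetchVersion) {
  const report = { provenance: [], 'signed-only': [], unsigned: [], errors: [] };
  for (const { name, version } of lockedPackages(lock)) {
    try {
      const meta = await fetchVersion(name, version);
      report[classifyDist(meta.dist)].push(`${name}@${version}`);
    } catch (e) {
      // Unreachable or non-registry packages are reported, not silently skipped.
      report.errors.push(`${name}@${version}: ${e.message}`);
    }
  }
  return report;
}

// --- constructed sample data (not real registry responses or a real lockfile) ---
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/alpha': { version: '2.3.4' },
    'node_modules/beta': { version: '0.9.0' },
    'node_modules/beta/node_modules/gamma': { version: '1.0.1' },
    'node_modules/delta': { version: '1.0.0' },   // absent from the fake registry
  },
};

const SAMPLE_REGISTRY = {
  'alpha@2.3.4': { dist: {
    signatures: [{ keyid: 'SHA256:constructed-key-id', sig: 'constructed' }],
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/alpha@2.3.4',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  } },
  'beta@0.9.0': { dist: { signatures: [{ keyid: 'SHA256:constructed-key-id', sig: 'constructed' }] } },
  'gamma@1.0.1': { dist: {} },
};

async function fakeFetchVersion(name, version) {
  const hit = SAMPLE_REGISTRY[`${name}@${version}`];
  if (!hit) throw new Error('not found');
  return hit;
}

// Live fetcher for a real check (network required; not used by the sample run):
// const liveFetchVersion = async (n, v) =>
//   (await fetch(`https://registry.npmjs.org/${encodeURIComponent(n)}/${v}`)).json();

if (typeof require !== 'undefined' && require.main === module) {
  auditLock(SAMPLE_LOCK, fakeFetchVersion).then((r) => {
    console.log(JSON.stringify(r, null, 2));
    // Fail a CI job when anything ships without provenance or cannot be checked.
    if (r.unsigned.length || r['signed-only'].length || r.errors.length) process.exitCode = 1;
  });
}
```

The split between `signed-only` and `provenance` matters: a registry signature only proves the registry served the tarball it received, while a provenance attestation ties the tarball to the build that produced it. The `errors` bucket is kept non-fatal so one unreachable package does not hide the state of the rest.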
