Description
NPM has deprecated the PGP method of verifying signatures and now uses its own ECDSA registries. https://docs.npmjs.com/verifying-registry-signatures
This PR adds a signature check to the npm-audit-test that can help us detect if there has been an attempt to hijack one of our dependencies.
https://github.com/dockstore/dockstore-ui2/actions/runs/5614243824/job/15211965428?pr=1825
Review Instructions
GitHub workflows pass with a log message showing that the signatures have been verified.
Issue
https://ucsc-cgl.atlassian.net/browse/SEAB-1533
Security
If there are any concerns that require extra attention from the security team, highlight them here.
Please make sure that you've checked the following before submitting your pull request. Thanks!
- npm run build
- markdown-wrapper component, which does extra sanitization
- npm audit and ensure you are not introducing new vulnerabilities