Skip to content

Commit

Permalink
docs: update audit docs with provenance info (#7304)
Browse files Browse the repository at this point in the history
Adds a note to the `audit` docs discussing the verification of
provenance attestations.

Per: npm/documentation#1010

Signed-off-by: Brian DeHamer <bdehamer@github.com>
  • Loading branch information
bdehamer authored Mar 20, 2024
1 parent 9d4e85f commit 9807caf
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions docs/lib/content/commands/npm-audit.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,13 @@ Registry signatures can be verified using the following `audit` command:
$ npm audit signatures
```

The `audit signatures` command will also verify the provenance attestations of
downloaded packages. Because provenance attestations are such a new feature,
security features may be added to (or changed in) the attestation format over
time. To ensure that you're always able to verify attestation signatures check
that you're running the latest version of the npm CLI. Please note this often
means updating npm beyond the version that ships with Node.js.

The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:

1. Signatures are provided in the package's `packument` in each published version within the `dist` object:
Expand Down

0 comments on commit 9807caf

Please sign in to comment.