From 9807cafbaf274eca2a0abbd04a9b2b55e850de9d Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Wed, 20 Mar 2024 10:11:01 -0700 Subject: [PATCH] docs: update audit docs with provenance info (#7304) Adds a note to the `audit` docs discussing the verification of provenance attestations. Per: https://github.com/npm/documentation/pull/1010 Signed-off-by: Brian DeHamer --- docs/lib/content/commands/npm-audit.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/lib/content/commands/npm-audit.md b/docs/lib/content/commands/npm-audit.md index 467088f3a5d7c..3447a09f16619 100644 --- a/docs/lib/content/commands/npm-audit.md +++ b/docs/lib/content/commands/npm-audit.md @@ -47,6 +47,13 @@ Registry signatures can be verified using the following `audit` command: $ npm audit signatures ``` +The `audit signatures` command will also verify the provenance attestations of +downloaded packages. Because provenance attestations are such a new feature, +security features may be added to (or changed in) the attestation format over +time. To ensure that you're always able to verify attestation signatures check +that you're running the latest version of the npm CLI. Please note this often +means updating npm beyond the version that ships with Node.js. + The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed: 1. Signatures are provided in the package's `packument` in each published version within the `dist` object:
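Review bot: In the added paragraph, the sentence "To ensure that you're always able to verify attestation signatures check that you're running the latest version of the npm CLI" needs a comma before "check", and the lead-in "Because provenance attestations are such a new feature" would read more precisely as "Because provenance attestations are a relatively new feature". Since the paragraph tells readers that a stale CLI may be unable to verify newer attestation formats, it should also say what they will observe in that case and how to act on it: a short line such as "Check your version with `npm --version` and upgrade with `npm install -g npm@latest`" would make the advice actionable, and a sentence stating that `npm audit signatures` reports packages whose attestations cannot be verified (rather than silently skipping them) would make the security expectation explicit. Consider linking the word "provenance attestations" to the provenance documentation this change is paired with (npm/documentation#1010), so readers of the audit page can find what an attestation asserts and who is expected to verify it.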