[BUG] Attestations incorrectly reported as invalid for npm < 10.5.0 #7279
Comments
Whoops, marked as closed by mistake :P
Same error here, using npm
This is due to sigstore/rekor#1888. The timestamp was removed from the checkpoint. npm was patched to account for this but older versions will not be able to properly verify attestations. Please remember to update npm even beyond the version that ships with node.js, as it has often gotten updates since whenever that version of node.js was built.
@wraithgar Which was the first npm version that got patched for this? Couldn't find anything in the changelog.
More reports of the issue: microsoft/playwright#29798
Sorry, but this is failing with LTS node.js. I am using the node LTS Docker image and I would expect that things keep working, not that at some point before LTS end of life, existing Docker builds start failing.
That expectation holds for node, but is incorrect for a remote service node/npm connects to.
Suuureee, but it could be backported to an older version of npm, so that things continue to work, if there is an external dependency like this?
The usual path is that node updates the npm version it includes, but you can do that yourself so you don’t have to wait for it.
So the current LTS will eventually get npm upgraded to >= 10.5.0? The latest npm with node 20 is 10.2.4.
That's up to the Node.js folks. We're working on updating the docs for this feature to remind folks to update their own version of npm manually. This is a pretty new feature and using it is going to require folks to change how they think about "staying current". It may mean updating beyond whatever version of npm ships with a given version of Node.js.
@wraithgar Thanks! It would be great if then also Docker image rules would be changed to include npm updates. Currently they state that they bundle only the npm bundled with node. This is a problem because it means that a) everyone has to figure out that npm updating is necessary in the first place b) it increases CI time for everyone instead of the image having the latest reasonable version bundled in.
I'm not sure why the docker images would need to be any different than node itself - and yes, everyone has to learn that npm updating is necessary. You can always make your own base docker image that upgrades npm itself, and avoid CI time increases.
Of course. But then everyone has to do it. Not the best for the ecosystem.
fwiw docs were updated to clarify this: thx peeps!
As explained in [this issue](npm/cli#7279), it's important to keep NPM set to the latest if you're verifying signatures to ensure that you're using the latest signature logic.
Based on npm/cli#7279 bug rather than a project-related bug
Fixes attestation issue, see npm/cli#7279
For whoever may be interested, with latest releases of GitHub Actions GitHub-hosted runners today (like
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Recently `npm audit signatures` started failing in a project of mine. Error is about packages having invalid attestations. Specifically `@semantic-release/npm@11.0.3` and `ts-api-utils@1.3.0`.
Full log: https://gist.github.com/davidlj95/1c2752b4f59dda2527cfc27862350af0
As you can see, was using `npm` version `10.2.4`. When using `10.5.0`, error was gone. Versions `10.3.0` and `10.4.0` are affected too after a quick test.
Expected Behavior
Attestations keep working for recent versions of `npm`. For instance, GitHub Hosted Runner Ubuntu 22.04 (`latest`) uses version `10.2.4`.
Steps To Reproduce
1. `npm` with version from 10.2.4 (or maybe older) < 10.5.0
2. `npm audit signatures`
Environment
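The thread's practical advice is to upgrade npm beyond the version bundled with Node.js before trusting `npm audit signatures` in CI. The script below is an added example and is not code from the npm/cli project or from anyone in this thread: it gates the audit step on a minimum npm version (10.5.0, the first version the reporter found working), compares versions numerically rather than lexically, and only performs the upgrade when an assumed `NPM_AUTO_UPGRADE=1` environment variable is set.

```sh
#!/bin/sh
# Added example (not from the npm/cli thread): a CI pre-step that refuses to
# rely on `npm audit signatures` from an npm too old to verify the current
# Rekor checkpoint format, upgrading npm first when allowed to.
set -eu

# First npm version the thread reports as verifying attestations correctly
# (assumption taken from the reporter's test, not from a changelog).
MIN_NPM="10.5.0"

# version_ge A B: succeed when dotted version A is >= B.
# Compares major.minor.patch as integers (so 10.10.0 > 10.5.0) and drops any
# pre-release or build suffix such as "-pre.0"; missing components count as 0.
version_ge() {
  a="$(printf '%s' "$1" | sed 's/[-+].*//').0.0"
  b="$(printf '%s' "$2" | sed 's/[-+].*//').0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# npm_upgrade_needed VERSION: print "ok" or "upgrade" for an npm version
# string. Kept free of side effects so the decision is testable on its own.
npm_upgrade_needed() {
  if version_ge "$1" "$MIN_NPM"; then echo ok; else echo upgrade; fi
}

# Main flow: skipped when npm is not installed on the host. NPM_AUTO_UPGRADE
# is an assumed control variable for this script; without it the script only
# prints the command the thread recommends and leaves npm untouched.
if command -v npm >/dev/null 2>&1; then
  current="$(npm --version)"
  if [ "$(npm_upgrade_needed "$current")" = upgrade ]; then
    echo "npm $current is older than $MIN_NPM; it may report valid attestations as invalid." >&2
    if [ "${NPM_AUTO_UPGRADE:-0}" = 1 ]; then
      npm install -g npm@latest
      echo "npm upgraded to $(npm --version)"
    else
      echo "Run: npm install -g npm@latest (or set NPM_AUTO_UPGRADE=1)" >&2
    fi
  else
    echo "npm $current >= $MIN_NPM; safe to run: npm audit signatures"
  fi
fi
```

Run it as the step before `npm audit signatures` in the workflow (or in the Dockerfile of a custom base image, as suggested above), with `NPM_AUTO_UPGRADE=1` where an in-place global install is acceptable. Keeping the version decision in `npm_upgrade_needed` means the gate can be unit-tested without network access or a real npm.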