A couple of months ago, npm introduced package provenance, a (verifiable) way to link a published package back to its source code and the specific build instructions used to publish it. I think it is a huge step in the direction of improving security and trust in the npm supply chain.
You can read about it on the GitHub blog and the npm docs.
Other useful resources on the sigstore project, which is the backbone of this new feature:
How it works | Project overview | Main concepts | Security model
I know it is still early, but I was wondering if you have given any consideration to adding support for this, or what your initial thoughts are.