Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable supply chain security through npm provenance attestation #60497

Open
1 task done
pupapaik opened this issue Nov 14, 2024 · 1 comment · May be fixed by #60498
Open
1 task done

Enable supply chain security through npm provenance attestation #60497

pupapaik opened this issue Nov 14, 2024 · 1 comment · May be fixed by #60498
Labels
Duplicate An existing issue was already created

Comments

@pupapaik
Copy link

Acknowledgement

  • I acknowledge that issues using this template may be closed without further explanation at the maintainer's discretion.

Comment

Following the recent Lottie-Player supply chain attack, it's crucial to enhance package security. NPM provenance provides cryptographic proof that this package was built from this repository using GitHub Actions, making supply chain attacks significantly harder. More info in my blog post https://medium.com/exaforce/npm-provenance-the-missing-security-layer-in-popular-javascript-libraries-b50107927008

pupapaik added a commit to ExaForce/TypeScript that referenced this issue Nov 14, 2024
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs

Fixes: microsoft#60497
pupapaik added a commit to ExaForce/TypeScript that referenced this issue Nov 14, 2024
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs

Fixes: microsoft#60497
@IllusionMH
Copy link
Contributor

Duplicate of #59028

@RyanCavanaugh RyanCavanaugh added the Duplicate An existing issue was already created label Nov 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Duplicate An existing issue was already created
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants