Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] ini@4.1.2 has an invalid attestation #245

Closed
1 task done
sjinks opened this issue Mar 12, 2024 · 2 comments
Closed
1 task done

[BUG] ini@4.1.2 has an invalid attestation #245

sjinks opened this issue Mar 12, 2024 · 2 comments
Labels
Needs Triage needs an initial review

Comments

@sjinks
Copy link

sjinks commented Mar 12, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

npm audit signatures complains:

1 package has an invalid attestation:

ini@4.1.2 (https://registry.npmjs.org/)

Someone might have tampered with this package since it was published on the registry!

Expected Behavior

No errors about package attestation

Steps To Reproduce

npm init -y
npm i ini
npm audit signatures

Test repo: https://github.com/sjinks/test-ini
Action log: https://github.com/sjinks/test-ini/actions/runs/8242432839/job/22541375637

Environment

  • npm: 10.2.4
  • Node: v20.11.1
  • OS: Ubuntu 22.04.4 LTS
  • platform: amd64
@sjinks sjinks added the Needs Triage needs an initial review label Mar 12, 2024
@sjinks
Copy link
Author

sjinks commented Mar 12, 2024

ini@4.1.1 is OK:

$ npm i ini@4.1.1

changed 1 package, and audited 2 packages in 709ms

found 0 vulnerabilities

$ npm audit signatures
audited 1 package in 1s

1 package has a verified registry signature

1 package has a verified attestation

@sjinks sjinks mentioned this issue Mar 12, 2024
Merged
@sjinks
Copy link
Author

sjinks commented Apr 2, 2024

Does not happen in npm 10.5.0: npm/cli#7279

@sjinks sjinks closed this as completed Apr 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Needs Triage needs an initial review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sjinks