This sounds great. Any chance you can put together a PR with the change? |
Is your feature request related to a problem? Please describe.
This is a request for adopting a security practice of generating provenance.
npm has released a new feature to generate provenance when publishing packages. The provenance is a file that holds verifiable information about the software artifacts describing where, when and how it was produced. Publishing provenance helps both the users and the maintainers be more confident that the package was published from the original repository by the original authors and not a malicious actor.
Describe the solution you'd like
Add the --provenance flag to your publish command at scripts/release/publish.ts#L127.
Describe alternatives you've considered
None.
Are you able to assist to bring the feature to reality?
Yes, I can.
Additional context
Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
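For readers who want to see what the requested change looks like end to end, the following GitHub Actions workflow is an added example and is not the project's own release script (scripts/release/publish.ts is not shown on this page, so a plain npm publish invocation stands in for it). The workflow file name, the Node.js version, the tag trigger and the NPM_TOKEN repository secret are assumptions for illustration.

```yaml
# Added example, not the project's workflow: a minimal release job that
# publishes with npm provenance. Assumed: workflow name, Node.js 20, a tag
# trigger of the form v*, and an NPM_TOKEN secret holding a publish token.
name: release

on:
  push:
    tags:
      - "v*"

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required for --provenance: npm proves where the package was built by
      # exchanging the job's OIDC token for a Sigstore signing identity.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # Writes an .npmrc that reads the token from NODE_AUTH_TOKEN.
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # --provenance needs npm >= 9.5.0 and a supported CI provider
      # (GitHub Actions or GitLab CI); it fails outside such an environment
      # because there is no trusted OIDC identity to attest with. Use
      # --access public only for scoped packages that should be public.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Two practical notes. First, the flag only does something inside a supported CI job with id-token: write granted; running the same command from a maintainer's laptop is rejected rather than silently producing a package without provenance, so the release script should not be expected to work both ways once the flag is added. Second, the consumer side of the check is npm audit signatures, which verifies registry signatures and provenance attestations for the packages in a project's node_modules and reports any that are missing or fail to verify.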