Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable supply chain security through npm provenance attestation #60497

Open
1 task done
pupapaik opened this issue Nov 14, 2024 · 1 comment
Open
1 task done

Enable supply chain security through npm provenance attestation #60497

pupapaik opened this issue Nov 14, 2024 · 1 comment
Labels
Duplicate An existing issue was already created

Comments

@pupapaik
Copy link

Acknowledgement

  • I acknowledge that issues using this template may be closed without further explanation at the maintainer's discretion.

Comment

Following the recent Lottie-Player supply chain attack, it's crucial to enhance package security. NPM provenance provides cryptographic proof that this package was built from this repository using GitHub Actions, making supply chain attacks significantly harder. More info in my blog post https://medium.com/exaforce/npm-provenance-the-missing-security-layer-in-popular-javascript-libraries-b50107927008
@pupapaik pupapaik mentioned this issue Nov 14, 2024
Closed
pupapaik added a commit to ExaForce/TypeScript that referenced this issue Nov 14, 2024
@pupapaik
Enable supply chain security through npm provenance attestation
e8e013c 
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs

Fixes: microsoft#60497
pupapaik added a commit to ExaForce/TypeScript that referenced this issue Nov 14, 2024
@pupapaik
Enable supply chain security through npm provenance attestation
6a25cf1 
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs

Fixes: microsoft#60497
@IllusionMH
Copy link
Contributor

Duplicate of #59028

@RyanCavanaugh RyanCavanaugh added the Duplicate An existing issue was already created label Nov 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate An existing issue was already created
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Enable supply chain security through npm provenance attestation ExaForce/TypeScript
3 participants
@IllusionMH @RyanCavanaugh @pupapaik