Status: Closed
Labels: Product SKU: All; Feature phase: Preview; Shipped
Description
Summary
To better protect npm users from supply chain attacks, we are adding support for verifiable links between the source and the built packages in npm packages. You can read more about the proposed approach in the detailed RFC.
Intended Outcome
npm is the most widely used package manager on the planet today, and is therefore a potential target for malicious actors who want to exploit security weaknesses. By adding verifiable linking between the source code repository, the build run that generated the package, and the package itself, we can mitigate certain supply chain attacks.
How will it work?
Read more about the proposed approach in the RFC.