
feat: add npm audit signatures #4827

Merged
merged 2 commits into from Jul 11, 2022

Commits on Jun 30, 2022

  1. feat: add npm audit signatures

    Implements [RFC: Improve signature verification](npm/rfcs#550)
    
    Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](#3452))
    
    This command will verify registry signatures stored in the packument against a public key on the registry.
    
    Supporting:
    - Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
    - Validates public keys are not expired
    - Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
    - Errors when encountering invalid signatures
    - Output: json/human formats
    
    Co-authored-by: Michael Garvin <wraithgar@github.com>
    feelepxyz and wraithgar committed Jun 30, 2022
    3ae53e4

Commits on Jul 11, 2022

  1. cd9c4f4