Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm package provenance - Public beta #612

Closed
github-product-roadmap opened this issue Nov 16, 2022 · 1 comment
Closed

npm package provenance - Public beta #612

github-product-roadmap opened this issue Nov 16, 2022 · 1 comment
Labels
all Product SKU: All preview Feature phase: Preview shipped Shipped

Comments

@github-product-roadmap
Copy link
Collaborator

Summary

To better protect npm users from supply chain attacks, we are adding support for verifiable links between the source and the built packages in npm packages. You can read more about the proposed approach in the detailed RFC.

Intended Outcome

npm is the most widely used package manager on the planet today, and is therefore a potential target from malicious actors who want to exploit security weaknesses. By adding verifiable linking between a the source code repository, the build run that generated the package, and the package itself, we can mitigate certain supply chain attacks.

How will it work?

Read more about the proposed approach in the RFC.
@github github locked and limited conversation to collaborators Nov 16, 2022
@github-product-roadmap github-product-roadmap added all Product SKU: All preview Feature phase: Preview npm labels Nov 16, 2022
@ankneis ankneis moved this to Q1 2023 – Jan-Mar in GitHub Public Roadmap Nov 16, 2022
@github-product-roadmap github-product-roadmap changed the title npm supports creating verifiable links between a package version and its source/build - Public beta npm package provenance - Public beta Feb 22, 2023
@ankneis ankneis moved this from Q1 2023 – Jan-Mar to Q2 2023 – Apr-Jun in GitHub Public Roadmap Apr 10, 2023
@ankneis ankneis added the shipped Shipped label Apr 19, 2023
@ankneis
Copy link
Collaborator

ankneis commented Apr 19, 2023

🚢 This has shipped! https://github.blog/changelog/2023-04-19-npm-provenance-public-beta

@ankneis ankneis closed this as completed Apr 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
all Product SKU: All preview Feature phase: Preview shipped Shipped
Projects
GitHub Public Roadmap
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@github-product-roadmap @ankneis