
npm Provenance

npm Provenance provides supply chain security for JavaScript packages by establishing a verifiable link between a published package and its source code repository and build environment. When a package is published with provenance, it is signed using Sigstore public good servers and the attestation is logged in a public transparency ledger. This allows developers to verify where and how a package was built before downloading it, helping to protect against supply chain attacks and ensuring the integrity of the npm ecosystem.

API entry from apis.yml

aid: npm:provenance
name: npm Provenance
description: npm Provenance provides supply chain security for JavaScript packages by establishing a verifiable
  link between a published package and its source code repository and build environment. When a package
  is published with provenance, it is signed using Sigstore public good servers and the attestation is
  logged in a public transparency ledger. This allows developers to verify where and how a package was
  built before downloading it, helping to protect against supply chain attacks and ensuring the integrity
  of the npm ecosystem.
humanURL: https://docs.npmjs.com/generating-provenance-statements
tags:
- Security
- Supply Chain
- Verification
- Sigstore
- Transparency
- CI/CD
properties:
- type: Documentation
  url: https://docs.npmjs.com/generating-provenance-statements
- type: Documentation
  url: https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/