GitHub debuts pedigree check for npm packages via Actions

2023-04-19 16:00

Developers who use GitHub Actions to build software packages for the npm registry can now add a command flag that will publish details about the code's origin.

It's often used by software developers to mechanize the build process for packages distributed through the company's npm registry, which hosts more than two million of these modular libraries.

Some of the packages inside may be malicious, so GitHub is offering a way to add more visibility into how packages came to be.

"Starting today, when you build your npm projects on GitHub Actions, you can publish provenance alongside your package by including the -provenance flag," explain software engineers Brian DeHamer and Philip Harrison in a blog post provided to The Register.

"In order to increase the level of trust you have in the npm packages you download from the registry you must have visibility into the process by which the source was translated into the published artifact," write DeHamer and Harrison.

Package signing involves a key managed by the maintainer, but GitHub's provenance attestation is tied to GitHub Actions.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/04/19/github_actions_npm_origins/

#github #NPM

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Github		12	3	42	30	15	90