GitHub has introduced provenance for npm packages on GitHub Actions. By using a special provenance flag, package maintainers can give consumers confidence that the outputted package was built using the linked source repository. With the npm package manager, developers that work with JavaScript can use thousand of packages to add new features and functionality to their projects.
To help illustrate why this development is useful, GitHub said most people wouldn’t plug a random USB into their computer in case it had malware. It’s the same with packages found on npm. While the code may be open-source, you don’t actually know if the package was built from that source code. With provenance, the npm packages can be linked to the source code.
According to GitHub, over the past few years, attackers have performed attacks against popular npm packages such as UAParser.js, Command-Option-Argument, and rc. It said these attacks don’t compromise the source code directly but instead use compromised credentials to publish a malicious version of the package. By actually linking the published package and the source code, consumers can be more sure that they’re installing trusted software.
If you want to delve deeper into the nitty gritty details of npm provenance, be sure to check out GitHub’s blog post.
0 Comments - Add comment