
NPM has support for GitHub CI provenance. So you can verify that the package on npm was built on the GitHub Actions of the repo mentioned in npm.



I saw, nice

It seems to not check it automatically, though?


Yeah, you have to set the provenance flag to true.

  # publish step of the job; the job also needs `permissions: id-token: write`
  # so the runner can obtain the OIDC token that provenance signing relies on
  - uses: JS-DevTools/npm-publish@v2
    with:
      token: ${{ secrets.NPM_TOKEN }}
      access: public
      provenance: true
For example
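The thread's point, that the registry can attest which repository's GitHub Actions built a package, is only useful if something actually compares the attestation against the repository the package claims. The following Python is an added example, not code from the thread or from npm: it takes a DSSE envelope of the kind npm's attestation endpoint serves, decodes the in-toto statement inside, and runs the policy checks a defender wants (subject and digest match the package, builder is a GitHub-hosted runner, the workflow repository and the checked-out source match `package.json`'s `repository`). Signature verification is deliberately left to `npm audit signatures` / Sigstore. The field paths follow the SLSA v1 predicate, the builder id prefix and the purl encoding of scoped names are assumptions, and the statement, `package.json` and digest below are constructed samples.

```python
import base64
import json
import re
from urllib.parse import quote

SLSA_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO = "application/vnd.in-toto+json"
# Assumption: builder ids for GitHub-hosted runners start with this string.
GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"


def normalize_repo(repo):
    """Reduce the many package.json 'repository' spellings to host/owner/name."""
    if isinstance(repo, dict):
        repo = repo.get("url", "")
    repo = repo.strip()
    if repo.startswith("github:"):                    # github:owner/name shorthand
        repo = "https://github.com/" + repo[len("github:"):]
    elif re.fullmatch(r"[\w.-]+/[\w.-]+", repo):      # bare owner/name
        repo = "https://github.com/" + repo
    repo = re.sub(r"^git\+", "", repo)
    repo = re.sub(r"^git@github\.com:", "https://github.com/", repo)
    repo = re.sub(r"\.git$", "", repo)
    repo = re.sub(r"^https?://", "", repo)
    return repo.rstrip("/").lower()


def decode_envelope(envelope):
    """Unwrap the DSSE envelope; the signature is assumed already verified."""
    if envelope.get("payloadType") != IN_TOTO:
        raise ValueError("unexpected payloadType %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(envelope, package_json, version, tarball_sha512_hex):
    """Return a list of policy failures; an empty list means the statement matches."""
    failures = []
    stmt = decode_envelope(envelope)
    if stmt.get("predicateType") != SLSA_V1:
        return ["predicateType is %r, expected SLSA v1" % stmt.get("predicateType")]
    # Assumption: npm names the subject as a purl with the scoped name percent-encoded.
    expected_subject = "pkg:npm/%s@%s" % (quote(package_json["name"], safe=""), version)
    subjects = {s["name"]: s.get("digest", {}) for s in stmt.get("subject", [])}
    digest = subjects.get(expected_subject)
    if digest is None:
        failures.append("subject %s not attested" % expected_subject)
    elif digest.get("sha512", "").lower() != tarball_sha512_hex.lower():
        failures.append("tarball digest mismatch")
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(GITHUB_HOSTED_BUILDER):
        failures.append("builder %r is not a GitHub-hosted runner" % builder)
    build = pred.get("buildDefinition", {})
    workflow = build.get("externalParameters", {}).get("workflow", {})
    declared = normalize_repo(package_json.get("repository", ""))
    attested = normalize_repo(workflow.get("repository", ""))
    if not declared or attested != declared:
        failures.append("built from %r but package.json declares %r" % (attested, declared))
    # The checked-out source is recorded as git+<repo>@refs/...; compare the repo part.
    sources = [normalize_repo(d.get("uri", "").split("@refs/")[0])
               for d in build.get("resolvedDependencies", [])]
    if declared not in sources:
        failures.append("source checkouts %r do not include the declared repo" % sources)
    return failures


def make_envelope(statement):
    """Wrap a statement the way DSSE does (constructed sample, no signature)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": IN_TOTO, "payload": payload, "signatures": []}


# Constructed sample data: a fake scoped package and the statement its build would emit.
SAMPLE_DIGEST = "ab" * 64
SAMPLE_PACKAGE_JSON = {"name": "@example/widget", "version": "1.2.3",
                       "repository": {"type": "git",
                                      "url": "git+https://github.com/example-org/widget.git"}}
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40example%2Fwidget@1.2.3", "digest": {"sha512": SAMPLE_DIGEST}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "externalParameters": {"workflow": {"ref": "refs/tags/v1.2.3",
                                                "repository": "https://github.com/example-org/widget",
                                                "path": ".github/workflows/publish.yml"}},
            "resolvedDependencies": [{"uri": "git+https://github.com/example-org/widget@refs/tags/v1.2.3",
                                      "digest": {"gitCommit": "0" * 40}}]},
        "runDetails": {"builder": {"id": GITHUB_HOSTED_BUILDER}}}}


def demo():
    """Genuine statement passes; one whose workflow repo points elsewhere fails."""
    ok = check_provenance(make_envelope(SAMPLE_STATEMENT), SAMPLE_PACKAGE_JSON, "1.2.3", SAMPLE_DIGEST)
    tampered = json.loads(json.dumps(SAMPLE_STATEMENT))
    tampered["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"] = \
        "https://github.com/someone-else/widget"
    bad = check_provenance(make_envelope(tampered), SAMPLE_PACKAGE_JSON, "1.2.3", SAMPLE_DIGEST)
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The repository comparison is the part that catches a package whose `package.json` points at a well-known project while the attested build ran somewhere else; the digest comparison ties the statement to the exact tarball in your lockfile. In practice you would feed `check_provenance` the envelope obtained from the registry's attestation response after Sigstore has verified its signature and certificate identity.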


