Philip Harrison

Results 7 issues of Philip Harrison

RFC for linking public npm packages to the source code repository and build it originated from. [View rendered version](https://github.com/npm/rfcs/blob/link-packages-to-source-and-build/accepted/0000-link-packages-to-source-and-build.md)

Agenda

Add a new CLI command `audit signatures` that verifies the npm signatures in a package's packument. It works on the current install. Signatures are only useful if people verify them....

ratify

I'm having a hard time trying to figure this out. So I'm using datalink and tmpl for an experiment shop thingy. Building the cart part with tmpl and liking some...

I'm getting all kinds of weird errors: http://snippie.net/snip/707f9bd2 Running the latest 1.9.1 stable release. cheers

### Version N/A ### Details We're working on a security improvement for packages published with provenance, `@modern-js` being one such package! 🙌 Context: The change will start blocking publishes that...

infra

👋 I've been looking at the [v1 actions spec](https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1) to see what we want to include in the provenance statement generated by the npm CLI in an untrusted workflow (when...

Could we version Fulcio certificates to make it easier to deal with old certificates that contain different cert extensions? ## Context Fulcio Certificates went through a significant change recently with...

enhancement