Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
shakna 3 days ago

PyPI is working towards attestation [0], and already has "Trusted Publisher" [1].

Ruby has had signed gems since v2 [2].

These aren't a panacea. But they do mean an effort has been made.

npm has been talking about maybe doing something since 2013 [3], but ended up doing... Nothing. [4]

I don't think it's fair to compare npm to the others.

[0] https://docs.pypi.org/attestations/producing-attestations/

[1] https://docs.pypi.org/trusted-publishers/

[2] https://docs.ruby-lang.org/en/master/Gem/Security.html

[3] https://github.com/npm/npm/pull/4016

[4] https://github.com/node-forward/discussions/issues/29

madeofpalk 3 days ago | parent [-]

NPM has both Trusted Publishing and provenance claims for where packages are built.

https://docs.npmjs.com/trusted-publishers

https://docs.npmjs.com/generating-provenance-statements

Trusted Publishing is relatively new - GA-ed in July https://github.blog/changelog/2025-07-31-npm-trusted-publish...

otterley 3 days ago | parent [-]

Trusted Publishing is a marketing term—a fancy name for OIDC support and temporary auth token issuance. It delegates authenticating the uploader to their identity provider, nothing more.

In a very real sense, it shifts responsibility to someone else. For example, if the uploader was using Google as their identity provider and their Google account was popped, the attacker would be able to impersonate the uploader. So I wouldn’t describe it as establishing a strong trust relationship with the uploader.

It only meaningfully improves the security of the NPM ecosystem if (a) everyone is forced to sign packages and (b) identity providers require more secure authentication methods with as hardware tokens or passkeys.