madeofpalk 3 days ago

NPM has both Trusted Publishing and provenance claims for where packages are built.

https://docs.npmjs.com/trusted-publishers

https://docs.npmjs.com/generating-provenance-statements

Trusted Publishing is relatively new - GA-ed in July https://github.blog/changelog/2025-07-31-npm-trusted-publish...

otterley 3 days ago

Trusted Publishing is a marketing term—a fancy name for OIDC support and temporary auth token issuance. It delegates authenticating the uploader to their identity provider, nothing more.

In a very real sense, it shifts responsibility to someone else. For example, if the uploader was using Google as their identity provider and their Google account was popped, the attacker would be able to impersonate the uploader. So I wouldn’t describe it as establishing a strong trust relationship with the uploader.

It only meaningfully improves the security of the NPM ecosystem if (a) everyone is forced to sign packages and (b) identity providers require more secure authentication methods such as hardware tokens or passkeys.
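For concreteness, this is what the OIDC flow described above looks like from the publisher's side. It is an added example workflow, not from the thread or from npm's documentation, and it assumes the package's trusted publisher on npmjs.com has been configured to this repository and this workflow filename, and that the npm CLI in the job is recent enough to support trusted publishing (hence the upgrade step). There is no `NPM_TOKEN` secret anywhere: the job's short-lived GitHub OIDC token, whose claims name the repository and workflow, is exchanged for a temporary registry credential, which is exactly the delegation to the identity provider the comment describes.

```yaml
# .github/workflows/publish.yml  (added example, not from the thread)
# Assumes a trusted publisher for this package is configured on npmjs.com
# pointing at this repository and this workflow file.
name: publish
on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write   # required: lets the job request the OIDC token that npm exchanges for a publish credential

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs a recent npm CLI
      - run: npm ci
      # No token in env: the CLI authenticates with the job's OIDC identity.
      # --provenance attaches the signed build record (repo, workflow, ref).
      - run: npm publish --provenance --access public
```

The weak configuration this replaces is the same workflow with `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` and no `id-token: write`: a long-lived token that anyone who reads the repository's secrets can reuse from anywhere, with nothing binding the publish to a particular workflow run.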