jakub_g 6 hours ago
Actually, npm supports "provenance" and as it eliminated long-lived access tokens for publishing, it encourages people to use "trusted publishing" which over time should make the majority of packages be auto-provenance-verified. https://docs.npmjs.com/trusted-publishers#automatic-provenan...
btown an hour ago
Unless the Chrome web store integrates with this, it puts the onus on users to continuously scan extension updates for hash mismatches with the public extension builds, which isn't standardized. And even then this would be after an update is unpacked, which may not run in time to prevent initial execution. Nor does it prevent a supply chain attack on the code running in the GitHub Action for the build, especially if dependencies aren't pinned. There's no free lunch here.
smithza 3 hours ago
Key word: "encourages". When someone uses `npm install/add/whatever-verb`, does it default to only using trusted publishing sources? And the dependency graph? Either 100% enforcement or it won't stick, and these attack vulnerabilities are still there.
elashri 6 hours ago
PyPI also added this last year [1] and is encouraging people to use trusted publishing as well.