
How easy is it to publish NPM packages with SLSA attestations? #11

Open
aaronshim opened this issue Jan 29, 2025 · 0 comments
Labels
question Further information is requested

Comments

aaronshim (Collaborator) commented Jan 29, 2025

We mention SLSA attestations as a mitigation for supply chain attacks in our library guidelines. We know that there is also external marketing of NPM compatibility with SLSA.

Anecdotally, we have run into some difficulties with publishing NPM packages with SLSA attestations when they are not built with the GitHub Actions runner, so developers who want to use other trusted builders to publish to NPM may have difficulty following this suggestion.

Is this something we can discuss in a future meeting? (Perhaps our role in making sure these ecosystem solutions/technologies are actually usable in practice.) Perhaps this is something the members in the group can escalate with their colleagues to get many of these cloud providers, and mostly NPM, to prioritize supporting this?

@aaronshim aaronshim added the question Further information is requested label Jan 29, 2025