Add provenance signature to @lwc packages #4638

Open
AllanOricil opened this issue Oct 15, 2024 · 1 comment


AllanOricil commented Oct 15, 2024

Other important packages published to npm, like vue, started adding this npm feature called "provenance" in their published packages.

https://docs.npmjs.com/generating-provenance-statements

Vue
https://www.npmjs.com/package/vue#provenance

https://blog.deps.dev/npm-provenance/

It improves trust because developers can now know for sure the source that was used for building that published package.

I took a look at your workflows and couldn't find a release workflow. If you are not releasing it in GitHub or GitLab, you can't use this feature, according to npm docs.


wjhsf commented Oct 15, 2024

We currently use an internal tool for publishing releases. It does not support provenance. We may be migrating to a new tool at some point in the coming months. I don't know whether the new tool will have the ability, but we will use it if available.
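
For reference, a GitHub Actions publishing job of the kind the npm documentation linked in the issue describes. This is an added example, not part of the thread and not taken from the lwc repository; the workflow file name, the Node version and the `NPM_TOKEN` secret name are assumptions.

```yaml
# Hypothetical file: .github/workflows/release.yml (not from the lwc repository)
name: release

on:
  release:
    types: [published]

# Default to read-only; the publish job opts in to the one extra permission it needs.
permissions:
  contents: read

jobs:
  publish:
    # Provenance is generated on a cloud-hosted runner, not a self-hosted one.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets the job request the OIDC token that ties the provenance
      # statement to this repository, workflow and commit.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumed; needs npm 9.5.0 or newer
          registry-url: https://registry.npmjs.org

      - run: npm ci

      # package.json "repository" must point at this repository,
      # otherwise the registry rejects the provenance statement.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Consumers can check the registry signatures and provenance attestations of their installed dependencies with `npm audit signatures`.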
