Add provenance signature to @lwc packages #4638
We currently use an internal tool for publishing releases. It does not support provenance. We may be migrating to a new tool at some point in the coming months. I don't know whether the new tool will have the ability, but we will use it if available.
Other important packages published to npm, like vue, started adding this npm feature called "provenance" in their published packages.
https://docs.npmjs.com/generating-provenance-statements
Vue
https://www.npmjs.com/package/vue#provenance
https://blog.deps.dev/npm-provenance/
It improves trust because developers can know for sure the source that was used for building that published package.
I took a look at your workflows and couldn't find a release workflow. If you are not releasing it in GitHub or GitLab, you can't use this feature, according to npm docs.
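
An added example, not part of the original issue and not the lwc project's own release process: a GitHub Actions release workflow of the kind the npm documentation linked above describes, publishing a single package with a provenance statement. The workflow name, the release trigger, the Node version, and the `NPM_TOKEN` secret name are assumptions.

```yaml
# Hypothetical release workflow (added example; not the lwc project's pipeline).
name: publish-with-provenance
on:
  release:
    types: [published]

permissions:
  contents: read    # check out the source, nothing more
  id-token: write   # lets the job request the OIDC token used to sign the provenance statement

jobs:
  publish:
    runs-on: ubuntu-latest   # provenance needs a cloud-hosted runner, not a self-hosted one
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # The "repository" field in package.json must point at the repository
      # running this workflow, otherwise the registry rejects the publish.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Consumers can check the registry signatures and provenance attestations of their installed dependencies with `npm audit signatures`.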