Commit 3ae53e4
feat: add npm audit signatures
Implements [RFC: Improve signature verification](npm/rfcs#550)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](#3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
Co-authored-by: Michael Garvin <wraithgar@github.com>
1 parent 0ce09f1
File tree
5 files changed: +2071 -9 lines changed
- lib/commands
- tap-snapshots/test/lib/commands
- test/lib/commands