Lightweight utility to verify if an npm package was published via a Trusted Publisher (OIDC/Provenance).
is-verified-pkg provides a programmatic and command-line interface to check for Sigstore attestations and OIDC Provenance on npm packages. This allows developers to verify that a package was built and published from a trusted CI/CD environment (like GitHub Actions) rather than a local machine.
## Features

- Zero Dependencies: Uses native `fetch` and `AbortController`.
- Dual-Stack: Full support for ESM (`.mjs`) and CommonJS (`.cjs`).
- Optimized: Sub-1KB footprint with mangled internal logic.
- CLI Included: Colorized terminal output with appropriate exit codes for CI/CD.
- Type Safe: Includes minified `.d.mts` and `.d.cts` definitions.
## Installation

```bash
npm install is-verified-pkg
```

## CLI Usage

The CLI is designed for integration into build pipelines. It returns exit code `0` if the package is verified and `1` if it is unverified or an error occurs.

```bash
# Check latest version
npx is-verified-pkg <package-name>

# Check specific version
npx is-verified-pkg <package-name> <version>
```

## Usage

### ESM

```js
import { isVerified } from 'is-verified-pkg';

// Checks the latest published version of esbuild
const ok = await isVerified('esbuild');
if (ok) {
  console.log('Package is verified via OIDC');
}
```

### CommonJS

```js
const { isVerified } = require('is-verified-pkg');

// Checks a specific version of zod
isVerified('zod', '3.22.0').then(verified => {
  if (verified) console.log('Secure provenance found');
});
```

## API

### `isVerified(name, version?)`

- `name` `<string>`: The npm package name (e.g., `react` or `@scope/pkg`).
- `version` `<string>`: The version to check. Defaults to `latest`.
- Returns: `Promise<boolean>`: `true` if the package contains `trustedPublisher` metadata or a `sigstore.bundle` attestation.
## How It Works

The utility queries the npm registry metadata for the specified version and validates three primary fields:

- `pkg.trustedPublisher`: Direct OIDC link.
- `pkg.dist.attestations`: Presence of a Sigstore bundle.
- `pkg._npmUser.trustedPublisher`: User-level publisher trust.
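The following is an added example, not code from is-verified-pkg itself, illustrating both the `isVerified` contract from the API section and the three-field check described above. It runs the check over constructed registry documents (so it works offline) and shows how a native `fetch` call with an `AbortController` timeout could feed the same logic. The function names `isVerifiedFromMetadata` and `isVerifiedRemote`, the sample documents and the 5-second timeout are assumptions of this example, not the library's API.

```javascript
// Added example, not the project's own code. It reproduces the three-field
// metadata check described in "How It Works" against constructed registry
// documents so it runs offline, and shows how a native fetch call with an
// AbortController timeout could feed the same check. Function names, the
// sample documents and the 5 s timeout are assumptions of this example.

// Pure check over one version document, i.e. the JSON the registry returns for
// https://registry.npmjs.org/<name>/<version> (field names taken from the README).
function isVerifiedFromMetadata(pkg) {
  if (!pkg || typeof pkg !== 'object') return false;

  // 1. Direct OIDC link recorded on the version document.
  if (pkg.trustedPublisher) return true;

  // 2. The registry advertises a Sigstore bundle for this version.
  if (pkg.dist && pkg.dist.attestations) return true;

  // 3. User-level trust on the publishing account.
  if (pkg._npmUser && pkg._npmUser.trustedPublisher) return true;

  return false;
}

// Fetch the version document and run the check. Any network failure, timeout,
// non-2xx response or unparsable body is reported as "unverified" so a CI gate
// fails closed rather than open.
async function isVerifiedRemote(name, version = 'latest', timeoutMs = 5000) {
  // Scoped names keep the "@" but escape the slash, as npm itself does.
  const path = name.replace('/', '%2F');
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetch(`https://registry.npmjs.org/${path}/${version}`, {
      signal: controller.signal,
      headers: { accept: 'application/json' },
    });
    if (!res.ok) return false;
    return isVerifiedFromMetadata(await res.json());
  } catch {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample documents (not real registry responses) covering each
// branch of the check plus a plain publish from a local machine.
const SAMPLE_DOCS = {
  attested: {
    name: 'example-a', version: '1.0.0',
    dist: {
      tarball: 'https://registry.npmjs.org/example-a/-/example-a-1.0.0.tgz',
      attestations: {
        url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-a@1.0.0',
        provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
      },
    },
  },
  trusted: {
    name: 'example-b', version: '2.0.0',
    trustedPublisher: { id: 'github' },
    dist: { tarball: 'https://registry.npmjs.org/example-b/-/example-b-2.0.0.tgz' },
  },
  userTrusted: {
    name: 'example-c', version: '0.1.0',
    dist: { tarball: 'https://registry.npmjs.org/example-c/-/example-c-0.1.0.tgz' },
    _npmUser: { name: 'release-bot', trustedPublisher: { id: 'github' } },
  },
  plain: {
    name: 'example-d', version: '1.2.3',
    dist: { tarball: 'https://registry.npmjs.org/example-d/-/example-d-1.2.3.tgz' },
    _npmUser: { name: 'alice' },
  },
};

// Run the offline check over every sample and return the results as a map.
function checkSamples() {
  const out = {};
  for (const [label, doc] of Object.entries(SAMPLE_DOCS)) {
    out[label] = isVerifiedFromMetadata(doc);
  }
  return out;
}

for (const [label, ok] of Object.entries(checkSamples())) {
  console.log(`${label}: ${ok ? 'verified' : 'unverified'}`);
}
```

Two points worth keeping in mind when relying on this kind of check. First, `isVerifiedRemote` treats every failure (timeout, HTTP error, malformed JSON) as `false`, which is the right default for a pipeline gate. Second, a present `dist.attestations` field means the registry reports that a Sigstore bundle exists for the version; it does not verify the bundle's signature or its transparency-log entry. For that cryptographic step on an installed tree, npm's built-in `npm audit signatures` verifies registry signatures and provenance attestations.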
## Development

```bash
bun install     # Install devDependencies
bun run build   # Generate dist/ artifacts
bun run test    # Run test suite
```

## License

MIT