You can generate provenance statements for the packages you publish. This allows you to publicly establish where a package was built and who published a package, which can increase supply-chain security for your packages.

About npm provenance

npm provenance includes two types of attestations:

  • Provenance attestation
  • Publish attestation

The provenance attestation is established by publicly providing a link to a package's source code and build instructions from the build environment. This allows developers to verify where and how your package was built before they download it.

Publish attestations are generated by the registry when a package is published by an authorized user. When an npm package is published with provenance, it is signed by Sigstore public good servers and logged in a public transparency ledger, where users can view this information.

About Sigstore

Sigstore is a collection of tools and services aimed at making it easy to use short-lived, ephemeral certificates to sign software. Its three main components are a CLI tool, a certificate authority, and a time-stamping transparency log.

The certificate authority federates with any OIDC provider that includes verifiable build information. It acts as an intermediary between build systems and package registries by verifying the integrity of the OIDC token, issues a signing certificate that contains that build information, and then logging the signing certificate to an immutable ledger.

The transparency log service provides a public, verifiable, tamper-evident ledger of signed attestations. This ensures transparency of the public service, as well as providing a way to detect attempts to tamper with a package if a package registry were to be compromised.

Provenance limitations

  • To publish a package with provenance, you must build your package with a supported cloud CI/CD provider using a cloud-hosted runner. Today this includes GitHub Actions and GitLab CI/CD.
  • When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not. For more information, see "Searching for and choosing packages to download."

Prerequisites

Before you can publish your packages with provenance, you must:

Publishing packages with provenance via GitHub Actions

In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitHub Actions is a supported CI/CD platform that allows you to automate software development tasks. For more information, see GitHub Actions in the GitHub documentation.

To update your GitHub Actions workflow to publish your packages with provenance, you must:

  • Give permission to mint an ID-token:

    permissions:
    id-token: write
  • Run on a GitHub-hosted runner:

    runs-on: ubuntu-latest
  • Add the --provenance flag to your publish command:

    npm publish --provenance
  • If you are publishing a package for the first time you will also need to explicitly set access to public:

    npm publish --provenance --access public

Example GitHub Actions workflow

This example workflow publishes a package to the npm registry with provenance.

name: Publish Package to npmjs
on:
release:
types: [created]
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '18.x'
registry-url: 'https://registry.npmjs.org'
- run: npm install -g npm
- run: npm ci
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Example GitLab CI job

This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don’t forget to define the NPM_TOKEN variable in your GitLab project settings.

publish:
image: 'node:20'
rules:
- if: $CI_COMMIT_TAG
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
script:
- npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
- npm publish --provenance --access public

Using third-party package publishing tools

If you publish your packages with tools that do not directly invoke the npm publish command, you can do one of the following in your GitHub Actions workflow to publish your packages with provenance.

  • Configure environment variables: In your GitHub Actions workflow, you can use an environment variable called NPM_CONFIG_PROVENANCE, and set it to true.
  • Configure your package.json file: You can add a publishConfig block to your package.json file:
    "publishConfig": {
    "provenance": true
    },
  • Add an .npmrc file: You can add an .npmrc file to your project with the following entry:
    provenance=true

Note: At this time, yarn is not a supported tool for publishing your packages with provenance.

Publishing packages with provenance via GitLab CI/CD

In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitLab CI/CD is a supported CI/CD platform that allows you to automate software development tasks. For more information, see Generating provenance in GitLab CI/CD in the GitLab documentation.

Verifying provenance attestations

You can use the verify the provenance attestations of downloaded packages with the following audit command:

npm audit signatures

Example response showing the count of verified registry signatures and verified attestations for all of the packages in a project:

audited 1267 packages in 6s
1267 packages have verified registry signatures
74 packages have verified attestations

Because provenance attestations are such a new feature, security features may be added to (or changed in) the attestation format over time. To ensure that you're always able to verify attestation signatures check that you're running the latest version of the npm CLI. Please note this often means updating npm beyond the version that ships with Node.js.