github.com/npm/cli.git
author    Philip Harrison <philip@mailharrison.com>  2022-07-11 20:49:21 +0300
committer GitHub <noreply@github.com>  2022-07-11 20:49:21 +0300
commit    f032e1c0ada062e2139c8f057b24abb1ce2e4a33 (patch)
tree      f2082b192509a9abee0f66bc3b1d80b46a5a1378 /docs/content
parent    ef8d2edd7da993f4086c85089952cd45834ac78b (diff)
feat: add npm audit signatures (#4827)
* feat: add npm audit signatures

Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/)

Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452))

This command will verify registry signatures stored in the packument against a public key on the registry.

Supporting:

- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
Diffstat (limited to 'docs/content')
-rw-r--r--  docs/content/commands/npm-audit.md  13
1 files changed, 12 insertions, 1 deletions
diff --git a/docs/content/commands/npm-audit.md b/docs/content/commands/npm-audit.md
index 9d09a4107..206a33f53 100644
--- a/docs/content/commands/npm-audit.md
+++ b/docs/content/commands/npm-audit.md
@@ -11,7 +11,7 @@ description: Run a security audit
<!-- see lib/commands/audit.js -->
```bash
-npm audit [fix]
+npm audit [fix|signatures]
```
<!-- automatically generated, do not edit manually -->
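Review bot: the usage line `npm audit [fix|signatures]` is edited by hand inside a block the file marks `<!-- automatically generated, do not edit manually -->` and that points at `lib/commands/audit.js` as its source. Unless the usage string is updated wherever that file defines it, the next docs regeneration will revert this line to `npm audit [fix]`; either confirm the change is also made in `lib/commands/audit.js` or regenerate the docs from there instead of patching the output.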
@@ -41,6 +41,17 @@ vulnerability is found. It may be useful in CI environments to include the
will cause the command to fail. This option does not filter the report
output, it simply changes the command's failure threshold.
+### Audit Signatures
+
+This command can also audit the integrity values of the packages in your
+tree against any signatures present in the registry they were downloaded
+from. npm will attempt to download the keys from `/-/npm/v1/keys` on
+each the registry used to download any given package. It will then
+check the `dist.signatures` object in the package itself, and verify the
+`sig` present there using the `keyid` there, matching it with a key
+returned from the registry. The command for this is `npm audit
+signatures`
+
### Audit Endpoints
There are two audit endpoints that npm may use to fetch vulnerability
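Review bot: in the new Audit Signatures section, `on each the registry used to download any given package` should read `on each registry used to download any given package`, and the closing sentence ``The command for this is `npm audit signatures` `` has no full stop. The section also documents only the success path: the commit message says the command errors when a registry returns keys but a package has no signature, errors on an invalid signature, and checks that keys have not expired, so those outcomes should be stated here so users know which conditions the audit treats as errors.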