author | Philip Harrison <philip@mailharrison.com> | 2022-07-11 20:49:21 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-11 20:49:21 +0300 |
commit | f032e1c0ada062e2139c8f057b24abb1ce2e4a33 (patch) | |
tree | f2082b192509a9abee0f66bc3b1d80b46a5a1378 /package.json | |
parent | ef8d2edd7da993f4086c85089952cd45834ac78b (diff) |
feat: add npm audit signatures (#4827)
* feat: add npm audit signatures
Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
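The checks listed in the commit message, sketched as an added example that is not code from this commit or from npm: it tells apart a verified signature, a missing one, an invalid one, and a registry that publishes no keys. Assumptions not on the page: the field names `keyid`, `sig`, `expires`, `key` and `integrity`, the signed payload `name@version:integrity`, ECDSA P-256 keys, and an expiry check simplified to a comparison with the current time. The key pair, key ids and package data are constructed for the demo.

```javascript
// Added illustration, not npm's implementation; field names and payload are assumptions.
const crypto = require('node:crypto');

// Constructed stand-in for a registry signing key (ECDSA P-256).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const spki = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');

// Constructed response of host/-/npm/v1/keys: one live key and one expired key.
const registryKeys = [
  { keyid: 'SHA256:live', expires: null, key: spki },
  { keyid: 'SHA256:old', expires: '2020-01-01T00:00:00.000Z', key: spki },
];

// Assumed signed payload: name@version:integrity.
const payload = (name, version, dist) => `${name}@${version}:${dist.integrity}`;
const sign = (name, version, dist) =>
  crypto.createSign('SHA256').update(payload(name, version, dist)).sign(privateKey, 'base64');

// Returns 'verified', 'missing', 'invalid' or 'unsupported' for one packument version.
function checkSignatures(name, version, dist, keys, now = new Date()) {
  if (keys.length === 0) return 'unsupported'; // registry publishes no keys
  const sigs = dist.signatures || [];
  if (sigs.length === 0) return 'missing'; // keys exist, so a signature is required
  for (const { keyid, sig } of sigs) {
    const k = keys.find((candidate) => candidate.keyid === keyid);
    if (!k) return 'invalid'; // signed with a key the registry does not list
    if (k.expires && new Date(k.expires) <= now) return 'invalid'; // expired key
    const pub = crypto.createPublicKey({ key: Buffer.from(k.key, 'base64'), format: 'der', type: 'spki' });
    const ok = crypto.createVerify('SHA256').update(payload(name, version, dist)).verify(pub, sig, 'base64');
    if (!ok) return 'invalid'; // signature does not match name, version and integrity
  }
  return 'verified';
}

// Constructed packument `dist` objects for a hypothetical package demo-pkg@1.0.0.
const unsigned = { integrity: 'sha512-CONSTRUCTED-INTEGRITY-VALUE' };
const sig = sign('demo-pkg', '1.0.0', unsigned);
const good = { ...unsigned, signatures: [{ keyid: 'SHA256:live', sig }] };
const tampered = { ...good, integrity: 'sha512-DIFFERENT-CONSTRUCTED-VALUE' };
const expired = { ...unsigned, signatures: [{ keyid: 'SHA256:old', sig }] };

for (const [label, dist] of Object.entries({ good, tampered, unsigned, expired })) {
  console.log(label, checkSignatures('demo-pkg', '1.0.0', dist, registryKeys));
}
```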
Diffstat (limited to 'package.json')
-rw-r--r-- | package.json | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/package.json b/package.json index 95afa528f..77e1d0829 100644 --- a/package.json +++ b/package.json @@ -107,6 +107,7 @@ "npm-user-validate": "^1.0.1", "npmlog": "^6.0.2", "opener": "^1.5.2", + "p-map": "^4.0.0", "pacote": "^13.6.1", "parse-conflict-json": "^2.0.2", "proc-log": "^2.0.1", @@ -179,6 +180,7 @@ "npm-user-validate", "npmlog", "opener", + "p-map", "pacote", "parse-conflict-json", "proc-log", |
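Review bot: the `"p-map": "^4.0.0"` line added in the first hunk (@@ -107,6 +107,7) introduces a new runtime dependency that the commit message never names or justifies. The message lists what `npm audit signatures` checks but not which step needs p-map, so say that in the message; a dependency that sits on the signature verification path should have a stated purpose a later reviewer can audit against. The second hunk (@@ -179,6 +180,7) adds the same name to the list of bare package names, so the two entries have to be changed together if the dependency is ever replaced or dropped.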