As stewards of the npm registry, we take the security of npm seriously and have continued to introduce changes that improve the security and trustworthiness of the registry. Over the last several months we’ve announced several such changes, like requiring two-factor authentication, streamlined login, and enhanced signing of artifacts. These changes help protect open source consumers from software supply chain attacks; in other words, attacks in which malicious users try to spread malware by breaching a maintainer’s account and adding malicious code to open source dependencies that many developers use.
Today, we’re opening a new request for comments (RFC), which discusses linking a package with its source repository and its build environment. When package maintainers opt in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository.
Historically, linking packages back to the source code has been difficult because it required individual projects to register and manage their own cryptographic keys. A recent project from the Linux Foundation and Open Source Security Foundation (OpenSSF) called Sigstore has made this process easier and more secure than past methods by not requiring developers to manage long-lived cryptographic keys. The project has seen some early adoption with other package manager ecosystems. With today’s RFC, we are proposing to add support for end-to-end signing of npm packages using Sigstore. This process would include generating attestations about where, when, and how the package was authored, so that it can be verified later.
Securing the software supply chain is one of the biggest security challenges our industry faces right now. This proposal is an important next step, but truly solving this challenge will require commitment and investment across the community. We’re excited to hear your feedback and look forward to going on this journey together!