A new npm `audit signatures` command to verify npm package integrity

The public npm registry is migrating away from the existing PGP signatures to ECDSA signatures that are more compact and can be verified without extra dependencies in the npm CLI.

Ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, by verifying the registry signatures of downloaded packages using the following npm CLI command:

`npm audit signatures`

The CLI will exit with an error if any packages have missing or invalid signatures, which could indicate that those packages have been tampered with.

Read more about this feature in our documentation: about registry signatures.
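
To show what the command checks, here is an added example (not npm's own code) that verifies one ECDSA registry signature using only Node's built-in crypto module. It assumes the scheme from npm's registry signatures documentation, where the signature covers `name@version:integrity`; the key pair, key id and package are constructed for the example, and key expiry is not handled.

```javascript
const nodeCrypto = require('node:crypto');

// Returns 'valid', 'missing', 'unknown-key' or 'invalid' for one packument version.
// registryKeys has the shape of the "keys" array a registry publishes at /-/npm/v1/keys.
function verifyRegistrySignature(pkg, registryKeys) {
  const { integrity, signatures = [] } = pkg.dist;
  if (signatures.length === 0) return 'missing';
  // The signed message binds the tarball hash to this exact name and version.
  const message = Buffer.from(`${pkg.name}@${pkg.version}:${integrity}`);
  for (const { keyid, sig } of signatures) {
    const entry = registryKeys.find((k) => k.keyid === keyid);
    if (!entry) return 'unknown-key'; // fail closed: never skip a signature we cannot check
    const publicKey = nodeCrypto.createPublicKey({
      key: Buffer.from(entry.key, 'base64'), format: 'der', type: 'spki',
    });
    // ECDSA P-256 over SHA-256; sig is a base64 DER-encoded signature.
    if (!nodeCrypto.verify('sha256', message, publicKey, Buffer.from(sig, 'base64'))) return 'invalid';
  }
  return 'valid';
}

// Constructed sample: a throwaway key pair stands in for the registry's signing key.
function signedSample() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const keyid = 'SHA256:constructed-example-key';
  const keys = [{ keyid, keytype: 'ecdsa-sha2-nistp256', scheme: 'ecdsa-sha2-nistp256',
    key: publicKey.export({ type: 'spki', format: 'der' }).toString('base64') }];
  const integrity = 'sha512-' + nodeCrypto.createHash('sha512').update('constructed tarball bytes').digest('base64');
  const pkg = { name: 'example-pkg', version: '1.0.0', dist: { integrity } };
  const sig = nodeCrypto.sign('sha256', Buffer.from(`${pkg.name}@${pkg.version}:${integrity}`), privateKey);
  pkg.dist.signatures = [{ keyid, sig: sig.toString('base64') }];
  return { pkg, keys };
}

const demo = signedSample();
console.log('as published:', verifyRegistrySignature(demo.pkg, demo.keys));
// Same signature, different tarball hash: the check must fail.
const swapped = { ...demo.pkg, dist: { ...demo.pkg.dist, integrity: 'sha512-' + Buffer.from('other tarball').toString('base64') } };
console.log('tarball hash swapped:', verifyRegistrySignature(swapped, demo.keys));
```

Because the version is part of the signed message, a valid signature for one release cannot be replayed onto another release of the same package.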

The macOS 10.15 Actions runner image entered our deprecation process on 5/31/22 and will be fully unsupported by 8/30/22. To raise awareness of the upcoming removal, jobs using macOS 10.15 will temporarily fail during the scheduled time periods listed below:

  • July 21, 12:00 UTC – July 22, 18:00 UTC
  • July 27, 00:00 UTC – July 28, 00:00 UTC
  • August 3, 00:00 UTC – August 4, 00:00 UTC
  • August 15, 00:00 UTC – August 16, 00:00 UTC
  • August 26, 00:00 UTC – August 27, 00:00 UTC

What you need to do

Workflows using the macos-10.15 YAML workflow label should be updated to macos-11, macos-12, or macos-latest. You can always get up-to-date information on our tools by reading about the software in GitHub Actions virtual environments. Please contact GitHub Support if you run into any problems or need help.