The public npm registry is migrating away from the existing PGP signatures to ECDSA signatures that are more compact and can be verified without extra dependencies in the npm CLI.
To verify the integrity of packages downloaded from the public npm registry, or from any registry that supports signatures, check their registry signatures with the following npm CLI command:
npm audit signatures
The CLI exits with an error if any package has a missing or invalid signature, which may indicate that the package has been tampered with.
Read more about this feature in our documentation: about registry signatures.