Skip to content

Warn when the npm provenance source commit or repository cannot be found

npm will now check the linked source commit and repository when you view a package's provenance information on If the linked source commit or repository cannot be found, an error displays at the top of the page and alongside the provenance information to let you know that provenance for this package can no longer be established. This can happen when a repository is deleted or made private.

Note: In future releases, publishing a public package with provenance from a private source repository will not be allowed.

Read more about viewing npm provenance and publishing with provenance.

Today we are making further improvements to granular access tokens in npm.

Highlights of this update are

  • Custom Expiration Times: You can now create granular access tokens with custom expiration times, allowing for durations that span multiple years.
  • Increased Token Limit: We have expanded the maximum limit for granular access tokens creation to 1000. This enables maintainers with a large amount of packages to secure their publishing workflows more efficiently.

We recommend using granular access tokens with least privileges (for example one token per package) for automating your publishing and org management activities.

Read more about creating a granular access tokens here.

See more

We have added over 17.5 million new package licenses to our database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository's software bill of materials (SBOM). Package licenses dictate how a package can be used, making them an essential aspect of compliance when working with open source software.

These licenses are sourced from ClearlyDefined, a curated data store for open source licenses.

See more