Justin Hutchings
Director of Product Management for supply chain security. I manage the team that's behind Dependabot, the Advisory Database, and the dependency graph. Twitter: https://twitter.com/jhutchings0
Supply chain attacks exploit our implicit trust of open source to hurt developers and our customers. Read our proposal for how npm will significantly reduce supply chain attacks by signing packages with Sigstore.
As stewards of the npm registry, we take the security of npm seriously and have continued to introduce a number of changes to improve the security and trustworthiness of the registry. We’ve announced a number of changes over the last several months to improve the security of npm, like requiring two-factor authentication, streamlined login, and enhanced signing of artifacts. These changes help protect open source consumers from software supply chain attacks; in other words, when malicious users try to spread malware by breaching a maintainer’s account and adding malicious software to open source dependencies that many developers use.
Today, we’re opening a new request for comments (RFC), which discusses linking a package with its source repository and its build environment. When package maintainers opt-in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository.
Historically, linking packages back to the source code has been difficult because it required individual projects to register and manage their own cryptographic keys. A recent project from the Linux Foundation and Open Source Security Foundation (OpenSSF) called Sigstore has made this process easier and more secure than past methods by not requiring developers to manage long-lived cryptographic keys. The project has seen some early adoption with other package manager ecosystems. With today’s RFC, we are proposing to add support for end-to-end signing of npm packages using Sigstore. This process would include generating attestations about where, when, and how the package was authored, so that it can be verified later.
Securing the software supply chain is one of the biggest security challenges our industry faces right now. This proposal is an important next step, but truly solving this challenge will require commitment and investment across the community. We’re excited to hear your feedback and look forward to going on this journey together!
GitHub had over 14,000 repositories. Fewer than half had clear ownership. Here’s how we gave every active repository a validated owner in under 45 days, archived the rest, and made ownership the foundation for everything that followed.
GitHub had 20,000+ secret scanning alerts across 15,000 repositories. Here’s how we separated signal from noise, built remediation workflows, and reached inbox zero in nine months.
These six free settings will not make your project unhackable. Nothing will. What they will do is close the easy doors. Turn these on, and your project will be meaningfully harder to attack than it was before.