npm (https://www.npmjs.com/), the JavaScript package manager and the default package manager for the JavaScript runtime environment Node.js (https://nodejs.org/), needs all the security help it can get. WhiteSource (https://www.whitesourcesoftware.com/), a leading open source security provider, recently claimed as much in a piece asking whether npm is a hotbed of malware (https://thenewstack.io/is-npm-a-hotbed-of-malware/).

While Hutchings isn't ordering npm to adopt the Linux Foundation and OpenSSF's (https://openssf.org/) Sigstore (https://www.sigstore.dev/) for signing source code, he strongly encourages it.

Specifically, Hutchings explained, they're opening an npm RFC (https://github.com/npm/rfcs/pull/626) that discusses linking a package with its source repository and its build environment.

Instead, by adding support for npm package end-to-end signing with Sigstore, the process is automated.
