Npm Package Provenance (2023)
Posted4 months agoActive4 months ago
github.blogTechstory
supportivepositive
Debate
0/100
Npm SecurityPackage ProvenanceSupply Chain Security
Key topics
Npm Security
Package Provenance
Supply Chain Security
GitHub introduces npm package provenance to improve supply chain security.
Snapshot generated from the HN discussion
Discussion Activity
Light discussionFirst comment
N/A
Peak period
2
0-1h
Avg / period
2
Key moments
- 01Story posted
Sep 9, 2025 at 3:26 PM EDT
4 months ago
Step 01 - 02First comment
Sep 9, 2025 at 3:26 PM EDT
0s after posting
Step 02 - 03Peak activity
2 comments in 0-1h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 9, 2025 at 3:45 PM EDT
4 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45187429Type: storyLast synced: 11/17/2025, 6:08:57 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
Additional resources:
- Trusted publishing via OIDC [1]
- Requiring 2FA for package publishing [2]
1: https://docs.npmjs.com/trusted-publishers
2: https://docs.npmjs.com/requiring-2fa-for-package-publishing-...
Given what happened with NX [1], I'm hoping GitHub Actions disallows certain types of commands in their YAML. Otherwise we still have a straightforward way to attach provenance to malicious code. =\
1: https://x.com/adnanthekhan/status/1958722939534417989