npm and Sigstore: Provenance Comes to the World’s Largest OSS Ecosystem
At GitHub, we’ve been hard at work over the last year on a project to secure the Javascript ecosystem by building provenance directly into first-party tooling and partnering with Sigstore to make software signing easy and ubiquitous.
GitHub-owned npm is the de facto standard package system for Javascript, which is the world’s largest language ecosystem by lines of code. Serving over 70 billion requests per month and accepting around 40k publish events in the average day, npm is popular enough that it’s seen more than its fair share of malware attacks and supply chain trojans in the recent past....
By: Trevor Rosen , Zach Steindler
Full Abstract and Presentation Materials: #npm-and-sigstore-provenance-comes-to-the-worlds-largest-oss-ecosystem-32893