This repository has been archived by the owner on Oct 9, 2023. It is now read-only.

npm: mention generating provenance statements #42

Open
UlisesGascon opened this issue Apr 21, 2023 · 1 comment

Comments

@UlisesGascon

npm recently introduced Generating provenance statements. I think it will be a good idea to include a reference in the release section.

Should I create a PR for that?

cc: @lirantal @ljharb

@ljharb
Member

ljharb commented Apr 21, 2023

I really don't think it's a good idea to recommend or link to it yet. Publishing from CI is very unsafe unless using actual two-factor (an automation token is one-factor), and it remains unclear to me what the value of provenance even is, since I'm not aware of any actual incidents it would have prevented.
