Error in npm audit signatures #412

Open
babblebey opened this issue Oct 9, 2024 · 1 comment
@babblebey
Member

During the implementation of #411, in order to follow the established convention in the other ESM conversions, I introduced the npm audit signatures command into the CI process, but I get the below error when it runs in CI, and also when it runs in the local environment.

audited 807 packages in 150s

705 packages have verified registry signatures

9 packages have verified attestations

102 packages have invalid attestations:

@npmcli/agent@2.2.2 (https://registry.npmjs.org/)
@npmcli/agent@3.0.0 (https://registry.npmjs.org/)
@npmcli/agent@2.2.2 (https://registry.npmjs.org/)
@npmcli/agent@2.2.2 (https://registry.npmjs.org/)
@npmcli/fs@4.0.0 (https://registry.npmjs.org/)
@npmcli/git@6.0.1 (https://registry.npmjs.org/)
@npmcli/installed-package-contents@3.0.0 (https://registry.npmjs.org/)
@npmcli/map-workspaces@4.0.1 (https://registry.npmjs.org/)
@npmcli/metavuln-calculator@8.0.0 (https://registry.npmjs.org/)
@npmcli/name-from-folder@3.0.0 (https://registry.npmjs.org/)
@npmcli/node-gyp@4.0.0 (https://registry.npmjs.org/)
@npmcli/package-json@6.0.1 (https://registry.npmjs.org/)
@npmcli/promise-spawn@8.0.1 (https://registry.npmjs.org/)
@npmcli/query@4.0.0 (https://registry.npmjs.org/)
@npmcli/redact@3.0.0 (https://registry.npmjs.org/)
@npmcli/run-script@9.0.1 (https://registry.npmjs.org/)
@octokit/auth-token@5.1.1 (https://registry.npmjs.org/)
@octokit/core@6.1.2 (https://registry.npmjs.org/)
@sec-ant/readable-stream@0.4.1 (https://registry.npmjs.org/)
@semantic-release/commit-analyzer@13.0.0 (https://registry.npmjs.org/)
@semantic-release/github@11.0.0 (https://registry.npmjs.org/)
@semantic-release/npm@12.0.1 (https://registry.npmjs.org/)
@semantic-release/release-notes-generator@14.0.1 (https://registry.npmjs.org/)
[....minimised]
validate-npm-package-name@6.0.0 (https://registry.npmjs.org/)
which@5.0.0 (https://registry.npmjs.org/)
write-file-atomic@6.0.0 (https://registry.npmjs.org/)

Someone might have tampered with these packages since they were published on the registry!

Find more details here: https://github.com/semantic-release/exec/actions/runs/11259848667/job/31309764144

@travi
Member

travi commented Oct 18, 2024

This is likely because an older npm version is being used in that pipeline. For auditing signatures, the latest npm version is needed. We've added the packageManager property to the package.json of other repos under this org using corepack: corepack use npm@latest. With that added, we can prepend the audit command as corepack npm audit signatures and it will make sure to leverage the npm version from the packageManager property. Renovate will also keep that value from growing stale for us.
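A defender-side check for the workflow described in this comment, added here as an example and not code from the semantic-release/exec repository: it parses the counts out of the audit output quoted in the report (a constructed, truncated copy), fails when any package is flagged, and selects the corepack-prefixed command only when package.json carries a packageManager npm pin (the pinned version shown is a constructed sample).

```shell
# Constructed sample output, modelled on the report above (package list truncated).
SAMPLE_AUDIT_OUTPUT='audited 807 packages in 150s
705 packages have verified registry signatures
9 packages have verified attestations
102 packages have invalid attestations:
@npmcli/agent@2.2.2 (https://registry.npmjs.org/)
write-file-atomic@6.0.0 (https://registry.npmjs.org/)
Someone might have tampered with these packages since they were published on the registry!'

# Constructed package.json with the pin that "corepack use npm@latest" writes
# (the version number here is a made-up sample).
SAMPLE_PACKAGE_JSON='{ "name": "example", "packageManager": "npm@10.9.0" }'

# count_of OUTPUT PHRASE: print N from an "N packages have PHRASE" line, or 0 if absent.
# The singular "1 package has ..." form is also accepted (an assumption about npm's wording).
count_of() {
  n=$(printf '%s\n' "$1" | sed -n "s/^\([0-9][0-9]*\) packages\{0,1\} ha[sv]e\{0,1\} $2.*/\1/p" | head -n 1)
  printf '%s\n' "${n:-0}"
}

# audit_verdict OUTPUT: 0 when nothing is flagged, 1 when any package has an invalid
# attestation or the registry tamper warning appears (both phrases come from the report).
audit_verdict() {
  [ "$(count_of "$1" 'invalid attestations')" -eq 0 ] || return 1
  printf '%s\n' "$1" | grep -q 'Someone might have tampered' && return 1
  return 0
}

# pinned_npm PACKAGE_JSON: print the npm version from "packageManager", or nothing.
pinned_npm() {
  printf '%s\n' "$1" | sed -n 's/.*"packageManager": *"npm@\([^"]*\)".*/\1/p'
}

# audit_command PACKAGE_JSON: go through corepack only when an npm pin exists, so CI
# runs the pinned npm rather than whatever the runner image happens to ship.
audit_command() {
  if [ -n "$(pinned_npm "$1")" ]; then
    printf '%s\n' 'corepack npm audit signatures'
  else
    printf '%s\n' 'npm audit signatures'
  fi
}

if audit_verdict "$SAMPLE_AUDIT_OUTPUT"; then
  echo "audit passed; CI command: $(audit_command "$SAMPLE_PACKAGE_JSON")"
else
  echo "audit failed: $(count_of "$SAMPLE_AUDIT_OUTPUT" 'invalid attestations') packages have invalid attestations"
fi
```

On the sample above the verdict is a failure with 102 invalid attestations, which is the condition a CI job should stop on rather than log and continue.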
