During the implementation of #411, in order to follow the established convention from the other ESM conversions, I introduced the npm audit signature command into the CI process, but I get the error below when it runs in CI, and also when it runs in the local environment. Find more details here: https://github.com/semantic-release/exec/actions/runs/11259848667/job/31309764144
audited 807 packages in 150s
705 packages have verified registry signatures
9 packages have verified attestations
102 packages have invalid attestations:
@npmcli/agent@2.2.2 (https://registry.npmjs.org/)
@npmcli/agent@3.0.0 (https://registry.npmjs.org/)
@npmcli/agent@2.2.2 (https://registry.npmjs.org/)
@npmcli/agent@2.2.2 (https://registry.npmjs.org/)
@npmcli/fs@4.0.0 (https://registry.npmjs.org/)
@npmcli/git@6.0.1 (https://registry.npmjs.org/)
@npmcli/installed-package-contents@3.0.0 (https://registry.npmjs.org/)
@npmcli/map-workspaces@4.0.1 (https://registry.npmjs.org/)
@npmcli/metavuln-calculator@8.0.0 (https://registry.npmjs.org/)
@npmcli/name-from-folder@3.0.0 (https://registry.npmjs.org/)
@npmcli/node-gyp@4.0.0 (https://registry.npmjs.org/)
@npmcli/package-json@6.0.1 (https://registry.npmjs.org/)
@npmcli/promise-spawn@8.0.1 (https://registry.npmjs.org/)
@npmcli/query@4.0.0 (https://registry.npmjs.org/)
@npmcli/redact@3.0.0 (https://registry.npmjs.org/)
@npmcli/run-script@9.0.1 (https://registry.npmjs.org/)
@octokit/auth-token@5.1.1 (https://registry.npmjs.org/)
@octokit/core@6.1.2 (https://registry.npmjs.org/)
@sec-ant/readable-stream@0.4.1 (https://registry.npmjs.org/)
@semantic-release/commit-analyzer@13.0.0 (https://registry.npmjs.org/)
@semantic-release/github@11.0.0 (https://registry.npmjs.org/)
@semantic-release/npm@12.0.1 (https://registry.npmjs.org/)
@semantic-release/release-notes-generator@14.0.1 (https://registry.npmjs.org/)
[....minimised]
validate-npm-package-name@6.0.0 (https://registry.npmjs.org/)
which@5.0.0 (https://registry.npmjs.org/)
write-file-atomic@6.0.0 (https://registry.npmjs.org/)
Someone might have tampered with these packages since they were published on the registry!
This is likely because an older npm version is being used in that pipeline. For auditing signatures, the latest npm version is needed. We've added the packageManager property to the package.json of the other repos under this org using corepack: corepack use npm@latest. With that added, we can prepend the audit command as corepack npm audit signatures, and it will make sure to leverage the npm version from the packageManager property. Renovate will also keep that value from growing stale for us.
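As an added example (not code from the semantic-release/exec repo or the commenter above), the following POSIX shell snippet turns the advice into a fail-fast check for CI: it reads the npm version pinned in package.json's packageManager field and refuses to run npm audit signatures with an older npm, so a stale npm produces a clear message instead of the misleading "might have tampered" output. The package.json contents and the version numbers are constructed for the example; the field format "npm@X.Y.Z" (optionally followed by a "+sha512..." hash, as corepack writes it) is the only assumption about the file.

```shell
#!/bin/sh
# Guard for `npm audit signatures`: make sure the npm that is about to run
# is at least the version pinned in package.json ("packageManager": "npm@X.Y.Z").
# Added example, not part of the project; package.json content is constructed.

# Print the npm version from the packageManager field of a package.json ($1),
# or nothing if the field is absent or pins a different package manager.
# Tolerates corepack's "+sha512.<hash>" suffix. Uses sed only, so no node/jq needed.
pinned_npm_version() {
  sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"npm@\([0-9][0-9.]*\)[^"]*".*/\1/p' "$1"
}

# Compare two dotted versions ($1, $2) component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2. Missing components count as 0.
semver_cmp() {
  sv_a="$1"; sv_b="$2"; sv_i=1
  while [ "$sv_i" -le 3 ]; do
    sv_x=$(printf '%s' "$sv_a" | cut -d. -f"$sv_i")
    sv_y=$(printf '%s' "$sv_b" | cut -d. -f"$sv_i")
    sv_x=${sv_x:-0}; sv_y=${sv_y:-0}
    if [ "$sv_x" -lt "$sv_y" ]; then echo -1; return; fi
    if [ "$sv_x" -gt "$sv_y" ]; then echo 1; return; fi
    sv_i=$((sv_i + 1))
  done
  echo 0
}

# Succeed (exit 0) if the running npm version ($2) is at least the version
# pinned in package.json ($1); otherwise print why and fail (exit 1).
npm_version_ok() {
  pinned=$(pinned_npm_version "$1")
  if [ -z "$pinned" ]; then
    echo "no packageManager npm pin found in $1" >&2
    return 1
  fi
  if [ "$(semver_cmp "$2" "$pinned")" -lt 0 ]; then
    echo "npm $2 is older than the pinned npm@$pinned; run it via corepack" >&2
    return 1
  fi
  return 0
}

# Constructed sample package.json (hypothetical project, hypothetical pin).
SAMPLE_PKG_JSON=$(mktemp)
cat > "$SAMPLE_PKG_JSON" <<'EOF'
{
  "name": "example-project",
  "packageManager": "npm@10.9.0+sha512.0123456789abcdef"
}
EOF

# Demonstration with a deliberately old npm version.
if npm_version_ok "$SAMPLE_PKG_JSON" "9.8.1"; then
  echo "npm 9.8.1 accepted, safe to run: npm audit signatures"
else
  echo "npm 9.8.1 rejected; use: corepack npm audit signatures"
fi
```

In a real pipeline the call would be npm_version_ok package.json "$(npm --version)" && npm audit signatures, or simply corepack npm audit signatures as the comment suggests, which makes corepack fetch the pinned version itself.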