SLSA (Supply-chain Levels for Software Artifacts) is a security framework for defining cryptographically verifiable attestations about software artifacts, including their provenance (e.g., the exact source repository and build process that produced them).
Attestations are digitally signed, publicly verifiable statements about npm packages, including their provenance and build environment information.
Attestations are built on top of Sigstore and use short-lived signing keys bound to trusted identities (like GitHub Actions workflows), making them misuse-resistant and less susceptible to key loss and theft.
This site shows the top 500 most-downloaded packages on npm and which have SLSA attestations available.
Attestations have been available since April 19th 2023.
If your package is incorrectly listed, please create an issue.
You can verify attestations for installed packages using the npm CLI (version 9.5.0 or later):
npm audit signatures
This will show you which packages in your project have verified attestations. For more information, see the npm documentation on verifying provenance.
The easiest way to enable attestations is to publish your packages from GitHub Actions or GitLab CI/CD with the --provenance flag. See the npm provenance documentation for detailed setup instructions. You can also use npm trusted publishers, which automatically generate attestations without requiring the --provenance flag.
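As an added example (not code from this site or from npm), the following GitHub Actions workflow shows the two steps described above in one place: a consumer-side `npm audit signatures` check on the project's own dependencies, followed by a publish with the --provenance flag. The package name, the `NPM_TOKEN` secret name and the `v*` tag trigger are assumptions; the `id-token: write` permission is what allows the workflow to obtain the short-lived Sigstore identity that the attestation is bound to.

```yaml
# Added example workflow (assumed file: .github/workflows/publish.yml).
# Publishes an npm package with a SLSA provenance attestation.
name: publish-with-provenance

on:
  push:
    tags:
      - "v*"          # assumption: releases are cut from version tags

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: lets npm request an OIDC token for Sigstore signing
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"

      - run: npm ci

      # Consumer-side check: fail the build if any installed dependency
      # has a missing or invalid registry signature / attestation.
      - run: npm audit signatures

      # Producer-side step: --provenance makes npm generate and upload the
      # attestation alongside the tarball. With npm trusted publishers
      # configured for this repository, NODE_AUTH_TOKEN and --provenance
      # are not needed; the token-based form is shown here.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumption: secret name
```

Because the signing identity is the workflow itself rather than a long-lived key held by a maintainer, an attacker who steals `NPM_TOKEN` can still publish but cannot forge provenance claiming the release came from this repository and workflow, which is the property `npm audit signatures` lets downstream projects check.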
Great! Please create an issue to let us know!
This is inspired by Are we PEP 740 yet?, which tracks attestations in the Python ecosystem. The top package data comes from Ecosyste.ms.