Provenance

For security reasons, make it verifiable for your consumers where your package is coming from and to increase trust in your supply chain NPM introduces provenance.

release-plan supports provenance. Publishing to NPM in this badge:

Configuration

Call the publish command with respective parameters for your package manager.

npm

npm release-plan publish --provenance

pnpm

NPM_CONFIG_PROVENANCE=true pnpm release-plan publish

Resources

• Talk: Build provenance for package registries
• Blog: Introducing npm package provenance
• Docs: Generating provenance statements
• Article: Build Provenance for All Package Registries
• Example: Publishing npm package with provenance
• RFC: Link npm packages to the originating source code repository and build