
Commit 95d9700

Docs for unreachable provenance source commit (npm#672)
npm will now show a warning when the npm provenance source commit or repository cannot be found. Signed-off-by: Philip Harrison <philip@mailharrison.com>
1 parent f2c57df commit 95d9700

2 files changed

+9
-1
lines changed


content/packages-and-modules/getting-packages-from-the-registry/searching-for-and-choosing-packages-to-download.mdx

Lines changed: 9 additions & 1 deletion
@@ -48,7 +48,7 @@ You can use this information to audit packages and determine whether or not you
4848

4949
To view provenance information for a package in the npm registry:
5050

51-
1. In the npm registry, navigate to a package.
51+
1. In the npm registry, navigate to a package.
5252

5353
2. On the package's page, in the **Version** field to the right of the README, look for a green check mark. If there is a green check mark, this means the package was published with provenance.
5454
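Review bot: the removed and added versions of line 51 read identically as rendered here ("1. In the npm registry, navigate to a package."), so this looks like a whitespace-only change that is unrelated to the unreachable-source-commit docs. Either drop it from this commit or mention the cleanup in the commit message so the one-line deletion in the stats is explained.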

@@ -66,6 +66,14 @@ To view provenance information for a package in the npm registry:
6666

6767
<Screenshot src="packages-and-modules/getting-packages-from-the-registry/npm-provenance.png" alt="Screenshot showing npm provenance information for a published package" />
6868

69+
<Note>
70+
71+
**Note:** Whenever you access a package's provenance information on npmjs.com, the linked source commit and repository are checked by npm. If the linked source commit or repository cannot be found, an error message will appear at the top of the page and alongside the provenance information. This is to inform you that the provenance for this package can no longer be established, which may occur when a repository is deleted or made private.
72+
73+
</Note>
74+
75+
<Screenshot src="packages-and-modules/getting-packages-from-the-registry/npm-provenance-unreachable-source-commit@2x.png" alt="Screenshot showing a warning when the provenance source commit or repository cannot be found." />
76+
6977
### Verifying provenance attestations
7078

7179
When you download a package from the registry, you can verify the provenance of a package with the following CLI command:
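Review bot: the terminology is inconsistent in the added lines 71 and 75. The note says "an error message will appear", while the screenshot alt text (and the commit message) call it "a warning". Pick one term, matching whatever npmjs.com actually displays, and use it in both places. Two smaller points: the new image is named with an "@2x" suffix while the existing "npm-provenance.png" next to it has none, so check the naming convention; and since the note says provenance "can no longer be established", a sentence on what the reader should do when auditing such a package would make the note more actionable.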