Closed
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
Recently npm audit signatures started failing in a project of mine. The error is about packages having invalid attestations. Specifically:
@semantic-release/npm@11.0.3
ts-api-utils@1.3.0
Full log: https://gist.github.com/davidlj95/1c2752b4f59dda2527cfc27862350af0
As you can see, I was using npm version 10.2.4. When using 10.5.0, the error was gone. Versions 10.3.0 and 10.4.0 are affected too after a quick test.
Expected Behavior
Attestations keep working for recent versions of npm
For instance, GitHub Hosted Runner Ubuntu 220.4 (latest) uses version 10.2.4.
Steps To Reproduce
- Using npm with a version from 10.2.4 (or maybe older) < 10.5.0
- Install one of the packages listed above
- Run npm audit signatures
- Command fails with error:
audited 499 packages in 2s
497 packages have verified registry signatures
56 packages have verified attestations
2 packages have invalid attestations:
@semantic-release/npm@11.0.3 (https://registry.npmjs.org/)
ts-api-utils@1.3.0 (https://registry.npmjs.org/)
Someone might have tampered with these packages since they were published on the registry!
Environment
- npm: 10.2.4 (reproduces until 10.4.0)
- Node.js: v20.11.1
- OS Name: macOS Sonoma 14.4
- System Model Name: Apple MacBook Pro
- npm config:
; "user" config from /Users/davidlj95/.npmrc
//registry.npmjs.org/:_authToken = (protected)
; node bin location = /Users/davidlj95/.n/bin/node
; node version = v20.11.1
; npm local prefix = /Users/davidlj95/Code/tmp/invalid-attestations
; npm version = 10.2.4
; cwd = /Users/davidlj95/Code/tmp/invalid-attestations
; HOME = /Users/davidlj95
; Run `npm config ls -l` to show all defaults.
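As an added example (not part of the original report or of npm itself), the following POSIX shell helper parses the `npm audit signatures` output quoted above and fails when any package is listed under "invalid attestations", so a CI job gates on the tampering warning instead of only eyeballing the log. The sample output is constructed to mirror the report; it assumes the audit is run without color (`npm audit signatures --color=false`) so no ANSI escapes are present.

```shell
#!/bin/sh
# Constructed sample of `npm audit signatures` output, copied from the report above.
SAMPLE_OUTPUT='audited 499 packages in 2s
497 packages have verified registry signatures
56 packages have verified attestations
2 packages have invalid attestations:
@semantic-release/npm@11.0.3 (https://registry.npmjs.org/)
ts-api-utils@1.3.0 (https://registry.npmjs.org/)
Someone might have tampered with these packages since they were published on the registry!'

# Read audit output on stdin and print one package spec per line for every
# package listed under the "N packages have invalid attestations:" header.
# The header's leading count tells awk how many following lines to take;
# the trailing "(registry URL)" is stripped so only name@version remains.
invalid_attestations() {
  awk '
    /^[0-9]+ packages? (have|has an) invalid attestations?:/ { n = $1; next }
    n > 0 { sub(/ \([^)]*\)$/, ""); print; n-- }
  '
}

# Gate for CI: return 1 (and list the offenders on stderr) when any package
# has an invalid attestation, 0 when the audit reported none.
check_attestations() {
  pkgs=$(invalid_attestations)
  if [ -n "$pkgs" ]; then
    printf 'packages with invalid attestations:\n%s\n' "$pkgs" >&2
    return 1
  fi
  return 0
}

# Usage in a pipeline: npm audit signatures --color=false | check_attestations
```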