vadimpiven · vadimpiven · Feb 1, 2026 · Feb 3, 2026 · gemini-code-assist · Feb 3, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/mise.lock b/mise.lock
@@ -180,9 +180,6 @@ backend = "github:mikefarah/yq"
 "platforms.windows-arm64" = { checksum = "sha256:91490f02ce4307be4c4f60a1cefc3f8cb0385167f9fbe315770cb88402e0430c", url = "https://github.com/mikefarah/yq/releases/download/v4.52.1/yq_windows_arm64.zip", url_api = "https://api.github.com/repos/mikefarah/yq/releases/assets/348526699"}
 "platforms.windows-x64" = { checksum = "sha256:908f8a1886fcbaef749980bbf77385999f9400126cc94d2b44302f305e968264", url = "https://github.com/mikefarah/yq/releases/download/v4.52.1/yq_windows_amd64.zip", url_api = "https://api.github.com/repos/mikefarah/yq/releases/assets/348526689"}
 
-[tools."github:mikefarah/yq".options]
-version_prefix = "v"
-
 [[tools."github:mozilla/sccache"]]
 version = "0.12.0"
 backend = "github:mozilla/sccache"

diff --git a/mise.toml b/mise.toml
@@ -41,6 +41,7 @@ node = "24.13.0"
 rust.version = "nightly-2026-01-15"
 
 "aqua:jqlang/jq" = "1.8.1"
+"github:mikefarah/yq" = "4.52.1"
 "aqua:BurntSushi/ripgrep" = "15.1.0"
 "aqua:aquasecurity/trivy" = "0.69.0"
 "aqua:google/yamlfmt" = "0.21.0"
@@ -59,10 +60,6 @@ version = "0.9.124"
 version_prefix = "samply-v"
 version = "0.13.1"
 
-[tools."github:mikefarah/yq"]
-version_prefix = "v"
-version = "4.52.1"
-
 # Tools with no Windows ARM64 binary available
 [tools."aqua:hadolint/hadolint"]
 version = "2.14.0"
@@ -261,14 +258,14 @@ sources = ["*.{yaml,yml}", "{.devcontainer,.github}/**/*.{yaml,yml}"]
 description = "Check Rust code with clippy"
 hide = true
 depends = ["setup:rust"]
-run = "cargo clippy -r --locked -- -D warnings"
+run = "cargo clippy --all-targets -r --locked -- -D warnings"
 sources = ["packages/**/*.rs", "Cargo.{toml,lock}", "clippy.toml"]
 
 [tasks."fix:clippy"]
 description = "Fix Rust code with clippy"
 hide = true
 depends = ["setup:rust"]
-run = "cargo clippy -r --locked --fix --allow-dirty"
+run = "cargo clippy --all-targets --fix --allow-dirty"
 sources = ["packages/**/*.rs", "Cargo.{toml,lock}", "clippy.toml"]
 
 # --- rustfmt (Rust) ---

diff --git a/packages/node/README.md b/packages/node/README.md
@@ -44,8 +44,10 @@ setGlobalDispatcher(agent);
 const response = await fetch("https://example.com");
 ```
 
-## Install script
+## Postinstall Script
 
-Warning: this package uses install script to download precompiled binary
-for the correct OS and architecture. All the binaries get attached to GitHub
-release. The releases are made immutable to prevent supply chain attacks.
+This package downloads a precompiled binary during installation. The
+[postinstall script](./scripts/postinstall.js) cryptographically verifies that
+the binary was built in the same GitHub Actions workflow run as this npm package
+using [Sigstore](https://www.sigstore.dev/) provenance attestations and the
+public [Rekor](https://docs.sigstore.dev/logging/overview/) transparency log.
diff --git a/packages/node/package.json b/packages/node/package.json
@@ -75,12 +75,16 @@
     "postinstall": "node scripts/postinstall.js"
   },
   "dependencies": {
+    "@sigstore/core": "catalog:",
+    "sigstore": "catalog:",
     "undici": "catalog:"
   },
   "devDependencies": {
     "@codecov/vite-plugin": "catalog:",
     "@playwright/test": "catalog:",
     "@rollup/plugin-node-resolve": "catalog:",
+    "@sigstore/bundle": "catalog:",
+    "@sigstore/rekor-types": "catalog:",
     "@types/node": "catalog:",
     "@vitest/coverage-istanbul": "catalog:",
     "electron": "catalog:",