To mitigate the possibility of supply chain attacks, the publishing automation is managed entirely without NPM tokens or API keys. The GitHub Actions workflow responsible for building and releasing the packages is connected directly to NPM as a Trusted Publisher, so no long-lived credential exists that could be leaked or stolen. The author's (@lilnasy) NPM and GitHub accounts are secured with two-factor authentication. E-mail is NOT one of the authentication factors used.
Provenance statements are generated every time the package is built and published, and are viewable on the package's NPM page. The statements include auditable metadata such as the source commit, the exact workflow definition, and logs from the run. Because provenance is presented in the UI as a green check mark, it is important to point out that it is NOT an indication that nothing malicious is going on. It simply lets you trace the published package you and your team download back to the source code and the workflow run that built it.
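As an added illustration of the two paragraphs above (this is not the project's own workflow), the following GitHub Actions job publishes through NPM Trusted Publishing: the job carries no `NPM_TOKEN` secret, requests a GitHub OIDC token instead, and the build attestation is attached to the release. The workflow name, tag pattern, Node version and package settings are assumed values.

```yaml
# Added example, not this project's release workflow.
# Trusted Publishing only works if the repository, workflow file name and
# package name match what was registered under the package's
# "Trusted Publisher" settings on npmjs.com (assumed to be done here).
name: release

on:
  push:
    tags:
      - "v*"          # assumed: releases are cut from version tags

permissions:
  contents: read      # checkout only; the job cannot write to the repo
  id-token: write     # allows the job to request an OIDC token for NPM

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted Publishing needs a recent npm CLI (11.5.1 or newer).
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build   # assumed build script

      # Note the absence of NODE_AUTH_TOKEN / NPM_TOKEN: the OIDC exchange
      # replaces it. --provenance makes the attestation explicit; with
      # Trusted Publishing npm generates it by default. --access public is
      # only required for scoped packages.
      - run: npm publish --provenance --access public
```

Consumers can check that the attestations on their installed dependencies are valid with `npm audit signatures`, which is a check of build traceability, not of whether the code is benign.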
Please write a detailed description of the issue, including
- the steps needed to reproduce the issue
- affected versions
- conditions necessary for the issue to occur
- if known, mitigations for the issue
If you think you've found a security issue impacting users, please DO NOT report, discuss, or describe it on any public forum prior to contacting the responders and allowing appropriate time for a fix to be deployed.
- Arsh (@lilnasy) can be privately reached at hi@arsh.sh.