Please add trusted publishing to npm packages to improve security
Problem Statement
Following recent hacks on npm packages, it would be greatly appreciated if you could increase the trust level of the npm packages.
Solution Brainstorm
- A first and easy step would be generating provenance statements docs.npmjs.com/generating-provenance-statements
- The best case would be adding trusted publishing docs.npmjs.com/trusted-publishers, as this would allow you to get rid of npm tokens, making token compromises not a risk anymore
Additional Context
Would have opened a PR, but for trusted publishing, the changes mostly need to happen in the npm config of the packages.
Priority
React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding +1 or me too, to help us triage it.
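For readers who want to see what the two requested steps look like in practice, here is an added example of a GitHub Actions release workflow that publishes with npm trusted publishing (OIDC, no long-lived token in the repository) and attaches a provenance statement. It is not part of this issue and not Sentry's pipeline; the tag pattern, environment name and build script are assumptions, and the trusted publisher (repository, workflow file name, environment) must first be registered on npmjs.com under the package's publishing settings, as the linked npm docs describe.

```yaml
# Added example (not from the issue or from Sentry): GitHub Actions workflow for
# npm trusted publishing plus provenance. Names marked "assumed" are placeholders.
name: release

on:
  push:
    tags:
      - "v*"            # assumed: releases are cut from version tags

jobs:
  publish:
    runs-on: ubuntu-latest
    # The repository, this workflow's file name and (optionally) this environment
    # must match the trusted publisher registered on npmjs.com for the package.
    environment: release   # assumed environment name
    permissions:
      contents: read
      id-token: write      # lets the job request an OIDC token that npm exchanges
                           # for a short-lived publish credential
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing requires npm CLI 11.5.1 or newer; the npm bundled with
      # the Node release may be older, so upgrade it first.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm run build --if-present   # assumed build step
      # Note what is absent: no NODE_AUTH_TOKEN / NPM_TOKEN secret anywhere in the
      # job. The registry authenticates the workflow identity via OIDC instead, so
      # there is no token to leak from CI logs, forks or a compromised maintainer.
      # --provenance attaches a signed Sigstore attestation linking the published
      # tarball to this commit and workflow run (shown on the package's npm page);
      # npm's trusted publishing docs state provenance is also generated
      # automatically in this mode, the flag just makes the intent explicit.
      - run: npm publish --provenance --access public
```

Two checks a maintainer would want after switching: the first publish should fail if the workflow file name or environment does not match what was registered on npmjs.com (a useful signal that the binding is enforced), and the package page should show the "Provenance" section pointing at the exact commit and run. The token-based step this replaces is usually a `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` env on the publish step; once trusted publishing works, that secret can be revoked on npmjs.com so it cannot be used outside the workflow.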
We actually have a pretty robust publishing process at Sentry - no employees have access to tokens here.
You can read more about this here: https://byk.im/posts/releasing-packages/. The rest of the pipeline is also open source (and can be audited):
- https://github.com/getsentry/publish
- https://github.com/getsentry/craft
We'll leave this open because I think we still want to add provenance statements, but it'll take some time for us to figure this out.