
Add provenance signature to @lwc packages

Open · AllanOricil opened this issue 1 year ago · 1 comment

Other important packages published to npm, like vue, started adding this npm feature called "provenance" in their published packages.

https://docs.npmjs.com/generating-provenance-statements

Vue https://www.npmjs.com/package/vue#provenance

https://blog.deps.dev/npm-provenance/

It improves trust because developers can now know for sure the source that was used for building that published package.

I took a look at your workflows and couldn't find a release workflow. If you are not releasing it on GitHub or GitLab, you can't use this feature, according to the npm docs.

AllanOricil · Oct 15 '24 14:10

We currently use an internal tool for publishing releases. It does not support provenance. We may be migrating to a new tool at some point in the coming months. I don't know whether the new tool will have the ability, but we will use it if available.

wjhsf · Oct 15 '24 15:10