[Feature] audit signatures
- [ ] I'd be willing to implement this feature (contributing guide)
- [ ] This feature is important to have in this repository; a contrib plugin wouldn't do
Describe the user story
npm has had npm audit signatures since version 8. It would be nice to be able to do that within yarn as well.
https://docs.npmjs.com/cli/v10/commands/npm-audit#audit-signatures
Describe the solution you'd like
Just like I can run yarn npm audit today, I'd like to be able to run yarn npm audit signatures.
Describe the drawbacks of your solution
Can't think of any.
Describe alternatives you've considered
For now I guess I'll just run npm audit signatures?
For anyone that wants to implement this, the bulk of npm's implementation is in lib/utils/verify-signatures.js and relies on @sigstore/tuf
Is there a code licensing conflict?
Edit: Yarn Berry is licensed as BSD 2-Clause; the npm CLI is licensed as Perl's The Artistic License 2.0.
@sigstore/tuf is licensed as Apache 2.0, Yarn berry is licensed as BSD 2-clause, and npm is licensed as Artistic 2.0.
All three appear to be permissive licenses, though Yarn would only need to add a dependency on @sigstore/tuf.
- https://opensource.org/license/apache-2-0
- https://opensource.org/license/bsd-2-clause
- https://opensource.org/license/artistic-2-0