salesforce/lwc

Add provenance signature to @lwc packages

AllanOricil opened this issue · 1 comment

Other important packages published to npm, like vue, have started adding the npm feature called "provenance" to their published packages.

https://docs.npmjs.com/generating-provenance-statements

Vue
https://www.npmjs.com/package/vue#provenance

https://blog.deps.dev/npm-provenance/

It improves trust because developers can now know for sure the source that was used for building that published package.

I took a look at your workflows and couldn't find a release workflow. If you are not releasing it on GitHub or GitLab, you can't use this feature, according to the npm docs.
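For reference, here is what a provenance-enabled release workflow looks like. This is an added example, not a workflow from the lwc repository or from any of the packages mentioned above; the file name, the `v*` tag trigger, the Node version and the `NPM_TOKEN` secret name are assumptions, and the package's `repository` field in package.json is assumed to point at the repository the workflow runs in (npm rejects the publish when the attested source repository does not match it).

```yaml
# Added example, not part of the lwc project.
# Assumed: .github/workflows/release.yml in a repo that contains a publishable
# package.json, and an NPM_TOKEN repository secret holding an npm automation
# (granular access) token with publish rights.
name: release

on:
  push:
    tags:
      - 'v*'            # assumed tag convention; use the project's own

permissions:
  contents: read
  id-token: write       # required: lets the job obtain the OIDC token that Sigstore signs

jobs:
  publish:
    runs-on: ubuntu-latest   # must be a GitHub-hosted runner for provenance to be generated
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # writes .npmrc so NODE_AUTH_TOKEN is picked up

      # --provenance needs npm >= 9.5.0; upgrade in case the runner image ships an older one
      - run: npm install -g npm@latest

      - run: npm ci

      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The two pieces that actually enable the feature are `id-token: write` and the `--provenance` flag; without the permission, the CLI cannot request the OIDC identity token and publishing fails. As the npm docs linked above state, only builds on GitHub Actions or GitLab CI/CD cloud-hosted runners can produce the attestation, so a self-hosted runner or an internal release tool will not. On the consuming side, running `npm audit signatures` in a project that depends on the package checks the registry signatures and provenance attestations of the installed packages.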

We currently use an internal tool for publishing releases. It does not support provenance. We may be migrating to a new tool at some point in the coming months. I don't know whether the new tool will have the ability, but we will use it if available.