Microsoft-owned code repository GitHub recently proposed to add a new security mechanism to npm. As securing the software supply chain is one of the biggest security challenges our industry faces right now, GitHub announced a number of changes over the last several months to improve the security of npm, like requiring two-factor authentication, streamlined login, and enhanced signing of artifacts.
According to Justin Hutchings, GitHub’s director of product management, these changes help protect open source consumers from software supply chain attacks.
Hutchings added that GitHub is opening a new request for comments (RFC). The idea is to discuss linking a package with its source repository and its build environment. When package maintainers opt in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository.
With the new RFC, GitHub proposes to add support for end-to-end signing of npm packages using Sigstore, a recent project from the Linux Foundation and Open Source Security Foundation (OpenSSF). This process would include generating attestations about where, when, and how the package was authored, so that it can be verified later.
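As an added illustration (not code from the article, GitHub or the RFC), the consumer-side check the paragraph above describes: once the Sigstore signature on an attestation has been verified, the client still has to confirm that the attested subject digest matches the tarball it downloaded and that the recorded source points at the repository it expects. The in-toto/SLSA statement layout, package name, repository URL and tarball bytes below are constructed assumptions.

```python
import hashlib

# Constructed sample input: a stand-in tarball and a provenance statement laid out in the
# in-toto Statement / SLSA provenance style that Sigstore-based tooling commonly emits
# (an assumption here; the article does not specify the attestation format).
SAMPLE_TARBALL = b"constructed npm tarball bytes for demonstration only"
SAMPLE_DIGEST = hashlib.sha512(SAMPLE_TARBALL).hexdigest()

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "pkg:npm/example-pkg@1.2.3",
                 "digest": {"sha512": SAMPLE_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://github.com/actions/runner"},
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/example-pkg@refs/tags/v1.2.3",
            "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"}}},
    },
}


def verify_provenance(statement, tarball, expected_repo):
    """Return (ok, reason) for a downloaded tarball and its provenance statement.

    Assumes the Sigstore signature over the statement was already checked by the
    client's Sigstore library; this function checks the claims inside it."""
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        return False, "unexpected statement type"
    if not statement.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
        return False, "not a SLSA provenance predicate"
    # The attested digest must be the digest of the bytes we actually received.
    actual = hashlib.sha512(tarball).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha512") == actual for s in subjects):
        return False, "tarball digest does not match any attested subject"
    # The recorded source must be the repository the consumer expects to be linked.
    config = statement.get("predicate", {}).get("invocation", {}).get("configSource", {})
    repo = config.get("uri", "").removeprefix("git+").split("@", 1)[0]
    if repo != expected_repo:
        return False, f"source repository {repo!r} is not the expected {expected_repo!r}"
    return True, "ok"
```

A tampered tarball or a statement whose source points at a different repository both fail closed with a reason the client can surface to the user.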