
Enable NPM provenance #15680

@hasezoey

Description


Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Enable npm provenance when publishing.
This will provide an attestation of where and on what commit a given publish was built.

Additionally, I don't know if this applies to the current publishing process, but maybe also consider enabling Trusted Publishing if possible.

Motivation

From NPM docs:

This allows you to publicly establish where a package was built and who published a package, which can increase supply-chain security for your packages.

Example

At least for typegoose it was easy to add by just enabling the npm publish option --provenance, or using publishConfig:

{
  "publishConfig": {
    "access": "public",
    "provenance": true
  }
}

An example of how it is shown can be seen via the typegoose package.
Or as images:

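A GitHub Actions publish job that produces the attestation the issue asks for, as an added example that is not from the issue or the project's own repository; the workflow path, the release trigger, the Node version and the use of an NPM_TOKEN secret are assumptions.

```yaml
# .github/workflows/publish.yml  (assumed path; added example, not the project's workflow)
name: Publish to npm with provenance

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required for provenance: npm requests an OIDC identity token for this
      # job and gets the attestation signed via Sigstore against that identity.
      # Without id-token: write, npm publish --provenance fails.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # Writes an .npmrc pointing at the public registry and wires
          # NODE_AUTH_TOKEN into it.
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # --provenance records the repository, workflow file and commit SHA the
      # tarball was built from (npm >= 9.5). With "provenance": true in
      # publishConfig, as in the issue, the flag can be omitted.
      - run: npm publish --provenance --access public
        env:
          # Classic token auth (assumed). If npm Trusted Publishing is
          # configured on npmjs.com for this repository and workflow, the
          # token is not needed: npm authenticates with the OIDC token instead.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Provenance is only generated on CI providers npm recognizes (currently GitHub Actions and GitLab CI) from a public repository; consumers can check that installed packages carry a valid attestation with `npm audit signatures`.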
