Comments (4)
@rbuckton @weswigham thoughts?
This may be valuable, although tslib itself has no actual build outputs. Our publish process only performs what is essentially a lint against `modules/index.js` to make sure it has the same exports as `tslib.js`, though we do run some additional tests during CI.
SLSA only validates the provenance of a single package and doesn't validate transitive dependencies. If tslib
doesn't support SLSA it wouldn't necessarily impact projects that depend on it that want to support SLSA themselves.
I am currently reading up on SLSA, but it would help to know what this change would entail as far as ongoing maintenance (i.e., signing certificate renewal, PR review requirements, etc.).
I've read a lot of the docs, and, for us, the ask is basically just to change our build & publish actions to their "verified" actions that do a bunch of hashing and publish integrity metadata alongside the publish. Technically, we can get L1 just by passing `--provenance` to our existing `npm publish` call. The L3 level @ianlewis mentions means stronger integrity guarantees - that the build wasn't tampered with, rather than just providing a link between git hash and build artifact.
Which, reading the docs linked, implies changing our publish yaml to (guesstimating a bit, since the parts are, well, in parts, and we want to retain our existing on-github-release behavior, not on-git-tag):
```yaml
name: Publish to NPM
on:
  release:
    types: [created]
jobs:
  build:
    permissions:
      id-token: write # For signing
      contents: read # For repo checkout.
      actions: read # For getting workflow run info.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      run-scripts: "i, test"
  publish:
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - name: Set up Node registry authentication
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version: 18
          registry-url: "https://registry.npmjs.org"
      - name: publish
        id: publish
        uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@4314fec3d06bb217f163b89466dcd34be65b9bf1 # v1.6.0
        with:
          access: public
          node-auth-token: ${{ secrets.NPM_TOKEN }}
          package-name: ${{ needs.build.outputs.package-name }}
          package-download-name: ${{ needs.build.outputs.package-download-name }}
          package-download-sha256: ${{ needs.build.outputs.package-download-sha256 }}
          provenance-name: ${{ needs.build.outputs.provenance-name }}
          provenance-download-name: ${{ needs.build.outputs.provenance-download-name }}
          provenance-download-sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
```
and adding `node test/validateModuleExportsMatchCommonJS/index.js` as our formal `npm run test` script in the `package.json`.
But for real, since there's 0 dependencies and 0 build step, passing `--provenance` to `npm publish` should be just as strong a guarantee, since there's no additional build steps to guarantee the integrity of.
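What a consumer of the published tarball does with the provenance either route produces, as an added example (not code from the tslib project or from anyone in this thread): decode the DSSE envelope, check that the attested subject digest matches the downloaded tarball byte for byte, and pin the builder id and source repository. The statement layout follows SLSA provenance v1 as emitted for GitHub Actions builds; the builder id, tarball bytes and file name are constructed placeholders, and cryptographic verification of the envelope signature is assumed to happen separately (for example via `npm audit signatures` or `slsa-verifier`), so this only enforces policy on the decoded statement.

```python
import base64
import hashlib
import json

# Trust anchors: the builder id is a constructed placeholder (pin the real builder workflow ref you use).
EXPECTED_BUILDER_ID = "https://github.com/EXAMPLE-ORG/slsa-builder/.github/workflows/builder.yml@refs/tags/v1.0.0"
EXPECTED_REPO = "https://github.com/microsoft/tslib"
DSSE_TYPE = "application/vnd.in-toto+json"
TARBALL_NAME = "tslib-0.0.0-example.tgz"  # constructed package file name

def verify_provenance(envelope, tarball, tarball_name=TARBALL_NAME,
                      builder_id=EXPECTED_BUILDER_ID, repo=EXPECTED_REPO):
    # Policy checks on a DSSE-wrapped SLSA v1 statement; returns a list of failures.
    if envelope.get("payloadType") != DSSE_TYPE:
        return ["unexpected DSSE payloadType"]
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    failures = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicate is not SLSA provenance v1")
    # 1. The subject must be the tarball we downloaded, byte for byte.
    digest = hashlib.sha256(tarball).hexdigest()
    subj = [s for s in stmt.get("subject", []) if s.get("name") == tarball_name]
    if not subj or subj[0].get("digest", {}).get("sha256") != digest:
        failures.append("no subject matching the downloaded tarball name and sha256")
    pred = stmt.get("predicate", {})
    # 2. Only the pinned builder may have produced the attestation.
    got_builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if got_builder != builder_id:
        failures.append(f"untrusted builder id: {got_builder}")
    # 3. The build must have run from the expected source repository.
    ext = pred.get("buildDefinition", {}).get("externalParameters", {})
    got_repo = ext.get("workflow", {}).get("repository")
    if got_repo != repo:
        failures.append(f"unexpected source repository: {got_repo}")
    return failures

TARBALL = b"constructed stand-in for the published .tgz bytes"

def sample_envelope(tarball=TARBALL, builder_id=EXPECTED_BUILDER_ID, repo=EXPECTED_REPO):
    # Constructed, unsigned DSSE envelope around a minimal SLSA v1 statement.
    stmt = {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": "https://slsa.dev/provenance/v1",
        "subject": [{"name": TARBALL_NAME, "digest": {"sha256": hashlib.sha256(tarball).hexdigest()}}],
        "predicate": {"buildDefinition": {"externalParameters": {"workflow": {"repository": repo}}},
                      "runDetails": {"builder": {"id": builder_id}}},
    }
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"payloadType": DSSE_TYPE, "payload": payload, "signatures": []}
```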
> But for real, since there's 0 dependencies and 0 build step, passing `--provenance` to `npm publish` should be just as strong a guarantee, since there's no additional build steps to guarantee the integrity of.
You're right this is a bit of a special case so you're right that the security benefits are a bit nuanced for sure. I still think there is a bit of benefit to separating the build, provenance generation, provenance signing, and publishing steps and should work nicely if you ever do need to introduce any build steps or dependencies (though I imagine the latter at least is unlikely).