Last week saw the GA release of npm CLI’s native Sigstore functionality, a project over a year in the making. This is a tremendous milestone for the adoption of Sigstore in open source projects and represents huge progress in effecting a cultural shift toward expecting provenance to exist for software components. It also helps move npm toward the best practices articulated by the OpenSSF’s Securing Open Source Repos Working Group in their document “Build Provenance for All Package Registries”. We’re very pleased to see npm showing what registries can (and should) be doing to offer new capabilities that respond to emerging threats in software supply chain security.
During the public beta period (which lasted from April 2023 until September 26), over 3,800 projects have adopted build provenance (including 134 high-impact projects), resulting in over 500 million total downloads of provenance-enabled package versions to date.
We see npm’s work to integrate Sigstore as an exemplar for other package managers, which we codified into our roadmap as a strategic priority. The more ecosystems adopt signing and provenance, the more confidence the OSS community (and downstream dependents across open source and proprietary code) will be able to have in the building blocks of open source. That’s an exciting future to be in, and one that we’re working toward every day.