Within NL Design System, we are auditing all packages to ensure they are published securely. This means that provenance statements are generated to guarantee the authenticity of a package (the exact code used to build a package is known).
Example result for one of our packages:
I notice for your packages that some versions have a provenance statement and some don't.
Since you already use trusted publishing, adding provenance is easy. The npm docs describe how you can implement this: https://docs.npmjs.com/generating-provenance-statements. The way we do it is by changing each package's publishConfig.provenance to true.