starred/markdownlint
1
0
Fork 0
mirror of https://github.com/DavidAnson/markdownlint.git synced 2026-04-25 09:16:02 +03:00
Code Issues 161 Projects Releases Packages Wiki Activity

[GH-ISSUE #1408] Publish npm Package with Provenance Statement #677

New issue
Closed
opened 2026-03-03 01:28:59 +03:00 by kerem · 3 comments
kerem commented 2026-03-03 01:28:59 +03:00
Owner
Copy link

Originally created by @dsanders11 on GitHub (Nov 7, 2024).
Original GitHub issue: https://github.com/DavidAnson/markdownlint/issues/1408

Provenance statements are a nice way to increase confidence in the integrity of published npm packages. It would be great if this package adopted the practice.

A prerequisite to publishing with provenance statements would be to move the publish step to GitHub Actions. Happy to help with guidance there if you'd like any (regarding the workflow or setting up the npm token secret for publishing).

Originally created by @dsanders11 on GitHub (Nov 7, 2024). Original GitHub issue: https://github.com/DavidAnson/markdownlint/issues/1408 <!-- Thank you for taking the time to report an issue! When deciding where to open an issue, please note there are multiple projects under the markdownlint umbrella: - https://github.com/DavidAnson/markdownlint : This is the core JavaScript/Node.js library and is used by other tools. Most issues with implementation and rule behavior belong here. - https://github.com/igorshubovych/markdownlint-cli : This is the original CLI for markdownlint. Issues specific to CLI belong here. - https://github.com/DavidAnson/markdownlint-cli2 : This is a newer CLI for markdownlint and is used by other tools. Issues specific to CLI2 belong here. - https://github.com/DavidAnson/vscode-markdownlint : This is the Visual Studio Code extension for markdownlint. Issues specific to VS Code belong here. - https://github.com/DavidAnson/markdownlint-cli2-action : This is a GitHub Action for markdownlint. Issues specific to the Action belong here. - https://github.com/markdownlint/markdownlint : This is the original markdownlint implementation for Ruby. All Ruby-related issues belong here. Before creating an issue, it's a good practice to search existing issues for something similar. If your issue has already been reported, please update the existing one with any new information. It's also good to review the documentation for any relevant details. When describing an issue, the following information is helpful: - What did you do? - What did you expect to happen? - What actually happened? - What messages or errors were there? - How can the issue be reproduced? - What version were you using? - What operating system were you using? The simplest demonstration of a problem is the most helpful. Small examples can be pasted into the issue description. (Be sure to paste as code so GitHub doesn't render the example in Markdown.) For larger examples, linking to a repository or file is more appropriate. Before proposing a new rule, please review the existing suggestions: https://github.com/DavidAnson/markdownlint/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+rule%22 Thank you! --> [Provenance statements](https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/) are a nice way to increase confidence in the integrity of published npm packages. It would be great if this package adopted the practice. A prerequisite to publishing with provenance statements would be to move the publish step to GitHub Actions. Happy to help with guidance there if you'd like any (regarding the workflow or setting up the npm token secret for publishing).
kerem 2026-03-03 01:28:59 +03:00
  • closed this issue
  • added the
    question
         label
kerem commented 2026-03-03 01:29:00 +03:00
Author
Owner
Copy link

@DavidAnson commented on GitHub (Nov 8, 2024):

https://dlaa.me/blog/post/npmprovenance

<!-- gh-comment-id:2463556217 --> @DavidAnson commented on GitHub (Nov 8, 2024): https://dlaa.me/blog/post/npmprovenance
kerem commented 2026-03-03 01:29:00 +03:00
Author
Owner
Copy link

@dsanders11 commented on GitHub (Nov 8, 2024):

Thanks for linking your blog post! Nice to see that you've considered it and shared your thoughts on it. Personally, I still believe there's value in it, so I hope you'll reconsider your stance in the future. 🙂

For what it's worth, regarding the bypassing 2FA concerns (very valid) Electron has been using a solution for that problem for quite some time now with Continuous Factor Auth (CFA). It's not a good fit for every project, but it has worked well for us and allows us to publish with a 2FA enabled account while also allowing a number of maintainers to provide the 2FA token without any of them having credentials for the publishing account.

<!-- gh-comment-id:2463586219 --> @dsanders11 commented on GitHub (Nov 8, 2024): Thanks for linking your blog post! Nice to see that you've considered it and shared your thoughts on it. Personally, I still believe there's value in it, so I hope you'll reconsider your stance in the future. 🙂 For what it's worth, regarding the bypassing 2FA concerns (very valid) Electron has been using a solution for that problem for quite some time now with [Continuous Factor Auth (CFA)](https://github.com/continuousauth/web). It's not a good fit for every project, but it has worked well for us and allows us to publish with a 2FA enabled account while also allowing a number of maintainers to provide the 2FA token without any of them having credentials for the publishing account.
kerem commented 2026-03-03 01:29:00 +03:00
Author
Owner
Copy link

@DavidAnson commented on GitHub (Nov 8, 2024):

If any of the claims I make are wrong, I am happy to learn why and reevaluate. :) But if they're right, what's the value of doing this?

<!-- gh-comment-id:2463656212 --> @DavidAnson commented on GitHub (Nov 8, 2024): If any of the claims I make are wrong, I am happy to learn why and reevaluate. :) But if they're right, what's the value of doing this?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
next
linkinator-action@v2.4.1
linkinator-action@v2.4.0
wc13
scenario-chunks
seqseq
v0.40.0
v0.39.0
v0.38.0
v0.37.4
v0.37.3
v0.37.2
v0.37.1
v0.37.0
v0.36.1
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.1
v0.31.0
v0.30.0
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.0
v0.26.2
v0.26.1
v0.26.0
v0.25.1
v0.25.0
v0.24.0
v0.23.1
v0.23.0
v0.22.0
v0.21.1
v0.21.0
v0.20.4
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.0
v0.18.0
v0.17.2
v0.17.1
v0.17.0
v0.16.0
v0.15.0
v0.14.2
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.4
v0.6.3
v0.6.2
v0.6.1
v0.6.0
v0.5.0
v0.4.1
v0.4.0
v0.3.1
v0.3.0
v0.2.0
v0.1.1
v0.1.0
v0.0.8
v0.0.7
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
bug

   
enhancement

   
enhancement

   
enhancement

   
fixed in next

   
fixed in next

   
fixed in next

   
new rule

   
new rule

   
new rule

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
refactoring

   
refactoring
No labels
bug
enhancement
enhancement
enhancement
fixed in next
fixed in next
fixed in next
new rule
new rule
new rule
pull-request
question
refactoring
refactoring
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/markdownlint#677
No description provided.