Open nazarhussain opened 1 year ago
Is this a sufficient alternative to closing #3596? Also related to our discussion about managing dependencies #3470.
Is this a sufficient alternative to closing https://github.com/ChainSafe/lodestar/issues/3596
No, #3596 is about mitigating supply-chain attacks on our dependencies.
This is just helpful for lodestar library users, so they can better trust the validity of our libraries (e.g. @lodestar/config).
Is your feature request related to a problem? Please describe.
Describe the solution you'd like
GitHub recently allowed a new feature to publish the npm package provenance data linked to the npm publish page. See the link in the additional context.
Describe alternatives you've considered
There is no automated alternative for now.
Additional context
https://github.blog/2023-04-19-introducing-npm-package-provenance/