semantic-release / exec

:shell: semantic-release plugin to execute custom shell commands
MIT License

Error in `npm audit signatures` #412

Open babblebey opened 1 month ago

babblebey commented 1 month ago

During the implementation of #411, in order to follow the established convention in other ESM conversions, I introduced the npm audit signatures command into the CI process, but I get the below error when it runs in CI, and also when it runs in the local environment.

audited 807 packages in 150s

705 packages have verified registry signatures

9 packages have verified attestations

102 packages have invalid attestations:

Someone might have tampered with these packages since they were published on the registry!

Find more details here: https://github.com/semantic-release/exec/actions/runs/11259848667/job/31309764144

travi commented 1 month ago

This is likely because an older npm version is being used in that pipeline. For auditing signatures, the latest npm version is needed. We've added the packageManager property to the package.json of other repos under this org using corepack: corepack use npm@latest. With that added, we can prepend the audit command as corepack npm audit signatures and it will make sure to leverage the npm version from the packageManager property. Renovate will also keep that value from growing stale for us.
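An added example of the gate this comment describes, written for this page and not taken from the semantic-release/exec project or the thread: it refuses to audit unless package.json pins npm via packageManager, runs the audit through corepack so the pinned npm is used, and parses the npm audit signatures summary so CI fails on any invalid signature or attestation. The sample output is constructed in the shape of the output quoted in the issue; the "invalid registry signatures" heading is an assumption about npm's output format, the other headings come from the issue.

```shell
#!/usr/bin/env sh
# Added example, not the project's own CI: gate `npm audit signatures`
# on a corepack-pinned npm and parse its summary so CI fails on tampering.

# Constructed sample of `npm audit signatures` output, shaped like the
# output quoted in the issue (counts are illustrative only).
SAMPLE_AUDIT_OUTPUT='audited 807 packages in 150s

705 packages have verified registry signatures

9 packages have verified attestations

102 packages have invalid attestations:

@npmcli/agent@2.2.2 (https://registry.npmjs.org/)

Someone might have tampered with these packages since they were published on the registry!'

# Return 0 when the given package.json pins npm via "packageManager".
has_package_manager_pin() {
  grep -Eq '"packageManager"[[:space:]]*:[[:space:]]*"npm@' "$1"
}

# Print the package count reported under a summary heading, e.g.
# "invalid attestations"; prints 0 when that heading is absent.
audit_count() {
  # $1: audit output, $2: heading phrase as npm prints it
  n=$(printf '%s\n' "$1" | sed -n "s/^\([0-9][0-9]*\) packages have $2.*/\1/p")
  echo "${n:-0}"
}

# Return 0 only if no invalid signatures or attestations were reported.
# The "invalid registry signatures" heading is assumed from npm's format;
# "invalid attestations" is the heading seen in the issue.
audit_output_ok() {
  [ "$(audit_count "$1" 'invalid registry signatures')" -eq 0 ] &&
    [ "$(audit_count "$1" 'invalid attestations')" -eq 0 ]
}

# CI entry point: require the packageManager pin, then run the audit
# through corepack so the pinned npm (not the runner's default) is used.
run_pinned_audit() {
  has_package_manager_pin package.json ||
    { echo 'package.json has no "packageManager": "npm@..." pin' >&2; return 2; }
  corepack enable
  out=$(corepack npm audit signatures 2>&1); status=$?
  printf '%s\n' "$out"
  [ "$status" -eq 0 ] && audit_output_ok "$out"
}
```

Call run_pinned_audit from the CI step in place of a bare npm audit signatures; it exits non-zero both when npm itself rejects the tree and when the summary reports invalid entries.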