
GitHub Boosts Security with Verifiable npm Packages

GitHub Actions now has a built-in npm signing feature that lets developers sign their npm packages so that anyone installing them can verify the signature.


GitHub is rolling out a new feature that allows developers to verify their npm packages with a cryptographic signature. According to the Microsoft-owned company, the new feature helps improve the trustworthiness and security of the packages.

Known as NPM Package Signing, the tool is now available in beta on GitHub Actions for users on Team, Pro, or Enterprise accounts.

The feature works by generating a unique key pair for each developer who opts in to NPM package signing. The developer can then use the key pair to sign their npm packages and publish them to GitHub Packages, a hosting service for npm packages.

Signatures are verifiable by anyone who has the package, using npm or Yarn, another package manager. This process essentially ensures that the package is intact and has not been replaced or tampered with by a threat actor.

Package Manager for npm JavaScript in GitHub

If you are unfamiliar with npm, it is a package manager for JavaScript and the default manager for the Node.js runtime environment. It has a command-line client and an online database of public and private packages, known as the npm registry.

The GitHub feature also integrates with GitHub's code scanning and secret scanning tools, which can detect vulnerabilities and secrets in npm packages. The company is now inviting organizations to test the beta and provide feedback on the package signing feature.

GitHub Actions gives developers tools to automate work on their projects. By leveraging Docker containers, developers can set up scheduled jobs, and projects can define event triggers ranging from the introduction of new code to test pipelines that start an Action.

Luke Jones