feat: expose fetched attestation bundles on manifest#457
Merged
Conversation
When verifyAttestations is enabled, pacote already fetches the full sigstore attestation bundles from the registry and uses them for verification. However, the fetched bundles are discarded after verification, and only the lightweight dist.attestations metadata (URL + predicate type) is saved to mani._attestations. This change expands _attestations to include the fetched bundles as a 'bundles' property, making the complete sigstore bundles (DSSE envelopes, verification material, tlog entries) available to downstream consumers like the npm CLI without requiring a re-fetch. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add assertions to verify that the fetched attestation bundles are preserved on mani._attestations.bundles when verification is enabled, and absent when verification is disabled. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
mitchdenny
pushed a commit
to mitchdenny/npm-cli
that referenced
this pull request
Mar 3, 2026
Add a new --include-attestations flag for `npm audit signatures` that includes the full sigstore attestation bundles in JSON output. This enables downstream tooling to consume and further process attestation data (e.g. for policy engines, SBOMs, or custom verification). When used with `npm audit signatures --json --include-attestations`, the JSON output includes a `verified` array containing each package's name, version, and attestation bundles. Depends on npm/pacote#457 to expose the fetched attestation bundles on the manifest's _attestations property. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Author
|
cc @feelepxyz — Related npm CLI issue: npm/cli#9048 and draft PR: npm/cli#9049 (which depends on this pacote change shipping first). |
wraithgar
reviewed
Mar 3, 2026
lib/registry.js
Outdated
| } | ||
| } | ||
| mani._attestations = dist.attestations | ||
| mani._attestations = { ...dist.attestations, bundles: attestations } |
Member
There was a problem hiding this comment.
Let's hang these off of another _ attribute. I'd hate for attestations to add a bundles attribute some time in the future and make this a huge problem.
Contributor
There was a problem hiding this comment.
Agreed with this recommendation 😄
…ttribute Instead of merging fetched bundles into _attestations (which mirrors dist.attestations from the registry), store them on a separate _attestationBundles attribute. This avoids future collisions if the registry ever adds a 'bundles' field to dist.attestations. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
mitchdenny
commented
Mar 6, 2026
Contributor
Author
mitchdenny
left a comment
There was a problem hiding this comment.
Thanks @wraithgar and @owlstronaut — great catch. I've updated the PR to store the fetched bundles on a separate _attestationBundles attribute instead of merging them into _attestations. This keeps _attestations identical to dist.attestations from the registry and avoids any future collision risk.
I've also updated the npm CLI PR (npm/cli#9049) to read from _attestationBundles accordingly.
Run template-oss-apply to regenerate managed files with release/v* branch patterns for CI, CodeQL, release workflows, settings, and dependabot configuration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
These workflow/config changes are pre-existing drift unrelated to this PR and should be addressed separately. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Member
|
Linting failures are cause of new branches we added to try to do some npm@10 backports, they should not block this PR |
wraithgar
approved these changes
Mar 9, 2026
Merged
wraithgar
pushed a commit
that referenced
this pull request
Mar 9, 2026
🤖 I have created a release *beep* *boop* --- ## [21.5.0](v21.4.0...v21.5.0) (2026-03-09) ### Features * [`d912f17`](d912f17) [#457](#457) expose fetched attestation bundles on manifest (#457) (@mitchdenny) ### Chores * [`586a55d`](586a55d) [#471](#471) template-oss-apply for new macos images (#471) (@wraithgar) * [`d1cc5c8`](d1cc5c8) [#460](#460) template-oss-apply for release branches (#460) (@wraithgar) * [`b741e8b`](b741e8b) [#468](#468) bump @npmcli/template-oss from 4.28.0 to 4.29.0 (#468) (@dependabot[bot], @npm-cli-bot) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mitchdenny
pushed a commit
to mitchdenny/npm-cli
that referenced
this pull request
Mar 17, 2026
Add a new --include-attestations flag for `npm audit signatures` that includes the full sigstore attestation bundles in JSON output. This enables downstream tooling to consume and further process attestation data (e.g. for policy engines, SBOMs, or custom verification). When used with `npm audit signatures --json --include-attestations`, the JSON output includes a `verified` array containing each package's name, version, and attestation bundles. Depends on npm/pacote#457 to expose the fetched attestation bundles on the manifest's _attestations property. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When
verifyAttestationsis enabled, pacote fetches the full sigstore attestation bundles from the registry attestation URL and uses them to verify package provenance and publish attestations. After verification, the fetched bundles are discarded and only the lightweightdist.attestationsmetadata (URL and predicate type) is saved tomani._attestations:This means downstream consumers like the npm CLI have no access to the verified attestation bundles (DSSE envelopes, verification material, transparency log entries) without re-fetching them from the registry.
Use case: I'd like to add an
--include-attestationsflag tonpm audit signaturesso users can inspect the full attestation bundles for their installed packages. Currentlynpm audit signaturesonly reports pass/fail counts — there's no way to view the actual attestation content via the CLI.Proposed change: Enrich
mani._attestationsto include the already-fetched bundles:This preserves backward compatibility (
urlandprovenanceare still present) and avoids an extra HTTP request for each attested package. The data has already been fetched and verified — this just preserves it for downstream use.