🐛 Bug: Invalid package attestation - 1.3.0

[shadaxv]

Bug Report Checklist

• I have tried restarting my IDE and the issue persists.
• I have pulled the latest main branch of the repository.
• I have searched for related issues and found none that matched my issue.

Expected

Audit does not indicate invalid attestation

Actual

An npm audit indicates incorrect package attestation in version 1.3.0:

npm audit signatures
audited 1665 packages in 20s

1663 packages have verified registry signatures

14 packages have verified attestations

2 packages have invalid attestations:

axios@1.6.8 (https://registry.npmjs.org/)
ts-api-utils@1.3.0 (https://registry.npmjs.org/)

Someone might have tampered with these packages since they were published on the registry!

Additional Info

node 20.11.0
npm 10.4.0

[shadaxv]

It looks like a problem on npm side, in version 10.5.0 there is no problem, I close the thread

[levrik]

@shadaxv TBH it seems rather weird. The version 1.3.0 of ts-api-utils doesn't exist on GitHub (that's likely why it gets flagged by npm audit). Given the recent events around the XZ Utils backdoor, this looks rather suspicious to me and I would be careful!

[JoshuaKGoldberg]

🤷 yeah this was a confusing bit to look at. Since the issue hasn't happened again, I'd recommend going with a newer version of ts-api-utils to not get the warnings.

[JoshuaKGoldberg]

Oh, and this isn't the only package that had the same odd issue: nodemailer/nodemailer#1634