Invalid package attestation - 1.6.8 #6308

Closed
shadaxv opened this issue Mar 19, 2024 · 4 comments

Comments


shadaxv commented Mar 19, 2024

Describe the bug

An npm audit indicates incorrect package attestation in version 1.6.8:

npm audit signatures
audited 1665 packages in 20s

1663 packages have verified registry signatures

14 packages have verified attestations

2 packages have invalid attestations:

axios@1.6.8 (https://registry.npmjs.org/)
ts-api-utils@1.3.0 (https://registry.npmjs.org/)

Someone might have tampered with these packages since they were published on the registry!

To Reproduce

  • Install axios@1.6.8
  • Run npm audit signatures

Code snippet

No response

Expected behavior

Audit does not indicate invalid attestation

Axios Version

1.6.8

Adapter Version

No response

Browser

No response

Browser Version

No response

Node.js Version

20.11.0

OS

No response

Additional Library Versions

npm 10.4.0

Additional context/Screenshots

No response


lvass74 commented Mar 19, 2024

Just hit the same issue with npm 10.2.3.
With npm 10.5.0 the issue is not present.
Nor with npm 9.8.x


shadaxv commented Mar 19, 2024

@lvass74 In my case, the problem also occurs in npm version 10.5.0

[screenshot]


lvass74 commented Mar 19, 2024

@shadaxv Double-checked with Node.js 21 and npm 10.5.0 but didn't hit the issue:

Downloading and installing node v21.7.1...
Downloading https://nodejs.org/dist/v21.7.1/node-v21.7.1-darwin-x64.tar.xz...
Computing checksum with shasum -a 256
Checksums matched!
Now using node v21.7.1 (npm v10.5.0)
$ node -v
v21.7.1
$ npm -v
10.5.0
$ npm audit signatures
audited 9 packages in 1s

9 packages have verified registry signatures

1 package has a verified attestation

$ npm list
scratches@ /Users/lvass/Library/Application Support/JetBrains/PyCharm2023.3/scratches
└── axios@1.6.8

Are you sure you are using npm 10.5.0?
On your screenshot I see this:
[screenshot]


shadaxv commented Mar 19, 2024

@lvass74 Good catch. I used the new version of Node, but actually I did not use the new version of npm. In version 10.5.0 there is no problem, so it looks like a problem on the side of npm. Thank you @lvass74, I'm closing the thread.

@shadaxv shadaxv closed this as completed Mar 19, 2024
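A small triage helper for the report format pasted in this thread, added here as an example and not part of axios or npm. It assumes the plain-text layout of `npm audit signatures` shown above, and the 10.5.0 threshold is taken from what this thread reports (an assumption, not a documented npm guarantee): an "invalid attestation" hit on an older npm is flagged for a re-run with a current npm before it is treated as tampering, while a hit on 10.5.0 or later is flagged for investigation.

```shell
#!/bin/sh
# Triage `npm audit signatures` output (example code, not from axios or npm).

# Constructed sample report, mirroring the one pasted in the issue.
SAMPLE_REPORT='audited 1665 packages in 20s

1663 packages have verified registry signatures

14 packages have verified attestations

2 packages have invalid attestations:

axios@1.6.8 (https://registry.npmjs.org/)
ts-api-utils@1.3.0 (https://registry.npmjs.org/)

Someone might have tampered with these packages since they were published on the registry!'

# Print the package specs listed under "invalid attestations", one per line.
invalid_attestations() {
  printf '%s\n' "$1" | awk '
    /have invalid attestations:/ { grab = 1; next }
    grab && /^[^ ]+@[^ ]+ \(/    { print $1 }
    grab && /^Someone might/     { grab = 0 }
  '
}

# Succeed when dotted version $1 is >= dotted version $2 (numeric parts only).
version_ge() {
  lowest="$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)"
  [ "$lowest" = "$2" ]
}

# Classify a report: "clean" (no invalid attestations), "recheck" (hit seen with
# an npm older than 10.5.0, the version this thread reports as fixed; re-run after
# upgrading) or "investigate" (hit persists on a current npm).
triage() {
  report="$1"; npm_version="$2"
  invalid="$(invalid_attestations "$report")"
  if [ -z "$invalid" ]; then echo clean; return; fi
  if version_ge "$npm_version" 10.5.0; then echo investigate; else echo recheck; fi
}

triage "$SAMPLE_REPORT" 10.4.0   # prints: recheck
```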