Skip to content

v2.0.4 — npm provenance via CI trusted publishing

Choose a tag to compare

@shayaShav shayaShav released this 02 Jul 18:32
v2.0.4

Starting with this release, npm packages are published by GitHub Actions via OIDC trusted publishing: no npm tokens exist anywhere, every release carries SLSA provenance attestations (verify with npm audit signatures or on the npm package page), and release tags are SSH-signed. No engine changes.

What's Changed

  • ci: npm OIDC trusted publishing with provenance and signed release tags by @shayaShav in #5

Full Changelog: v2.0.3...v2.0.4