Please add trusted publishing to npm packages to improve security

[tnkuehne]

Problem Statement

Following recent hacks on npm packages, it would be greatly appreciated if you could increase the trust level of the npm packages.

Solution Brainstorm

• A first and easy step would be generating provenance statements docs.npmjs.com/generating-provenance-statements
• The best case would be adding trusted publishing docs.npmjs.com/trusted-publishers, as this would allow you to get rid of npm tokens, making token compromises not a risk anymore

Additional Context

Would have opened a PR, but for trusted publishing, the changes mostly need to happen in the npm config of the packages.

Priority

_{React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding +1 or me too, to help us triage it.}

[linear]

JS-1263

[AbhiPrasad]

We actually have a pretty robust publishing process at Sentry - no employees have access to tokens here.

You can reach more about this here: https://byk.im/posts/releasing-packages/. The rest of the pipeline is also open source (and can be audited):

• https://github.com/getsentry/publish
• https://github.com/getsentry/craft

We'll leave this open because I think we still want to add provenance statements, but it'll take some time for us to figure this out.