[shakna]

PyPI is working towards attestation [0], and already has "Trusted Publisher" [1].

Ruby has had signed gems since v2 [2].

These aren't a panacea. But they do mean an effort has been made.

npm has been talking about maybe doing something since 2013 [3], but ended up doing... Nothing. [4]

I don't think it's fair to compare npm to the others.

[0] https://docs.pypi.org/attestations/producing-attestations/

[1] https://docs.pypi.org/trusted-publishers/

[2] https://docs.ruby-lang.org/en/master/Gem/Security.html

[3] https://github.com/npm/npm/pull/4016

[4] https://github.com/node-forward/discussions/issues/29

[madeofpalk]

NPM has both Trusted Publishing and provenance claims for where packages are built.

https://docs.npmjs.com/trusted-publishers

https://docs.npmjs.com/generating-provenance-statements

Trusted Publishing is relatively new - GA-ed in July https://github.blog/changelog/2025-07-31-npm-trusted-publish...

[otterley]

Trusted Publishing is a marketing term—a fancy name for OIDC support and temporary auth token issuance. It delegates authenticating the uploader to their identity provider, nothing more.

In a very real sense, it shifts responsibility to someone else. For example, if the uploader was using Google as their identity provider and their Google account was popped, the attacker would be able to impersonate the uploader. So I wouldn’t describe it as establishing a strong trust relationship with the uploader.

It only meaningfully improves the security of the NPM ecosystem if (a) everyone is forced to sign packages and (b) identity providers require more secure authentication methods with as hardware tokens or passkeys.

[arianvanp]

Trusted publishing helps with tracking down how something got compromised after compromise. It doesn't do anything to protect against compromise except for using time-limited credentials but that only makes the window smaller. It doesn't make compromise impossible