Safely review and verify your npm packages before publishing.
Pitch

PackAttest is a vital tool for npm package publishing that ensures only explicitly reviewed files make it to the final artifact. By providing complete visibility of package contents, it prevents accidental leaks and misconfigurations, streamlining the release process with confidence in the files being published.

Description

PackAttest

PackAttest is a tool designed to improve package publishing workflows by ensuring that only explicitly approved files are published. With a focus on transparency and user verification, it changes how packages are released in order to avoid accidental leaks and misconfigurations.

Key Features

  • Artifact Review: Before publishing, PackAttest allows users to review the exact artifact, ensuring clarity on what is included in the final package.
  • Change Tracking: It highlights changes since the previous version, providing full visibility into file modifications.
  • Explicit Approval: Users must actively select files for publication, eliminating any implicit rules that could lead to unintended inclusions.
  • Safe Publishing: By comparing the current artifact against the previously published version, it prevents unreviewed changes from being published.

Typical Workflow

  1. Run pa review: This command enumerates the files in the package and allows inspection of the final artifact.
  2. Inspect the Output: Users can track file changes, view warnings, and select which files to publish.
  3. Commit Changes: The resulting .packattest attestation file should be committed to ensure consistency during Continuous Integration (CI).
  4. Publish with Confidence: Execute pa publish locally or pa verify in CI to complete the process and publish the selected files.

Usage Example

Use the following command to review the package contents:

pa review

This will display the packaging details along with any differences from the last release, prompting the user to select files for publication interactively.

Why Choose PackAttest?

Modern package management often relies on implicit rules that can lead to errors. PackAttest counters this by enforcing a verification layer that emphasizes review and explicit intent:

  • Accuracy: Decisions are based on the actual contents of the package, not assumptions from source configurations.
  • Human Oversight: It prioritizes user intent in the selection process for files to be published.

Security Enhancements

PackAttest is designed to mitigate common risks in package publishing:

  • Avoids accidental inclusion of sensitive files or source maps.
  • Protects against build-output drift and the accumulation of unreviewed content.

With its focus on both security and usability, PackAttest provides developers with a reliable mechanism for ensuring their packages are published with integrity. Get started with PackAttest to secure your publishing process.
